Below is a brief explanation of zero trust security, an approach which is driving dramatic change in the world of cyber security and creating great opportunities for the companies delivering these changes. The explanation is provided by one of the companies featured below.
Zero trust security is an IT security model that requires strict identity verification for every person and device trying to access resources on a private network, regardless of whether they are sitting within or outside of the network perimeter. No single specific technology is associated with zero trust architecture; it is a holistic approach to network security that incorporates several different principles and technologies.Traditional IT network security is based on the castle-and-moat concept. In castle-and-moat security, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach is that once an attacker gains access to the network, they have free reign over everything inside. This vulnerability in castle-and-moat security systems is exacerbated by the fact that companies no longer have their data in just one place. Today, information is often spread across cloud vendors, which makes it more difficult to have a single security control for an entire network. Zero trust security means that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources on the network. This added layer of security has been shown to prevent data breaches. A recent IBM-sponsored study demonstrated that the average cost of a single data breach is over $3m. Considering that figure, it should come as no surprise that many organisations are now eager to adopt a zero-trust security policy.The philosophy behind a zero trust network assumes that there are attackers both within and outside of the network, so no users or machines should be automatically trusted. Another principle of zero trust security is least-privilege access. This means giving users only as much access as they need, like an army general giving soldiers information on a need-to-know basis. This minimizes each user’s exposure to sensitive parts of the network. Zero trust networks also utilise microsegmentation. Microsegmentation is the practice of breaking up security perimeters into small zones to maintain separate access for separate parts of the network. For example, a network with files living in a single data centre that utilizes microsegmentation may contain dozens of separate, secure zones. A person or program with access to one of those zones will not be able to access any of the other zones without separate authorisation.Multi-factor authentication (MFA) is also a core value of zero trust security. MFA simply means requiring more than one piece of evidence to authenticate a user; just entering a password is not enough to gain access. A commonly seen application of MFA is the 2-factor authorisation (2FA) used on popular online platforms like Facebook and Google. In addition to entering a password, users who enable 2FA for these services must also enter a code sent to another device, such as a mobile phone, thus providing two pieces of evidence that they are who they claim to be.In addition to controls on user access zero trust also requires strict controls on device access. Zero trust systems need to monitor how many different devices are trying to access their network and ensure that every device is authorized. This further minimizes the attack surface of the network. Up until now, zero trust required detailed implementation by security engineers, focusing on the core principles and technologies listed above. But thanks to the introduction of Cloudflare Access, any organisation can now quickly and easily implement a zero trust system on their network.
Cloudflare NET Buy @ $77 MV: $22.8bn Next figures due: 18 February 2021 Number of times recommended: 6 First recommended: $23.28
As you can see from the above Cloudlfare is a key player in the world of zero trust security, which is cloud based and ideally suited to a WFA (work from anywhere) world undergoing widespread digital transformation. The group describes its business as “Cloudflare is on a mission to help build a better Internet. We have built a global cloud platform that delivers a broad range of network services to businesses of all sizes around the world—making them more secure, enhancing the performance of their business-critical applications, and eliminating the cost and complexity of managing and integrating individual network hardware. Today, approximately 16pc of the Fortune 1,000 are paying Cloudflare customers.” Cloudflare provides DDoS mitigation services, which protect customers from distributed denial of service (DDoS) attacks. As of September 2020, the company claims to block “an average of 72bn threats per day, including some of the largest DDoS attacks in history.” On 6 September, 2019, Wikipedia became the victim of a DDoS attack. European users were unable to access Wikipedia for several hours. The attack was mitigated after Wikimedia network engineers used Cloudflare’s network and DDoS protection services to re-route and filter internet traffic. The specific Cloudflare product used was Magic Transit.
The opportunity for Cloudflare has come as the Internet has moved from a primarily on premise computing environment to a world of cloud computing, a transition that has been dramatically accelerated by Covid-19. Almost overnight the entire on premise security network has been revealed as not fit for purpose and a massive disruption is taking place led by companies like Cloudflare and the others listed below. The shift to zero trust security is only one element in this disruption.
The speed with which Cloudflare has moved has been incredible. The group was only founded in September 2010 yet “Today, our network spans 194 cities in over 90 countries and interconnects with over 8,000 networks globally, including major ISPs [internet service providers], cloud services, and enterprises. We estimate that we operate within 100 milliseconds of 99pc of the Internet-connected population in the developed world, and 94pc of the Internet-connected population globally (for context, the blink of an eye is 300-400 milliseconds).”
The group grows by acquiring new customers, expanding business with existing customers, adding new products and extending their serverless platform strategy.
This last element it describes as “We have opened our serverless platform to outside developers with a product called Cloudflare Workers. This enables our customers to write and deploy their own code in seconds directly onto our global cloud platform and have it run close to their users. We have seen a growing number of customers bring applications to market using Cloudflare Workers. This opens up an entirely new market for us: compute and storage.”
Since every organisation which uses the Internet is a potential customer the opportunity is huge and the growth has been dramatic. The number of paying customers has grown from 35,002 in 2016 to 49,309 for 2017, 67,899 for 2018 and reached 101,000 in Q3 2020. Even more striking has been the growth in large customers with revenue over $100,000 a year, who now provide over half group revenue. This number has grown from 95 in 2016 to 313 in 2018 and 736 in Q3 2020. Revenue is also growing rapidly – from $84.8m for 2016 to $287m for full year 2019 with $729m forecast by analysts by 2022.
In Cloudflare’s 2019 IPO document there was a letter from the founders which included the following telling quote. “We aim to build a massive business — slowly and consistently.” I am sure they are going to build a massive business, less sure that they are going to do it slowly.
Crowdstrike CRWD Buy @ $167 MV: $37bn Next figures due: 19 March 2021 Number of times recommended: 11 First recommended: $92 Lowest recommendation price: $51
Crowdstrike is another phenomenally exciting cyber security business about which I ave written many times. The impetus to digital transformation from Covid-19 has seen growth accelerate in recent quarters and the latest quarter, Q3 2020, reported on 2 December, was no exception. “CrowdStrike delivered a record third quarter, with results exceeding our expectations across the board. Our robust growth at scale underscores our growing leadership in the security cloud category and the immense value we deliver to customers seeking to transform, consolidate, and fortify their security posture. A few of our accomplishments in the third quarter include: setting a new record for net new ARR [annual recurring revenue] generated and ending the quarter with over $900m in ARR; delivering strong 87pc subscription revenue growth and setting a new record for professional services revenue; adding a record 1,186 net new subscription customers; generating non-GAAP operating income for the third consecutive quarter and positive operating and free cash flow for the fifth consecutive quarter; introducing three new modules and driving strong module adoption among customers; acquiring Preempt Security, which expands CrowdStrike’s Zero Trust capabilities and incorporates critical identity behavior data and analysis to help customers fortify their defenses and prevent identity-based attacks and insider threats; joining forces with EY to help strengthen their client cybersecurity posture by using the Falcon platform, our alliance with EY has already influenced multiple deals; and lastly, hosting a highly successful virtual user conference, with six times the customers and prospects attending compared with our in-person event last year.
EY is the former accountancy giant, Ernst & Young, which has grown from its British base to create one of the world’s largest professional services networks. They make a formidable partner.
Crowdstrike was formed in 2011 by George Kurtz, CEO and Dmitri Alperovitch, CTO (chief technology officer) and is growing even more rapidly than Cloudflare. Analysts are projecting sales climbing from $250m for the year to 31 January 2019 to $1,565m for the year to 31 January 2023. Subscriber numbers grew 85pc year over year and the net expansion rate [sales generated from year ago customers] stayed over 120pc.
The company is positive on prospects. “We believe we are well-positioned to expand our leadership and drive strong growth at scale. We have multiple avenues to drive growth, including winning new customers at a rapid pace, cross-selling new modules to existing customers and protecting more of their cloud assets, growing our market opportunity with new modules and adjacencies, and growing our international business. The very nature of our cloud-native architecture powered by Threat Graph enables our ability to innovate and bring new modules to market that customers actually adopt. Our customers recognize that Threat Graph is unique to CrowdStrike and differentiates us from others in the market. All the data we collect is stored in one place: The Threat Graph. This is very different from other vendors, including upstarts, that silo their data, limiting their ability to scale in the customers’ environment. Any vendor with an on-prem solution is currently unable to replicate our Threat Graph capabilities, which allows us to deepen our competitive moat.”
Okta OKTA Buy @ $240 MV: $31.6bn Next figures due: 5 March 2021 Number of times recommended: 9 First recommended: $57.50
Okta was co-founded in 2009 by Todd Mckinnon, CEO and Frederic Forrest, COO [chief operating officer]. Both originally held senior roles at Salesforce.com. The company specialises in identity and access management software provided as a service on subscription from the cloud. Okta is both a customer of and close collaborator with Crowdstrike. Like the other companies featured in this alert Okta is an enterprise software company, which means its customers are other businesses and the developers who work for those businesses. In an era of digital transformation many enterprise software companies are experiencing rapid growth making the whole sector very attractive for investors.
Like its peers Okta has just reported a strong third quarter. “In the third quarter, we demonstrated continued strength with total remaining performance obligations, or RPO, growing 53pc. Total revenue grew 42pc. Subscription revenue grew 43pc, and we generated record quarterly cash flows. Okta has remained 100pc remote since mid-March, and we continue to execute at a high level. We’re fortunate that the nature of Okta’s business allows us to operate successfully in this dynamic work environment. We’re also proud of the fact that our solutions help our over 9,000 customers securely connect their distributed workforces and strengthen the security and identity posture of their websites and applications. The three mega trends that have been driving our business for the past several years, the adoption of cloud and hybrid IT, digital transformation and Zero Trust security are being accelerated. Organizations are being forced to evolve their digital strategy to navigate through the pandemic, while their remote work environments remain a critical part of their business. We continue to have success with growing our base of large enterprise customers. In Q3, we added nearly 100 customers with an annual contract value greater than $100,000. And once again, over half of these additions were from new customers. Large enterprise customers now contribute 80pc of our total annual contract value. The total number of $100,000-plus customers now stands at 1,780, an increase of 34pc, and we’re seeing our base of customers with bigger ACV [annual contract value] expand even faster. For example, our customers with an ACV greater than $500,000 grew over 50pc to 320 customers.”
Analysts see sales growing from $260m for the year to 31 January 2018 to $1,370m for the year to 31 January 2023. Okta is clearly resonating with ever larger businesses. “Further evidence of our progress with large enterprise companies is demonstrated by looking at the top 25 contracts we booked in Q3 by total contract value. This includes both new and upsell contracts. All 25 were over $1m, and six were over $5m. What’s more, the average contract size of our top 10 new customers increased more than 60pc when compared to Q3 last year. While that’s great progress, we believe that we are just getting started, and we still have a significant opportunity to further expand our business with these large organizations.”
CEO, Todd Mckinnon, concluded his remarks by saying. “We’re n the enviable position of being in a market that is coming toward us in the cloud. We’re proud of the success we’ve achieved, and we’re confident in our ability to maintain this high level of execution because we are just scratching the surface of the massive market opportunity.”
Palo Alto Networks PANW Buy @ $304 MV: $29bn Next figures due: 2 March 2021 Number of times recommended: 4 First recommended: $204
Founded in 2005, Palo Alto Networks enjoyed great success as the developer of next generation firewalls, which replaced traditional firewalls. Disruptors like Crowdstrike talk of their cloud native security products replacing not only legacy but also next generation products, which seemed to suggest that Palo Alto was vulnerable. In 2018 the group saw a changing of the guard at the top of the company with a new CEO from Google and other high level appointments. It seems the company may be fighting back and the recent share price performance has been encouraging.
At the Q1 2021 earnings call for for the year to 30 June 2021 CEO, Nikesh Agora, opened his remarks by saying. “I finally feel that we’re turning the corner on all that we’ve been doing over the last few years.” PANW is making the transition, like others before it, from traditional software sales to software as a service (SaaS) generating annual recurring revenue. Remember that this has a cost initially because it defers the revenue stream into the future so shares often languish for a while and then take off. “Our customers are investing, our teams are executing and our strategy of innovating in our firewall business and focusing on the next generation of products around cloud and AI in the industry is working. As you can see, we had a great start to fiscal year 2021 as we exceeded guidance across all metrics in Q1. Here are some of the highlights. We delivered strong billings of $1.08bn, up 21pc year over year, with strong growth across the board driven by continued strength in next-generation security or NGS billings, growing at 53pc year over year and NGS ARR of $719m.”
Those are impressive numbers and suggest that the group is well placed to benefit from the growing spending on cyber security in an increasingly digital world. As an example of the way the business is developing Agora had this to say. “We continue to drive innovation within our firewall business. We recently extended our new enterprise DLP [data loss prevention] solution to integrate with our complete firewall platform. Our DLP offering is a cloud-delivered service that is powerful, simple to deploy and protects sensitive data whether a customer keeps the data in the cloud, on-prem or takes a flexible approach. This launch takes our number of potential attached subscriptions to eight from four just two years ago. We also introduced an innovative joint solution with our VM-Series virtual firewall {VMware is a company which pioneered virtual computers] and AWS [Amazon Web Services] gateway load balancer. Our engineering-level partnership with AWS enabled us to launch this new capability that significantly simplifies deployment, improves the scale and performance and reduces the total cost of ownership of our VM-Series customers. Going forward, we will continue to provide leading innovation to our customers. One example of this is the upcoming launch of our new 5G-native security offering. With our unique approach to 5G security, we’re the first to introduce 5G network slice security, 5G context-driven security and much more, all in the containerized solution matching the preferred architecture of 5G. Not only will this allow mobile operators to secure their 5G infrastructure, but it will also enable them to launch value-added security services to their growing enterprise customers who are leveraging 5G for many new use cases.
He also mentioned a product called Prisma Access. “We also delivered the first CloudGenix and Prisma Access integration which seamlessly enables cloud-delivered brand security in just a few clicks.” He added “For many of our customers, COVID accelerated their digital transformation time lines, and we continue to see conversion of remote access trials and very strong pipeline generation. We now have more than 1,000 Prisma SASE [Service Edge Secure Access] customers, more than double from a year ago. To highlight a deal from the quarter, we won a seven-figure SD-WAN deal with a U.S. retailer who had already been Palo Alto Networks customer for a number of years who was an early adopter of Prisma Access. The success that we had with Prisma Access and the strong integration with CloudGenix was a winning combination, and this customer is now a full SASE customer. Switching to Prisma Cloud. Prisma Cloud is very well positioned for sustainable growth as it is at the heart of the global shift to cloud computing. In Q1 2021, we launched Prisma Cloud 2.0, introducing four new modules to enable customers to easily and rapidly extend their cloud security coverage in a number of critical areas, all within a single cloud-native security platform. These modules are data security which discovers and protect cloud storage data at a scale and velocity common in public cloud environments and addressing one of the most common data exposure issues in cloud transformation, includes web application and API [application programming interface] security which protects web applications from attacks….. Prisma Cloud now serves 20pc of the Global 2000 companies, 70pc of the Fortune 100 companies and secures 1.8bn cloud resources. This customer momentum is up from the 14pc of Global 2000 companies reported last quarter and up significantly from the 43pc of Fortune 100 that we reported two quarters ago. We’re also seeing a substantial increase in Prisma Cloud customers who are using both cloud security posture management and cloud workload protection for containers and serverless applications, now at 45pc, up from a third we reported last quarter.”
These are impressive numbers and suggest that after a period of hiatus Palo Alto is again very much a contender in the cyber security space.
Zscaler ZS Buy @ $180 MV: $24bn Next figures: 4 March 2021 Number of times recommended: 9 First recommended: $60
Zscaler was founded in 2007 by Jay Chaudry and K. Kailash and floated on the stock market in 2018. In their IPO document the company said – “Applications have moved out of the data centre and into the cloud; users have moved off the corporate network and are connecting from everywhere; security is still sitting in the data centre; its time to move security”.
This is how Zscaler described what they do. “Our multi-tenant architecture is distributed across more than 100 data centres globally, which allows us to secure users across 185 countries. Each day, we block over 100m threats and perform over 120,000 unique security updates. Our customers benefit from the network effect of our growing cloud because once a new threat is detected it can be blocked for users across our entire customer base within minutes.
The background to what is happening is a huge change in the digital environment. “Organisations are undergoing a massive shift in their IT strategies. The adoption of cloud applications and infrastructure, explosion of internet traffic volumes and shift to mobile-first computing enhance business agility and have become a strategic imperative for CIOs. Organisations are embracing these trends to empower business users, increase speed of deployment, create new customer experiences, re-engineer business processes and find new opportunities for growth.” This has created new problems for cyber security providers leading to new solutions.
The company has grown rapidly. At the time of the IPO it had 2,800 customers including 200 of the Forbes Global 2000. I don’t have any more recent customer numbers but the sales growth, including projections, is amazing. The annual sales sequence starting in the year to 31 July 2015 is $53.7m, $80.3m, $126m, $190m, $303m, $431m (to 31 July 2020), $612m, $797m and $1,018m forecast for the year to 31 July 2023. For Q1 2021 the group “delivered 52pc growth in revenue, and 64pc growth in billings, while also generating record operating profits and free cash flow.”
The group has been focused on its marketing efforts to great effect. “We closed a record number of seven-figure ACV [annual contract value] deals. The majority of these wins are three-year commitments to provide the foundation for application, network, and security transformation. In particular, I’m pleased with our increasing wins in the financial services vertical, which is now embracing the cloud and Office 365 deployments have become an important catalyst for us. Secondly, our optimised go-to-market engine is driving significant velocity, including a strong pace of new logo acquisitions. I’m very pleased with our performance across all geographies. Last year, we doubled down on our investment in our sales organisation. We scaled our sales enablement team and built a reputable and metrics-driven process, which is giving us better visibility into our business and ultimately, resulting in a strong and growing pipeline.”
This is how Zscaler breakso down what it does. “Our platform is comprised of four key pillars with each enabling a critical element of the transformation. ZIA to secure direct access to the internet and SaaS [software as a service], ZPA for zero trust access to private applications, Zscaler Digital Experience, or ZDX to deliver user experience for work from anywhere, cloud workload segmentation to protect applications.”
The results are impressive. “An increasing share of our sales is coming from initial platform purchases by new customers and also by upselling to existing customers, which is driving a record 122pc net retention rate. I believe in the current challenging environment and in the post-COVID economy, Zscaler will be the go-to platform for vendor consolidation, cost savings, increased user productivity, and better cyber protection.“
Prospects look outstanding. “As we look forward to the next few years, we are focused on driving broader adoption of our four major cloud solutions, which together maximize the value for our customers’ digital transformation. From pre-sales to deployment and customer success, we have built a sophisticated sales machine to sell value and deliver measurable outcomes at the CxO level [CxO = chief experience officer, which relates to how customers experience a company, its technology and its marketing efforts].“
Covid-19 has accelerated the process of digital transformation and created an even stronger following wind for Zscaleer. “Many CxOs shared with me that their current work from home environment while temporary has helped them realize that zero trust architecture is the future and it can be implemented easily and rapidly. COVID was a catalyst in changing the mindset and shaking off inertia, resulting in a reduced need for educating customers about the value of the Zscaler architecture over legacy approaches. Inbound customer requests have greatly increased, and we are becoming an integral part of a growing number of larger transformation projects. We continue to see more customers buying ZIA and ZPA together, which enables a true transformation with direct and seamless access to SaaS applications or applications in your data centre, or the public cloud.“
I appreciate that some of the copy above is rather dense and demanding. We are dealing with companies at the cutting edge of technology and while we many not need to understand exactly what they do we need to get the flavour of what makes them successful, why they are growing so fast and the leading role they already play in the large markets they are addressing. If you don’t want to plough through it all you can just take my word for it that these businesses are very special.
You might think that all these companies are competing for the same corporate dollars but this is not the case. Okta is a customer and partner of Crowdstrike, which is also in partnership with Zscaler. Plus the markets they are addressing are so huge with cyber security playing an increasingly critical role in enabling the Internet and the digital world to function that there is plenty to go around for everyone.
I have noticed in the past that in order to become a large or very large company a business needs to grow very fast for a very long time. This often begins with a period of hypergrowth of the sort being delivered by the businesses discussed above. One effect of hypergrowth is that it leads to a supercharged share price performance, which includes companies being very highly valued by investors. They build much of that expected future growth into the current valuation, which is understandable but scary.
Cloudflare is valued at 56 times the sales expected for 2020. This is a phenomenal valuation but part of what it tells us is that it is very hard to value a company like Cloudflare which is (a) growing very rapidly, by over 50pc a year and (b) has a huge, almost unlimited, total addressable market. I think part of the problem is investors’ obsession with statistics so they try to use numbers to value and compare companies. I don’t do that because I think it doesn’t work except to stop you buying shares in really exciting businesses because they always look too expensive. It is a bit like paintings. A bog standard daub on canvas might cost £50 but you can pay £10s of millions for outstanding examples. Ordinary companies don’t cost much; the best cost a fortune but they are the ones to buy.
I don’t crunch numbers; I look for the best and for them I just pay the going rate. The crafty bit is that I don’t buy my entire holding in one go. I add more when the shares are individually strong or sometimes if an opportunity is presented by general market weakness so that I gradually scale my best performing holdings. Even at times of general weakness I still look for signs of strength in the particular shares I want to buy.
This all relates to my overall strategy for Quentinvest, which is to concentrate on building a portfolio of shares in great 21st century businesses. Valuation and timing is a mugs’ game because who ever knows. What we can do though is pick quality. It’s actually usually obvious. If you are not quickly convinced that a business is great, fast growing and has outstanding prospects it probably isn’t and doesn’t.
The thing I bring to the party is a lot of experience in identifying such star performers and that it is my day job so I can spend time looking. All you have to do is buy them. If you do, are patient and sell only if there are clear signs of company specific problems, time will be on your side and your portfolio should appreciate in value.
Table of Contents
Index to Financial Statements
1
Table of Contents
Index to Financial Statement