DISCLOSURE APPENDIX AT THE BACK OF THIS REPORT CONTAINS IMPORTANT DISCLOSURES, ANALYST CERTIFICATIONS, LEGAL ENTITY DISCLOSURE AND THE STATUS OF NON-US ANALYSTS. US Disclosure: Credit Suisse does and seeks to do business with companies covered in its research reports. As a result, investors should be aware that the Firm may have a conflict of interest that could affect the objectivity of this report. Investors should consider this report as only a single factor in making their investment decision.
5 September 2017 Americas/United States
Equity Research
Technology
Cybersecurity
The Ideas Engine series showcases Credit Suisse’s unique
insights and investment ideas.
Research Analysts
Brad Zelnick
212 325-6118
William Lunn
212 325 4392
Syed Talha Saleem, CFA
212 538 1428
Kevin Ma
212 325 2694
INITIATION
The Cloud Has No Walls
Initiate on Firewall (PANW, FTNT, CHKP) with a Negative Category View
While we consider cybersecurity to be a secular growth theme, as the
corporate network disintegrates we anticipate spend will be redistributed away
from the network to the detriment of incumbent firewall vendors.
■ Cybersecurity Is a Secular Growth Theme: We believe the value of data
to firms is rising, as is the threat of its compromise. As long as malicious
innovation outpaces benevolent, the cybercrime wave will endure, putting
upward pressure on budgets for data defense.
■ Architectural Shift Deprioritizes the Perimeter: Traditional centralized
methods of IT delivery lend themselves to a walled garden defense: build
high, strong walls at the perimeter and defend them carefully. The cloud,
being by its very nature distributed, dissolves the concept of network
perimeter. As workloads move out of data centers, it becomes less clear at
what point the bounds of the corporate network begin and where they end.
■ Agile Compute Demands Agile Security: The new security paradigm
should mirror the cloud compute paradigm in that it is (1) on-demand,
(2) borderless, (3) without hardware, (4) dynamically priced, and
(5) scalable. An appliance-based approach fails on each account, thus we
expect spend to be redistributed to other controls and cloud-first innovators.
■ Multiple Structural Headwinds Face the Firewall: Even if the firewall
retains its relevance in the cloud, the space will continue to face multiple
structural headwinds, in our view. The most notable headwinds include
increasing competition, pricing challenges, the diminishing tailwind of TAM
expansion, and the shift in spend from prevention to detection and response.
■ Stocks: Most at risk and with the highest market expectations, we initiate
on PANW (TP:$125) and FTNT (TP:$33) with Underperform ratings. Less
optimistically priced and of higher quality, we rate CHKP (TP:$110) Neutral.
Figure 1: The Cloud Security Spending Disconnect
Source: Gartner, Credit Suisse Research.
7.1%9.3%
11.8%
14.4%
17.0%19.2%
6.7%7.8% 8.8% 9.8% 10.6% 11.3%
0%
5%
10%
15%
20%
25%
2015 2016 2017 2018 2019 2020
Spend on Cloud (IaaS, PaaS & SaaS) as % of IT budget
Spend on Cloud security as % of security budget
5 September 2017
Cybersecurity 2
Table of Contents
Executive Summary 5
Structural Thesis 21
Cybersecurity is Secular Growth .............................................................................. 21
Data Are of Enormous Value, and Thus Deserving of Expensive Protection ........... 21
Data Are Increasingly Valuable to the Firm .............................................................. 22
The Cyber Crime Wave Continues Unabated........................................................... 24
Why Are the Attackers Winning the Cyber War? ...................................................... 27
Securing the Cloud ..................................................................................................... 31
The Cloud Holds Great Promise, and Great Security Risk ....................................... 31
Spend Unlikely to Continue to Coalesce Around the Network .................................. 35
Agile Compute Demands Agile Security ................................................................... 35
Beware Disaggregation ............................................................................................. 36
Firewall—The Security Mainframe? .......................................................................... 46
Sector Thesis 49
Other NGFW Tailwinds to Slow ................................................................................. 49
Competition to Reaccelerate ..................................................................................... 52
Cloud Transition ........................................................................................................ 64
TAM Expansion Is Limited ........................................................................................ 77
SSL Decryption Less of a Tailwind ........................................................................... 81
Shift from Prevention to Detection ............................................................................ 84
Firewall Stocks ............................................................................................................ 86
Relative Exposure to Sector Headwinds ................................................................... 86
Relative Valuation ..................................................................................................... 89
Relative HOLT® Perspective ..................................................................................... 91
Stock Calls 97
Palo Alto Networks: Lost in Palodise ....................................................................... 97
Key Charts .............................................................................................................. 100
Supports for Our Thesis .......................................................................................... 113
Risks to Our Thesis ................................................................................................. 117
Fortinet: Fortinet & Unfortified = Underperform .................................................... 135
Key Charts .............................................................................................................. 138
Supports for Our Thesis .......................................................................................... 139
Risks to Our Thesis ................................................................................................. 149
Check Point Software Technologies: Without a Box… Check! ........................... 171
Key Charts .............................................................................................................. 174
Company Positives ................................................................................................. 175
Company Negatives ................................................................................................ 182
Valuation ................................................................................................................. 188
5 September 2017
Cybersecurity 3
Appendices 195
Appendix I: The HOLT® Framework ....................................................................... 195
Cash Flow Return on Investment (CFROI®) ........................................................... 195
HOLT Valuation ....................................................................................................... 197
Appendix II: Additional Drivers of Security Spending .......................................... 200
Regulation Is Catalyzing Action .............................................................................. 200
Attacks Move Down Market .................................................................................... 204
Connected Security ................................................................................................. 210
Appendix III: Who Are Those Guys?....................................................................... 212
Black Hats: Know Thy Enemy ................................................................................. 212
White Hats ............................................................................................................... 216
5 September 2017
Cybersecurity 4
How Are We Differentiated?
Primary Work the Key Drive of Our Differentiation
In formulating our counter-consensus firewall thesis and broader industry view, we have
engaged in differentiated primary data collection and leveraged Credit Suisse HOLT® to
sense check our conclusions:
■ Counter-Consensus: We present two highly anti-consensus stock calls, with
Underperform ratings on Palo Alto Networks and Fortinet. On FTNT, we are the only
Underperform rating, and on PANW, we are the second. On CHKP, 43% of analysts
have Outperform ratings, and we initiate with a Neutral rating.
■ Software SoundBytes: This report contains over 100 software SoundBytes:
anonymized quotes from our 50+ interactions with industry figures. These interactions
have been broad-based, from salespeople, resellers, and technical evangelists to
founders and CEOs (past and present) of start-ups, unicorns, and public companies.
In a sector in which data points are hard to come by, our proprietary SoundBytes offer
insight to what leaders and those with feet-on-the-street are seeing in the market and
envisaging for its future.
■ HOLT®: Using Credit Suisse HOLT, we back-stop and sense check our relative
valuation. We find HOLT to be reflective of our views, particularly CHKP's quality;
egregious stock-based compensation at PANW and FTNT; and high market-implied
expectations for PANW, both in terms of the top line and returns on capital.
■ Interviews: We include two interviews1 designed to shed some light on hard to
penetrate cybersecurity topics including what motivates hackers, how should hackers
collaborate with security professionals, and what should boards and senior leaders be
asking themselves about cybersecurity.
− Dr. Gráinne Kirwan: Chartered Psychologist and Lecturer in Cyberpsychology and
Forensic Psychology at Dun Laoghaire Institute of Art, Design, and Technology, to
better understand the psychology of cybercrime and how criminological and
forensic psychological theories explain what motivates and characterizes offenders.
− Keren Elazari: Senior Researcher at the Balvatnik Interdisciplinary Cyber
Research Center at Tel Aviv University and featured speaker at international events
including TED, RSA Conference, TEDMED, TEDx, DLD, DEFCON, NATO, and
WIRED. Objective: Better understand the evolution of the hacking community.
Figure 2: We present two highly counter consensus stock calls on PANW and FTNT
Source: Company data, Credit Suisse estimates
1 Kind thanks to Richard Kersley, the Credit Suisse Global Thematic Team and the Credit Suisse Research Institute for facilitating and providing these interviews
Underperform, TP$125Top disaggregation pick
Underperform, TP$33Top disaggregation pick
Neutral, TP$110Preferred Firewall Play
5 September 2017
Cybersecurity 5
Executive Summary
IT Security Is a Secular Theme
The modern day enterprise is first and foremost an agglomeration of digital assets that
demand defense. From a structural standpoint, the enterprise demand for protection
increases as a function of the following variables: (1) the volume of digitized data, (2) the
value of that data, and (3) the threat of its compromise. We believe each of these to be
increasing.
■ Volume: The volume of data continues to increase as connected devices proliferate
and the sensors they contain multiply; the data exhaust of an increasingly connected
society, unstructured data, is the key driver of data volume growth.
■ Value: We believe data to be a fundamental component of competitive advantage in
the information age and think both traditional and Big Data are increasing in their value
to the enterprise. The former is due to its undisruptable characteristics as a barrier to
entry, and the latter is due to the amplifying cycle of (1) data creation, (2) data storage,
(3) data transmission, and (4) data analytics.
■ Threat of Compromise: It stands to reason that as the volume and value of digital
assets grow, all else equal, the yield on cybercrime increases. However, should the
resultant increase in sophistication and deployment of threats be met with an
equivalent increase in defenses, it follows the number of successful breaches should
remain static. Our analysis supports a concerning conclusion: records lost to breaches
are rising exponentially and the sophistication and deployment of cybercriminals is
outpacing the defense; the bad guys are winning.
Figure 3: The Number of Records Lost to Data Breaches Is Increasing at an Exponential Rate
Source: Company data, Credit Suisse estimates.
100,000
1,000,000
10,000,000
100,000,000
1,000,000,000
10,000,000,000
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
Hacking Accident Insider
ThreeWonga
PayAsUGym
Brazzers Snapchat
Clinton
campaign
Lynda
Dailymotion
Friend
Finder Network
River City Media
Syrian government
Minecraft
Mossack Fonseca
Mail.ru
Fling
Anthem
VK
TalkTalk
Slack
Sanrio
Adult Friend Finder
VTech
Premera
Experian
AshleyMadison
Voter Database
NASDAQ
AOL
Gmail
Sony
Korea Credit
Bureau
Home Depot
Ebay
Yahoo
Citigroup
Nintendo
Twitter Apple
Kissinger
Cables
Yahoo Japan
Adobe
Tumblr
Yahoo
Medicaid
Apple
Massive Americanbusiness
hack
StratforSega
TexasState
Tricare
NHS
178.com
SonySteam
Sony PSN
AT&T
Gawker
BetfairJPM
Virginia Dept.
Of Health
RockYou!
US Military
Heartland
AT&T
RBS
Data Processors International GS Caltex
FNIS
Dai Nippon Printing
UK Revenue and Customs
TK / TJ Maxx
Hewlett Packard
KDDI
AOL
US dpt of Vet Affairs
Automatic Data Processing
Ameritrade Inc.
Citi
Cardsystems Solutions Inc.
AOL
Bell
Zomato
Expon. (Total Data Breaches)
5 September 2017
Cybersecurity 6
Cybercrime Is Costly to the Real Economy…
Studies place the annual cost of cybercrime in the range of $500bn, just under the global
cost of narcotic crime, and extracting roughly 15-20% of the Internet’s annual economic
value. In contrast, CISOs deemed the aggregate value of digital assets worthy of spending
~75bn on their defense in 2016.
We think the delta between cost to economy and spend is likely to narrow and expect
continued increases in the volume and value of data to drive an unabating cybercrime
wave. Combined, we believe these forces will drive sustained secular growth in security
software spending that will outpace prevailing forecasts of the market and industry
analysts alike.
Figure 4: Cybercrime Represents a Similar % of Global GDP as Drug Crime,
Piracy, and Car Crashes as Well as Just over Half That of Global Theft
Source: MIT Technology Review, Credit Suisse Research.
Additional Drivers of Secular Growth in Security Spending Include…
■ Regulation Catalyzing Action: We expect GDPR, billed as the largest change to data
privacy laws in 20 years, to catalyze a review of firms' security postures across the
spectrum. We imagine this will span governance, control, organization, processes,
sourcing, and technology.
■ Attacks Moving Down-Market: Blind, agnostic threats such as ransomware are
increasing the risk of cyber-attack for small and medium-sized enterprises. This space
has historically been an under-penetrated market segment but is now crowded and
price competitive.
■ Connectivity: Increased connectivity creates added risk exposure for corporations,
governments, and individuals. As a result, enterprises will need to invest in IT security
technologies to mitigate the potential cost of IT security incidents.
1.50%
1.20%
1.00%
0.90%
0.89%
0.80%
Pilferage
Transnational Crime
Car Crashes
Narcotics
Counterfeiting/Piracy
Cybercrime
5 September 2017
Cybersecurity 7
Securing the Cloud
Dissolution of the Network Perimeter
Traditional methods of IT delivery are internally oriented; applications run on an internal
datacenter and are accessed by a workforce sitting inside offices. The nature of this
architecture lends itself to a walled garden defense: build tall strong walls at the perimeter
and defend those walls carefully.
The cloud, being by its very nature distributed, dissolves the concept of network perimeter.
As workloads move out of data centers to cloud environments, it becomes less clear at
what point the bounds of the corporate network begin and where they end.
Figure 5: How We Conceptualize the Evolution of IT and Security Architectures
Source: Credit Suisse Research.
Internet
Internet
IaaS
PaaS
SaaS
On-Premise architechure1995-2005
Hybrid Cloudarchitechure2005-2015
Multi-cloud, cloud-first architechure2015- 2025
IaaS
Internet
SaaS
Perimeter Defined Security
Enterprise data is mainly stored in on-premise datacenters
Regional offices are connected
to HQ via hub-and-spokeEast-West traffic tends to
dominate North-South trafficThe workforce is internal, immobile and sedentary
Perimter centric hardware oriented security infrastructure Mostly everything sits behind the corporate firewall
Point Solution Security
Some enterprise data is stored on-premise, some in the cloud
Branches access cloud data via
backhauling to secure networkEast-West traffic and North-South
are equally importantThe workforce is increasingly mobile, there are more endpoints
Hardware and software oriented security infrastructureNetwork perimter less defined as cloud/mobility increasesPoint solutions addresses perimiter breaks for cloud and mobility
Cloud Defined Security
A majority of enterprise data is stored in the cloudRegional offices access enterprise
data via the cloudNorth-South traffic dominates East-
West traffic
The workforce is extremely mobile and multi-device is the norm
Software, rather than appliances, dominate the security infrastructureSecurity as a Service means
security is built into the edge of the network
5 September 2017
Cybersecurity 8
Security Spend unlikely to remain coalesced around the network
Historically enterprise security spending has focused on the network perimeter. This is well
exemplified by the success of the largest and most investible public cybersecurity plays –
Firewall vendors Check Point Technologies, Palo Alto Networks, and Fortinet.
Figure 6: Spend has historically coalesced around the perimeter, as reflected by
the cumulative market capitalization of the three key firewall vendors
Publically listed Firewall Vendors cumulative market capitalization
Source: Thomson Reuters Datastream, Credit Suisse Research
We believe many investors and industry analysts expect spend to continue to coalesce
around the network, and firewall to retain its relevance as an integral part of the security
stack. Gartner, for example, forecasts Network Security to grow 9% through 2020.
Figure 7: Industry analysts (and we believe the market) expects security spend
in the network and its perimeter to remain buoyant through 2020
Gartner market forecast CAGR to 2020
Source: Gartner, Credit Suisse Research
We believe agile IT requires a new agile security approach, and anticipate a reallocation of
spend away from the perimeter. In fact it already appears there is somewhat of a
disconnect between forecasted enterprise cloud spend (as a percent of total IT budget),
and enterprise spend on cloud security (as a percent of total security budget).
$0bn
$10bn
$20bn
$30bn
$40bn
1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016
Palo Alto Networks Fortinet Check Point
2%
4%
4%
6%
8%
9%
12%
Messaging security
Other security
Endpoint security
Web security
Identity and accessmanagement
Network security
Security and vulnerabilitymanagement
5 September 2017
Cybersecurity 9
Figure 8: The Cloud Security Spending Disconnect
Source: Gartner, Credit Suisse Research.
Agile Compute Demands Agile Security
In our view, the new security paradigm should mirror the new cloud computing paradigm in
that it is (1) on-demand, (2) borderless, (3) without hardware, (4) consumption model pricing,
and (5) scalable. Traditional hardware approaches to security (appliances) fail on each of
these accounts. Appliances require capacity planning, aren’t on-demand or scalable,
are predicated on rigid hardware, and assume the existence of defined borders.
We think a sub-set of innovative vendors stand to benefit; as enterprises shift from
physical to virtual IT, whether public or hybrid cloud, the priorities become scalability,
managing who is granted entry in and dynamically protecting workloads. Ultimately, there
is a need to secure applications and data, and consumers of them, regardless of where
either resides. Security sub-sectors we expect will remain relevant include the following.
■ Security as a Service: We believe cloud-based security offerings that enforce policy
as an intermediary between the enterprise and the Internet via points-of-presence in
the network edge offer great promise to expand their capabilities to offer the entire
security stack as a service. Representative vendors include Zscaler, Cato Networks
Cloudflare, and Akamai.
■ Cloud Workload Protection Platforms (CWPP): Recognizing that server workloads
differ fundamentally from end-facing endpoints, CWPPs offer network segmentation,
traffic visibility, configuration and vulnerability measurement, application control, exploit
prevention, and memory protection. Representative innovators include vArmour, Illumio,
Dome9, CloudPassage, and Carbon Black.
■ Identity and Access: Once considered a mature market, we think identity will become
increasingly instrumental and something that many emerging cloud security vendors
will be wary of taking responsibility for themselves. Representative disruptive vendors
include Okta, CyberArk, SailPoint, BeyondTrust, and ForgeRock.
■ Security Analytics: Regardless of paradigm, we believe security event data still need
to be collected, stored, and correlated, and therefore we see security analytics as
architecture agnostic. We are positive on Splunk, having initiated with an Outperform
rating, $80 target price, representing 19% upside potential.
■ Application Security: If the programmatic code itself is well constructed without
vulnerabilities, the surface area for attack is greatly reduced. As application workloads
are increasingly transient, it is important security be embedded within the apps
themselves. We see value in companies such as CA’s Veracode, Qualys, and
WhiteHat Security.
7.1%
9.3%
11.8%
14.4%
17.0%
19.2%
6.7%7.8%
8.8%9.8%
10.6% 11.3%
0%
5%
10%
15%
20%
25%
2015 2016 2017 2018 2019 2020
Spend on Cloud (IaaS, PaaS & SaaS) as % of IT budget
Spend on Cloud security as % of security budget
5 September 2017
Cybersecurity 10
Ultimately, we would argue that should there be a current opportunity to, with a clean
slate, reimagine IT security in what is rapidly becoming a cloud-first world,
appliance-centric perimeter defense is unlikely to be the conclusion drawn. We therefore
wonder if the $11bn (forecast to rise to $16bn by 2020) network security market is ripe for
displacement.
Other Firewall Tailwinds to Slow
In addition to the overarching architectural challenges we believe face the firewall industry
as the world transitions to cloud, we consider five further meaningful headwinds to the
category:
■ Competition Is Set to Reaccelerate: A long-running theme has been easy
competitive wins for new entrants versus legacy competitors. Now that Juniper has no
share left to give, Cisco is getting its act together, and product parity is upon us, we
expect competition to meaningfully intensify.
Figure 9: Juniper Has Little Share Left to Donate Figure 10: Cisco Is Growing Security Rapidly
4Q rolling sum as share of total UTM and Firewall market Cisco Firewall & UTM y/y, quarterly, %
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
■ Changing Dynamics in the Cloud: Cloud transitions mean short-term revenue
headwinds that hold value for investors in terms of greater Customer Lifetime Value
(CLTV). We are concerned network security investors are unprepared for a revenue
headwind, and moreover, we expect this transition to be deflationary. While transitions
that consolidate adjacencies can be price accretive, we worry that virtualizing firewall
disaggregates adjacencies and expect price pressure in the transition to a metered
model (greater price transparency, opportunity for better capacity utilization, and
lowered switching costs).
0%
10%
20%
30%
40%
50%
60%
70%
80%
2002 2004 2006 2008 2010 2012 2014 2016
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper 23%
-40%
-20%
0%
20%
40%
60%
2003 2005 2007 2009 2011 2013 2015 2017
5 September 2017
Cybersecurity 11
Figure 11: Virtualizing Firewall Disaggregates the
Combined Hardware/Software Model
Figure 12: Consuming firewall either by subscription
or on-demand reduces excess capacity
Traditional revenue model (not to scale, for illustrative purposes only) Conceptual traffic patterns and savings, for illustrative purposes only
Source: Credit Suisse Research Source: Credit Suisse Research
■ TAM Expansion Is Finite: The revenue preservation strategy of platforming is limited
by what remains to be consolidated onto the next-generation firewall and the ceiling for
consolidated product demand. We believe years of easy consolidation are likely at an
end and, therefore, so are the vendor benefits of feature consolidation: (1) TAM
expansion, (2) attach tailwind, (3) unit gravity. In addition, the relative scale of whatever
might be consolidated is much smaller than in the past due to the overall TAM having
already become significantly larger.
Figure 13: Many Point Solutions Have Already Been
Consolidated onto NGFW
Figure 14: UTM/NGFW already Accounts for in
Excess of 50% of the Security Appliance Market
Size of bubble represents size of TAM (not to scale, for illustrative purposes only)
Security appliance market share by revenues
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
■ SSL Decryption Is Not the Tailwind People Anticipate: Enterprises have been
upsizing to appliances with higher throughput in order to decrypt rising levels of SSL
encrypted traffic. We expect this tailwind to taper as the rate of increase in encrypted
traffic decelerates. Furthermore, we expect an increasing amount of decryption to be
done off-box by visibility appliances available from the likes of Gigamon and
Metronome (now Symantec).
2 3 4 51
Maintenance/support
Subscription
Year
Hardware
portion
of product
Up
-fro
nt
pro
du
ct
co
st
Jan Jan Mar Apr
Saved in Subscription pricing model
Saved in cloud virtual pricing model
Number of features
consolidated
Time
Core
Firewall
Core
Firewall
& VPN
Core
Firewall
& VPN
& WAF
Core
Firewall
& VPN
& WAF
& IDP
Core Firewall
& VPN
& WAF
& IDP
& AV
& DLP
Unified Threat Management (includes Next
Generation Firewall)
VPN
Content Management
IPS
Firewall
52%
16%
12%
18%
5 September 2017
Cybersecurity 12
Figure 15: Around 75% of browsing time is spent on
SSL encrypted sites on Chrome
Figure 16: The Majority of Traffic Occurs Within the
Same Datacenter and Doesn't Require Encryption
Chrome browsing patterns Traffic distribution
Source: Google, Credit Suisse estimates. Source: Cisco VNI, Credit Suisse estimates.
■ Shifting Spend from Protection to Detection and Response: As enterprises have
been conditioned to accept the inevitability of breaches despite investment in
protection, there has been a shift in security budgets to detection and remediation
capabilities. We expect that this shift continues and will be a disproportionate headwind
for network security players despite many having elements of detection and response
in their portfolios.
Figure 17: Enterprise Security Spend Shifting
Rapidly to Detection & Response
Figure 18: EDR Market Forecast to Grow ~17x the
EPP Market
% of Enterprise IT Security Budget Dedicated to Detection & Response
Endpoint Detection and Response (EDR) market vs Endpoint Protection Market (EPP)
Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research. Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research.
70%73%
75%78%
81%83%
45% 46%
54%57%
60%57%
66%68%
71% 70%74%
30%
40%
50%
60%
70%
80%
90%
Mar '15 Jul '15 Nov '15 Mar '16 Jul '16 Nov '16 Mar '17 Jul '17
Percentage of pages loadedover HTTPS in Chrome
Time spent browsing SSLencrypted sites on Chrome
Data center to user
Data center to data center
Within data center
14%
9%
77%
10%13%
18%23%
30%
39%
50%
60%
0%
10%
20%
30%
40%
50%
60%
70%
2013 2014 2015 2016 2017 2018 2019 2020
2013-2020 CAGR = 29.2%
3,166 3,249 3,333 3,420 3,509 3,600
238 640 797 9931,236
1,540
0
1,000
2,000
3,000
4,000
5,000
6,000
2015 2016 2017 2018 2019 2020
EPP
EDR
5 September 2017
Cybersecurity 13
Stock Calls
Ratings Driven by Negative Category View
Given our negative category view is a significant driver of our stock ratings, PANW
(Underperform, TP:$125, 14% downside), FTNT (Underperform, TP:$33, 14% downside),
CHKP (Neutral, TP:110, 1% downside), we have attempted to contextualize the exposure
to each headwind that results in heterogeneous risk.
This analysis highlights the differentiated exposure to each risk factor. On an aggregated
basis, we believe Check Point to be the best positioned, and Fortinet the worst, to deal
with the sector headwinds we have isolated.
Figure 19: Relative Exposure to Sector Risks
Source: Credit Suisse Research.
Substantial Nuance in Firewall Valuation
Broad conclusions from our deep-dive, holistic valuation work are as follows:
■ PANW Looks Misleadingly Cheap: On EV/UFCF, both Palo Alto Networks and
Fortinet appear inexpensive. Given higher relative growth expectations for PANW &
FTNT, the fact they trade in-line with CHKP is optically attractive. However, adjusting
out SBC (broadly accounting for the fact some cash would have had to have paid in
lieu of stock to retain talent) and adjusting for the change in LT deferred revenue
shows FTNT and particularly PANW to be more expensive than CHKP.
■ Only CHKP Trades on an Earnings Multiple: Looking at income statement multiples,
particularly non-GAAP P/E, reveals only CHKP to be trading within a reasonable range
on P/E, while both PANW and CHKP trade on revenues and cash flows.
■ Recurring Revenues Favor Fortinet: Fortinet is attractive on a recurring revenue
basis. While we think of recurring revenue multiples as more reflective of floor value
than intrinsic value, recurring revenues provide more support to FTNT than either
PANW or CHKP.
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕
Cisco increasingly competitive ○ ◕ ◑
Juniper has little share left to give ○ ● ◔
Cloud transitionary headwinds ◔ ◑ ◑
TAM expansion ◑ ◑ ●
Competition in the mid market ◑ ○ ●
Carrier Exposure ◔ ◑ ●
Total ◔ ◑ ◕
Who is best equipped to deal with…
5 September 2017
Cybersecurity 14
Figure 20: Valuation Matrix
Source: Company data, Credit Suisse estimates.
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x
EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x
EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x
EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x
Income Statement Multiples
EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x
EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x
Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x
GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x
EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x
Absolute Valuation AnalysisCHKP PANW FTNT
Absolute Valuation Analysis
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 13.0x 12.5x 11.6x 10.6x 14.5x 12.7x
EV/UFCF Adjusted for SBC 14.2x 13.6x 41.3x 38.4x 25.8x 21.6x
EV/UFCF Adjusted for LT Deferred 13.6x 13.2x 18.0x 15.0x 23.2x 19.8x
EV/UFCF Adjusted for SBC & LT Deferred 14.9x 14.5x n/a n/a 78.5x 56.4x
Income Statement Multiples
EV/Sales 7.0x 6.7x 4.7x 4.3x 3.2x 2.9x
EV/Non-GAAP Operating Income 13.0x 12.4x 8.1x 7.3x 18.3x 16.1x
Non-GAAP P/E 19.4x 18.9x 40.6x 36.0x 33.1x 29.8x
GAAP P/E 21.3x 20.1x -48.2x -46.9x 70.7x 60.0x
Recurring Revenue Multiples
EV/Recurring Revenue 10.2x 9.7x 7.2x 6.3x 5.1x 4.6x
EV/Subscription Revenue 25.9x 23.2x 14.0x 13.4x n/a n/a
EV/Maintenance Revenue 16.9x 16.7x 16.5x 15.2x n/a n/a
CHKP PANW FTNT
5 September 2017
Cybersecurity 15
PANW: Our Take on the Key Debates Initiating Coverage with Underperform Rating and $125 Target Price
Despite being one of the most disruptive innovators of the security industry, we believe
investors are overly optimistic regarding Palo Alto Networks’ ability to sustain above-
market top-line growth rates. We believe this is a great company with great management
but not a great stock at current levels.
Key Debates:
■ How Long Can PANW Outgrow the Market? At present, consensus expectations call for
PANW to outgrow the firewall market by a factor of 2x. Can this be sustained at scale?
■ How Big of a Growth Driver Can Subscription & Support Be? With a compelling
platform strategy, subscription is an important revenue driver. As share gains contribute
less at scale, how large is the attached and unattached subscription opportunity?
■ How Material Is the Refresh Opportunity? Management guidance and model
mechanics point toward a refresh opportunity in 2H17 and FY18. We think sizing this
opportunity is an important debate for investors.
Our Takes:
■ Growth Expectations Are Too Optimistic: Past performance isn’t an indicator of future
success. We think PANW enjoyed a perfect storm of tailwinds as it grew; now these
tailwinds are abating, or becoming headwinds. In addition, PANW appears highly exposed
to the sector headwinds (architectural and otherwise) we believe face firewall incumbents.
■ Remaining Subscription Headroom Unclear: Attached products (e.g., Global Protect,
WildFire) appear highly penetrated, but there remains headroom for unattached. However,
we think subscription is largely tied to physical box sales, and unattached is too small to
move the needle.
■ The Refresh Cycle Is Less Supportive than Some Presume: We think the refresh cycle
is potentially less of a support (20-30% vs 50% of product) than some in the market
believe and believe a bull case constructed off the refresh dynamic to be overly optimistic.
Risks to Our Takes:
■ Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity
and has showed willingness to deploy it in a transformational manner when reportedly
bidding upward of $3 billion for Tanium in fall 2015.
■ Strength and Resilience of Financial Model: The overall execution of the transition to a
subscription-based model may prove more successful than anticipated and could provide
access to the >$8 billion CLTV expansion opportunity that management estimates.
■ Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could
become a potential target for a strategic buyer seeking to consolidate the market.
Estimates:
■ Revenue and EPS: We forecast FY18E/FY19E revenue growth at 21%/17% vs the
consensus at 22%/19% and EPS of $3.29/$4.09 vs the Street at $3.30/$4.12.
■ Cash Flow: We forecast 7.5% FCF 10 year FCF CAGR through 2027E.
■ Refresh Cycle: We model a ~5.5 year refresh cycle.
Valuation: ■ DCF: Our $125 target price is based on our DCF analysis, implying 15% downside and
20x post-tax SBC adjusted EV/uFCF (CY2019) vs CHKP at 16x and FTNT at 18x.
5 September 2017
Cybersecurity 16
Key Charts
Figure 21: PANW Benefited from a Perfect Storm of
Factors and Has Taken Substantial Market Share…
Figure 22: ...The Market Expects PANW Billings to
Continue to Outgrow Competitors and the Market …
Source: IDC, Credit Suisse Research. Source: Factset, Credit Suisse Research.
Figure 23: …However, Management Guidance
Implies Its Refresh Cycle Has Lengthened…
Figure 24: …Refresh Cycle and Rate Assumptions
Sensitivity Show Diminished Refresh Opportunity…
Source: Company Management, Credit Suisse Research. Source: Credit Suisse Research.
Figure 25: …The Tailwind from Support Is
Challenging to Increase at the Same Rate… Figure 26: …with Valuation Highest (Adj. for SBC)
Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse estimates.
0%
20%
40%
60%
80%
2002 2006 2010 2014
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper
0%
10%
20%
30%
40%
50%
60%
70%
80%
Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018
PANW CHKP FTNT
2
3
4
5
6
7
8
2013 2014 2015 2016 2017 2017
Refresh cycle guidance range
Midpoint
Refresh rate assumption (% )
80% 85% 90% 95% 100%
4.038% 40% 42% 45% 47%
4.531% 33% 35% 37% 39%
5.027% 29% 30% 32% 34%
5.523% 25% 26% 28% 29%
6.019% 21% 22% 23% 24%
6.515% 16% 17% 17% 18%
7.09% 10% 11% 11% 12%
Ave
rage
Ref
resh
(y)
30%
35%
40%
45%
50%
2008 2009 2010 2012 2013 2015 2016
FTNT PANW CHKP
14.9x12.2x 13.8x
16.4x19.2x
37.8x
0x
10x
20x
30x
40x
CHKP FTNT PANW
EV/UFCF, NTM
EV/UFCF Adjusted for SBC, NTM
5 September 2017
Cybersecurity 17
FTNT: Our Takes on the Key Debates Initiating Coverage with Underperform Rating and $33 Target Price
We respect Fortinet as an innovative vendor that provides exceptional products and an
integrated platform offering few competitors can match. Successes in hardware, however,
may not translate into the cloud, and FTNT faces the most risk from sector headwinds.
Key Debates:
■ Is Exposure to SMB a Positive? The SMB market is growing rapidly as agnostic attacks
threaten SMBs more than ever (e.g., ransomware) and regulation enforces greater
controls and accountability (GDPR for instance). Is FTNT's exposure here attractive?
■ How Does Competitive Advantage Translate to Cloud? As the virtual form factor
becomes an increasingly important method of consumption, debates surround whether
FTNT will retain its silicon-based competitive advantage in the cloud.
■ Is Carrier Market Exposure a Blessing or Curse? FTNT's success in the carrier market
has been a blessing in the past, while now investors are debating if this will continue.
Our Takes:
■ Despite Growth, Competitive Pressures Render SMBs Unattractive: In addition to
lower renewal rates, the SMB market is increasingly fragmented and competitive, and we
think these dynamics apply pricing pressure to vendors operating in this end of the market.
■ Silicon Isn’t a Competitive Advantage Anymore: We struggle to see how the
competitive advantage bestowed by superior silicon can be sustained as successfully in
the cloud.
■ Carrier Market Rapidly Virtualizing: We are concerned FTNT's ~20% carrier billings may
mature into a curse. Our field conversations underline that the carrier market is virtualizing
rapidly, and we think this may cannibalize appliance demand.
Risk to Our Takes:
■ Legendary Leadership: We view the dual leadership of Fortinet by Ken and Michael Xie,
CEO and CTO, respectively, to be a key strength. Given the brothers' track record of
disruptive innovation in the space, we don’t count out their ability to re-adapt FTNT's
strategy beyond the successful formula of the past five years.
■ Transformative M&A: We estimate FTNT could deploy as much as $4bn for
transformative M&A, albeit lower than peers (60% less than CHKP and 20% less than
PANW). This still represents non-trivial balance sheet capacity.
■ Becomes a Strategic Target: Given its relatively small market cap, FTNT could
represent a potential target for a strategic buyer. recognize
Estimates:
■ Revenue and EPS: We forecast FY17E/FY18E revenue growth at 17%/11% vs the
consensus at 17%/15%, with EPS of $0.94/$1.10 in FY17E/ FY18E vs Street estimates at
$0.95/$1.14.
Valuation: ■ DCF: Our discounted cash flow analysis yields a target price of $33, implying 14%
downside risk and an FY18E EV/uFCF (SBC adj.) of 13.5x.
■ Relative Valuation: Expensive on an absolute basis but less so once adjusted for
growth, we think of PANW as in between CHKP (best) and PANW (worst) on valuation.
5 September 2017
Cybersecurity 18
Key Charts
Figure 27: Highly Exposed to the SMB Market… Figure 28: ...Which Remains the Most Competitive
Fortinet 2016 Revenue Exposure by server class Herfindahl-Hirschman Index, 4Q moving average
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
Figure 29: FTNT Most Exposed to Sector Risks…. Figure 30: …with an Elongating Refresh Cycle
US$ in millions, unless otherwise stated US$ in millions, unless otherwise stated
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Figure 31: Less Balance Sheet Capacity… Figure 32: …Valuation in Middle vs Firewall Peers
US$ in millions, unless otherwise stated EV/uFCF adjusted for SBC, and Non-GAAP P/E
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
High-end
Midrange
Volume
20%
24%56%
FTNT
0.00
0.05
0.10
0.15
0.20
0.25
2002 2005 2008 2011 2014
High-end
Midrange
Volume
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕
Cisco increasingly competitive ○ ◕ ◑
Juniper has little share left to give ○ ● ◔
Cloud transitionary headwinds ◔ ◑ ◑
TAM expansion ◑ ◑ ●
Competition in the mid market ◑ ○ ●
Carrier Exposure ◔ ◑ ●
Total ◔ ◑ ◕
Who is best equipt to deal with…
5%
10%
15%
20%
25%
30%
35%
2008 2010 2012 2014 2016
4 years
4.5 years
5 years
5.5 years
6 years
6.5 years
7 years
$9.9bn
$5.4bn
$4.0bn
$0bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
CHKP PANW FTNT
16.4x19.2x
37.8x
20.5x
38.8x
44.2x
0x
10x
20x
30x
40x
50x
CHKP FTNT PANW
EV/uFCF Adjusted for SBC, NTM
Non-GAAP P/E, NTM
5 September 2017
Cybersecurity 19
CHKP: Our Take on the Key Debates Initiating Coverage with a Neutral rating and an $110 Target Price
While we view transitionary challenges as a negative influence on the category as a whole,
Check Point excels over peers in nearly every major identifiable headwind and is thus our
preferred firewall play.
Key Debates:
■ Is the Product Line-up Competitive? How does Check Point's solution stand up to those
of PANW, which has aggressively grown share?
■ Where Are Margins Heading? While Gross Margins have held up, operating margins
have been trending downward since 2012, with sales & marketing spend rising.
■ How Prepared Is CHKP for the Architectural Shift? As security shifts from physical
appliances to virtual ones, uncertainty surrounds the scalability and performance of legacy
security companies and their products in cloud architecture.
■ What’s the Value of CHKP’s Substantial Idle Cash Balance? CHKP’s total cash &
equivalents are 20% of its market cap, which, undistributed or reinvested, may appear to
be lost opportunity for greater returns.
Our Take:
■ Recognized Offerings, with a Fully Integrated Management Console: We believe
Check Point's solutions in the Enterprise Network Firewall and UTM space are among the
best, while CHKP management console's ability to implement a unified policy across the
entire infrastructure provides a point of differentiation against rivals.
■ Margins Are Optimized: While we recognize management's long-term value creation and
superlative discipline against competitive pricing pressures, we see Check Point's margin
structure at peak and see limited opportunities to expand it further.
■ Management Has Adapted Successfully in the Past: We take confidence in the fact that
CHKP already transitioned from software to hardware in the mid-2000s, and we believe
that the experience will prove advantageous in the reverse as the industry moves away
from hardware and toward cloud-based solutions.
■ Large Acquisition Capacity Will Be Major Strategic Advantage: We estimate CHKP
has $9.7 billion of total firepower (2.3x FTNT’s capacity and 1.8x PANW’s), which we
believe is strategically significant.
Risks:
■ Successful Transition Not Guaranteed: Strong management notwithstanding, CHKP
has ceded 337bps of market share since its peak in 2012 of ~12%.
■ Management May Be Conservative with Cash: We note that management has
amassed a cash pile and not yet unleashed it for transformative acquisitions, which might
indicate conservativeness and unwillingness for relatively large deals.
Estimates:
■ Revenue: We forecast FY17E/FY18E revenue growth at 7.5%/7.5% vs the consensus at
7.5 %/7.0%, respectively.
■ EPS: We forecast FY17E/18E EPS of $5.18/$5.66 in-line with Street estimates at
$5.18/$5.67, respectively.
Valuation: ■ DCF: Our discounted cash flow analysis suggests a target price of $110, implying 1%
downside potential and 14.5x EV/uFCF (2018).
5 September 2017
Cybersecurity 20
Key Charts
Figure 33: CHKP Has Lost Share Since 2012… Figure 34: ...but Margins Have Remained High
4Q rolling sum as share of total UTM and Firewall market Reported Adjusted Operating margin
Source: IDC, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
Figure 35: Better Placed for Sector Risks Figure 36:Significant Cash Balance
Exposure to Sector Headwinds Cash (onshore and offshore) as a % of market capitalization
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Figure 37: Balance Sheet Can Be Unleashed.. Figure 38: …Valuation Cheapest vs Peers
Assuming 3x leverage, Balance Sheet capacity vs Peers Valuation Analysis on EV/FCF basis
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
0%
10%
20%
30%
40%
50%
60%
70%
80%
2002 2004 2006 2008 2010 2012 2014 2016
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper
45%
50%
55%
60%
65%
2003 2009 2015
Adjusted operating margin
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕
Cisco increasingly competitive ○ ◕ ◑
Juniper has little share left to give ○ ● ◔
Cloud transitionary headwinds ◔ ◑ ◑
TAM expansion ◑ ◑ ●
Competition in the mid market ◑ ○ ●
Carrier Exposure ◔ ◑ ●
Total ◔ ◑ ◕
Who is best equipped to deal with…
4%
14%
18%
20%
23%
27%
29%
44%
0% 10% 20% 30% 40% 50%
Qualcomm Inc
Alphabet Inc
Intel Corp
Microsoft Corp
Check Point
Oracle Corp
Apple Inc
Cisco Systems Inc
$9.9bn
$5.4bn
$4.0bn
$0bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
CHKP PANW FTNT
14.9x12.2x 13.8x
16.4x19.2x
37.8x
0x
10x
20x
30x
40x
CHKP FTNT PANW
EV/UFCF, NTM
EV/UFCF Adjusted for SBC, NTM
5 September 2017
Cybersecurity 21
Structural Thesis
Cybersecurity is Secular Growth Data Are of Enormous Value, and Thus Deserving of Expensive Protection
This is not a new phenomenon; consider the Domesday book2, the perceived value of the
data it contained was such that when not travelling with the King, it was housed in the
royal treasury in Winchester, arguably the most secure location in the British Isles. Later it
was kept in an iron clad chest with three locks, the keys to which were divided amongst
three officials such that its opening required mutual consent.
As data have increasingly become stored in soft, rather than hard form, the security
surrounding it has naturally moved from physical walls and guards to their digital
equivalent. A digitized Domesday book should exist encrypted and backed up in a
hardened Oracle database with security controls activated, in a server located behind a
NGFW, segmented from east-west traffic on the corporate network via internal firewalls,
separate from the web server (which itself should be protected with a WAF to protect
against the injection of SQL queries), there should be honeypots to throw off potential
attackers and a full-time security monitoring team should be ensuring the health of the
network at all times.
Of course, the point is that the modern day enterprise is an agglomeration of digitized
assets, and is therefore in need of protection. From a structural standpoint, the enterprise
demand for protection increases as a function of three variables: (1) the volume, (2) the
value of digitized data, and (3) the threat of its compromise.
In 2016, CISOs deemed the aggregate value of digital assets such that c$75bn was spent
on its protection.3 We are of the view that continued increases in the volume and value of
data and an unabating cybercrime wave drive a secular increase in Security Software
spending that will outpace the prevailing forecasts of the market and industry analysts.
Figure 39: IDC Forecast IT Security Vendor Revenue to Grow 7.6% Through 2020
Source: Gartner, Credit Suisse Research
2 A manuscript comprising a great inventory of England and Wales commissioned by William I and completed in 1086. The Saxon Chronicle explained this exhaustive 'great survey' 'there was no single hide, nor yard of land nor indeed … one ox nor one cow nor one pig which was there left out, and not put down in his record.'
3 IDC Semiannual Security Spending Guide, Oct 12; includes software, hardware and services
6,713
11,297
16,072
7,715
8,652
10,064
2,889
5,914
9,141
3,618
5,410
7,471
1,738
2,190
2,732
2010 2016 2020
Messaging
Security
Web
Security
Identity and Access
Management
Security and
Vulnerability
Endpoint
Security
Network
Security
1.7%
5.7%
8.4%
11.5%
3.9%
9.2%
$26,663m
$36,240m
$48,525m 2016-2020 CAGR
7.6%
5.9%
5 September 2017
Cybersecurity 22
Data Are Increasingly Valuable to the Firm
Increasingly, the firm's most valuable asset is its data. As recognition of this continues to
take hold, we think firms will measure the value of their data more rigorously, learning not
only it is more valuable than they currently perceive but also that it is increasing in value
more rapidly than they appreciate. A greater enterprise understanding of the value of its
data assets will result, we think, in greater propensity to spend on its protection.
CEO Ginni Rometty of IBM eloquently connected data and cybercrime earlier this year at
the Security Summit in New York, where she said, “We believe that data is the
phenomenon of our time. It is the world’s new natural resource. It is the new basis of
competitive advantage, and it is transforming every profession and industry. If all of this is
true – even inevitable – then cybercrime, by definition, is the greatest threat to every
profession, every industry, every company in the world."
The HBR agree, describing most modern organizations as data-driven to some degree
and seeing data becoming 'a centerpiece of corporate value creation more generally' (Do
you know what your company's data is worth? HBR). We believe there are two common
components to a company's data assets:
■ Traditional Data: Customer lists, patents, budgets, plans, ideas, and other IP: these
are data that for the most part existed in hard form prior to the information age, and
have now been digitized. As a rule of thumb, we think about this as being stored in
legacy databases, analyzed using legacy tools, and creating value in traditional ways.
The IP traditional data represent are increasingly valuable. We believe that barriers to
compete are decreasing across the spectrum as a result of a confluence of disruptive
factors, not least the agility of cloud architecture and level of connectivity enabling
immense scalability. Consider IHG and Airbnb. Originally founded in 1777, the
multinational hotel group IHG operates c770k rooms globally, while Airbnb was founded in
2008 and lists in excess of 2m. In our view, proprietary IP represents an undisruptable
barrier, and therefore, against a background of decreasing barriers to compete, IP will
increase in value.
■ Big, Fast Data: Consider the rising volume of data (both structured and unstructured)
coupled with improving availability and ability of tools to store, analyze, and ultimately
monetize larger and larger amounts of data. We think about this as data existing as a
result of digitization; it’s the digital exhaust of the information age.
We define Big Data simply as datasets so large and unstructured that their storage,
management, and analysis is beyond traditional databases and tools. We believe the
amplifying cycle of (1) data creation, (2) data storage, (3) data transmission, and (4) data
analytics maps onto the determinants of Big Data value. We believe this virtuous data
cycle as one of the most unifying themes across the global technology space.
Figure 40: The Virtuous Cycle of Big Data Figure 41: Big Data Value Determinants
Source: Credit Suisse Research. Source: Gartner, IBM, Credit Suisse Research.
Data Creation
Data Storage
Data Transmission
Data Analytics
The Virtuous Cycle of
Big Data
Volume Variety
VeracityVelocity
Big Data
VALUE
Scale/amount
of data
Analysing
streaming data
Data
uncertainty
Different forms
of data
5 September 2017
Cybersecurity 23
Putting this virtuous cycle another way, as data storage and management follows Moore's
law to increasing affordability, the necessary yield from analysis of that data to justify its
storage decreases; as analytics become more advanced, and transmission faster, the
insight yield gained from the data increases while the exponential increase in data creation
supports an ever expanding pool of potential insight. Therefore, at its most fundamental,
the value proposition to the enterprise of Big Data-derived insights increases as
infrastructure costs decline, the amount of data grows and analytics improves.
Figure 42: Forecast Growth in
Connected Devices
Figure 43: Unstructured Data Growth
Greatly Outpaces Structured Data
Source: Company Data, Credit Suisse Research. Source: Oracle, ESG Digital, Credit Suisse estimates.
We thus believe two of the three key determinants of enterprise demand for protection, the
volume and value of digitized data, are rapidly growing. In addition, we believe the third
determinant, threat of compromise, is also increasing.
Unstructured Data Growth 15bn +11% 28bn
M2M: Non-cellular 2.6 +27% 10.7
M2M and consumer electronics; cellular 0.4 +25% 1.5
Consumer electronics; non-cellular 1.6 +12% 3.1
PC/laptop/tablet 2.4 +3% 2.8
Mobile phones 7.1 +3% 8.7
Fixed phones 1.3 +1% 1.4
2015 2021
Growth of Data
Driven by Unstructured Data
300 Exabytes
12%Structured Data
88%Unstructured Data
80Exabytes
2013 2015
5 September 2017
Cybersecurity 24
The Cyber Crime Wave Continues Unabated
It stands to reason that as the volume and value of digital assets grow, all else equal, the
yield on cybercrime increases. On the dark web, you can sell 100 credit card records for
more than you can ten, and the greater the value of data encrypted, the higher the
ransomware victims marginal propensity to pay for decryption.
Of course there are additional variables, including the sophistication and deployment of
threats and defenses. Should both of these rise in lockstep with the growth in volume and
value of digital assets, it follows that the amount of successful breaches will remain static.
However, upon examination, available data support a concerning conclusion:
sophistication and deployment of cybercriminals is outpacing the defense; the bad guys
are winning.
Figure 44: The Number of Records Lost to Data Breaches Is Increasing at an Exponential Rate
Source: Credit Suisse Research.
We make the following key observations: (1) the absolute number of records breached
appears to be increasing at an exponential rate, (2) which is driven by a 21% CAGR
increase in successful data breaches4 since 2011 that is accelerating (up 40% from 2015
to 2016), and (3) hacking, skimming, and phishing are behind this rapid increase (up 105%
from 2015 to 2016). The balance of power appears heavily tilted toward the offense, and
we continue to live in the midst of a cybercrime wave.
4 'The Identity Theft Resource Center (ITRC) defines a data breach as an incident in which an individual name plus a Social
Security number, driver’s license number, medical record or financial record (credit/debit cards included) is potentially put at risk because of exposure. This exposure can occur either electronically or in paper format. The ITRC will also capture breaches that do not, by the nature of the incident, trigger data breach notification laws. Generally, these breaches consist of the exposure of user names, emails and passwords without involving sensitive personal identifying information. These breach incidents will be included by name but without the total number of compromised records included in the cumulative total.'
100,000
1,000,000
10,000,000
100,000,000
1,000,000,000
10,000,000,000
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
Hacking Accident Insider
ThreeWonga
PayAsUGym
Brazzers Snapchat
Clinton
campaign
Lynda
Dailymotion
Friend
Finder Network
River City Media
Syrian government
Minecraft
Mossack Fonseca
Mail.ru
Fling
Anthem
VK
TalkTalk
Slack
Sanrio
Adult Friend Finder
VTech
Premera
Experian
AshleyMadison
Voter Database
NASDAQ
AOL
Gmail
Sony
Korea Credit
Bureau
Home Depot
Ebay
Yahoo
Citigroup
Nintendo
Twitter Apple
Kissinger
Cables
Yahoo Japan
Adobe
Tumblr
Yahoo
Medicaid
Apple
Massive Americanbusiness
hack
StratforSega
TexasState
Tricare
NHS
178.com
SonySteam
Sony PSN
AT&T
Gawker
BetfairJPM
Virginia Dept.
Of Health
RockYou!
US Military
Heartland
AT&T
RBS
Data Processors International GS Caltex
FNIS
Dai Nippon Printing
UK Revenue and Customs
TK / TJ Maxx
Hewlett Packard
KDDI
AOL
US dpt of Vet Affairs
Automatic Data Processing
Ameritrade Inc.
Citi
Cardsystems Solutions Inc.
AOL
Bell
Zomato
Expon. (Total Data Breaches)
5 September 2017
Cybersecurity 25
Figure 45: Successful Breaches Are Increasing at
an Accelerating Rate, Up 40% from 2015 to 2016…
Figure 46: … Primarily by Breaches Due to Hacking
/ Skimming / Phishing, Up 105% from 2015 to 2016
Total number of breaches Breaches by cause, %
Source: ITRC Breach Statistics 2005-2015, Credit Suisse Research. Source: ITRC Breach Statistics 2005-2015, Credit Suisse Research.
How Much Does Cybercrime Cost the Real Economy?
In aggregate, several studies have pegged the cost of cybercrime at around half a trillion
USD per annum5. This extraordinary number is roughly 0.8% of global GDP, only 10bps
less than the annual cost of narcotic crime, and extracts roughly 15-20% of the annual
economic value generated by the Internet (estimated at 2-3trn annually).
Perhaps more extraordinary than the current cost is a recent report6 suggesting that, by
2019, data breaches will cost $2.1trn, a quintupling from today.
Figure 47: Cybercrime Represents a Similar % of Global GDP as Drug Crime,
Piracy, and Car Crashes as Well as Just over Half That of Global Theft
Source: MIT Technology Review, Credit Suisse Research.
According to Gartner, the global market for IT security software, hardware, and services
reached approximately $76 billion in 2015. Although this level of spending has increased
meaningfully in recent years, $76 billion in annual spending accounts for less than 20% of
the $400 billion in total damage inflicted from hackers each year, a price most people,
companies, and governments are willing to pay.
As a result, we expect the increase in IT security spending to continue to outpace overall
IT budget growth, given these solutions can reduce the potential financial losses stemming
from breaches of critical systems and the loss of valuable data and information.
5 Net Losses: Estimating the Global Cost of Cyber Crime (see here)
6 The Future of Cybercrime & Security: Financial and Corporate Threats & Mittigation (see here)
157
321
446
656
498
662
421471
614
783 781
1,093
0
200
400
600
800
1,000
1,200
2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
0%
20%
40%
60%
80%
100%
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016
Hacking / Skimming / Phishing
Insider Theft
Data on the Move
Accidental Email /Internet
Other
1.50%
1.20%
1.00%
0.90%
0.89%
0.80%
Pilferage
Transnational Crime
Car Crashes
Narcotics
Counterfeiting/Piracy
Cybercrime
5 September 2017
Cybersecurity 26
Which Country Gets Hacked the Most?
As indicated in research from security firm mi2g Intelligence, the United States is the most
hacked country in the world, and the scale of international theft of U.S. intellectual property
(IP) alone is unprecedented and is estimated at hundreds of billions of dollars per year, in
the order of the size of U.S. exports to Asia.
On September 24, 2015, Chet Nagle, a former CIA agent and current vice president of M-
CAM, wrote an article in the Daily Caller, stating, “At FBI headquarters in July, the head of
FBI counterintelligence, Randall Coleman, said there has been a 53% increase in the theft
of American trade secrets, thefts that have cost hundreds of billions of dollars in the past
year. In an FBI survey of 165 private companies, half of them said they were victims of
economic espionage or theft of trade secrets—95% of those cases involved individuals
associated with the Chinese government.”
The effect of IP theft is twofold:
■ Lost Revenue: Rewards that should have accrued to innovators, or those who have
purchased licenses to provide goods and services based on them, as well as of the
jobs associated with those losses, and,
■ Incentive Misalignment: Illegal theft of intellectual property undermines both the
means and the incentive for entrepreneurs to innovate, which could slow the
development of new technologies and industries.
How Much Does Cybercrime Cost the Enterprise?
Perhaps more digestible than big numbers is to think about the average cost per breach to
the enterprise. Studies such as the Ponemon Institute's Cost of Data Breach survey show
the average breach cost to be around $4m, comprised of detection, response, notification,
and (the lion's share) lost business.
Figure 48: A Breach Costs an Average of $4m
Source: Ponemon Institute 2016, Credit Suisse Research.
It’s interesting to note the substantial regional skew; the average breach in the United
States costs more just in lost business costs than the aggregate average breach in the
United Kingdom. Globally, the average data breach costs $160k in notification costs, just
over $1m for ex-post response, just over $1m for detection and escalation, and c$1.5m in
lost business costs.
7.01
5.01 4.984.72 4.61
3.95
3.31 3.27
2.491.93 1.87
1.6
US
A
Ger
man
y
Can
ada
Fra
nce
Mid
dle
Eas
t
UK
Japa
n
Italy
Aus
tral
ia
Bra
zil
Sou
th A
fric
a
Indi
a
Notification costs
Ex-post response costs
Detection and escalation
Lost business costs
5 September 2017
Cybersecurity 27
Ponemon annual survey data are consistent with our thesis that as the value of data
continues to increase, the costs of breaches are rising (up 29% to $4m in 2016 from
2013). Also consistent with our thesis that data volume is also increasing, per capita cost
increased 15% from 2013, implying the average number of records breached is
increasing.
Encouragingly, however, it appears that the organization can take steps that have a
measurable impact on the cost of cybercrime. Research by the Ponemon Institute
suggests that good security practices, such as appointing a CISO, having an incident
response team in place, and using encryption reduce the average cost per compromised
record.
Figure 49: Organizations Can Take Actions to Reduce the Cost of Breaches
Degree to which the cost per data record breached is decreased by…
Source: Ponemon Institute 2016, Credit Suisse Research.
Why Are the Attackers Winning the Cyber War?
We think a war is won by the weapons used (think of the atomic bomb), or as a result of
the landscape changing (think of the Germans dealing with the onset of Russian winter on
the Eastern front). The cyber war is no different, except the weapons are in bits and bytes
and the landscape is the IT architecture. In our view, the cyber arms race is being won by
cybercriminals, and the shifting landscape increases the cyber-attack surface they can
target.
■ Weapons Arms Race
Simply the fact that attacks are increasing in size and frequency even as security spend
increases implies malicious innovation is outpacing benevolent innovation. We think a
confluence of factors are contributing to the success of cybercrime:
− Increasing Yield Translates to Increasing Sophistication: We believe the value
of volume of data is increasing, meaning the yield on investment in malicious
innovation is rising. We think this results in enhanced investment, increasing the
volume of attempted attacks (Symantec witnessed a two-fold increase in attempted
attacks against IoT devices over 2016, and at times of peak activity, the average
IoT device was attacked once every two minutes) and increasing attack
sophistication. (In-memory attacks are rapidly increasing in incidence.)
9%
8%
4%
3%
3%
2%
-3%
-3%
-4%
-4%
-5%
-6%
-6%
-6%
-8%
-10%
Third party involvement
Extensive cloud migration
Rush to notify
Lost or stolen devices
Consultants engaged
Provision of ID protection
Insurance protection
Data classification schema
Board-level involvement
CISO appointed
Extensive use of DLP
BCM involvement
Participation in threat sharing
Employee training
Extensive use of encryption
Incident response team
Average cost per breached record:
$158
Average cost decreased
Average cost increased
5 September 2017
Cybersecurity 28
− Barriers to Entry Decreasing: The cost of developing code and technology to
mount attacks has fallen from millions of dollars to the tens of thousands; this
significantly reduces the barriers to entry for conducting such attacks. Internet
security firm Trend Micro reports this trend in its Russian Underground 2.0 research
paper: the cost of spreading malware to 1,000 computers in the United States had
reportedly fallen from $100-150 in 2011 to as low as $40 by 2015.
− Attack Velocity Increasing: The lifespan of 82% of malware is less than an hour,
and 72% of threats surface but once, according to FireEye. This is the result of
inexpensive crypting services available on the dark web that can take pieces of
malware, scan them against all available signature-based detection agents, and
iteratively perform custom encryption routines until the malicious nature of the code
becomes all-but undetectable. This state is known on the dark-web as fully un-
detectable, or FUD for short, ironic given the fear, uncertainty, and doubt (FUD)
marketing tactics employed by so many in the security industry.
We think a greater payoff combined with diminishing barriers to entry and increasing
velocity explains the efficacy of cyber defenses being outpaced by volume and
sophistication and volume of attackers. It seems clear, both from a logical and anecdotal
standpoint, that pernicious attacks that attract substantial publicity are likely to act to
increase budgets. We believe that as long as the problem set outpaces the solution set,
the aggregate market will remain in growth mode. For more information on hacking,
hackers, and cyber threats, please refer to Appendix III, ‘Who are those guys?’
Figure 50: Anecdotal Evidence Suggests Attacks
Such as Wannacry Positively Affect Security Budgets
Figure 51: Barriers to Entry Diminishing—Cost per
Malware Click Through Is Decreasing
Source: Linkedin.com. Source: Trend Micro, Credit Suisse Research.
0
50
100
150
200
250
300
2011 2012 2013 2014 2015
$150
$100
$250
$100
$120
$200
$150
$90
$100
$40
5 September 2017
Cybersecurity 29
Figure 52: Software SoundBytes Regarding Cybercrime
Source: Credit Suisse Research.
■ Landscape Is Changing
The conventional approach to network security has been to build a tall, thick wall around
the corporate network, in which sat the corporation’s valuable data. Currently, virtually
every enterprise defense begins with this strong first line; the walls have been built high
with on-premise bricks of NGFW, SWG, and IPS. This IT architectural paradigm had a
defined attack surface (the sum of attack vectors), which generally could be understood
and defended.
As workloads are moved into the cloud, the corporate network inverts and becomes hard
to define. The growing reliance on cloud services should be an area of substantial concern
for enterprises, as ultimately it results in a rapidly expanding attack surface.
− Attack Surface Expanding: Cybersecurity Ventures forecasts the cyber-attack
surface will grow an order of magnitude larger through 2021. (See here.) As
workloads move to the public cloud, data are stored outside the enterprise
datacenter; as mobile devices and remote working proliferate, the centrality of the
corporate network decreases. Ultimately, the attack surface expands, presenting a
greater space in which adversaries can maneuver.
− Information Asymmetry: Securing the environment must be predicated on an
understanding of the environment. Thus it is of concern that Symantec found the
average organization is using ~900 cloud applications (up 10% y/y) but the average
CIO believes their organization uses between 30 and 40. The information
asymmetry of shadow IT results in unknown unknowns makes accurate risk
assessment challenging and reduces the purview of the information security team.
Software SoundBytesCybercrime
Brad Zelnick
(212) 325 6118
“People are realizing that there is no silver bullet. All these different threat detection
techniques solve some problems, and not others”
“Hackers are getting more strategic, initially they spent the most of their time focusing on large
institutions, now they are industrializing and automating themselves into smaller businesses, and
we are seeing lots of ransomware attacks infecting SMBs.”
“Very basic tactics continue to be used – many attacks aren’t at all sophisticated! All
it takes is basic blocking to prevent 99.9% of attacks.”
“You have an explosive growth in devices that need protecting within the network.
Incidents are increasing – ransomware increased 300% from 2015-2016 with nearly
4k attacks each day…”
“The key is you need to know what is on the network to protect the network. Tanium’s hygiene checks found
the average environment had 12-20% more endpoints than previously known; 5-20% of these had failing or
non-existent endpoint agents, 60% were missing critical patches, and 90% missing at least one patch.”
“Hacking is a multi-billion dollar per year business– its industrialized … they can buy
top of the line stuff”
5 September 2017
Cybersecurity 30
Figure 53: Software SoundBytes Regarding the Move to Cloud
Source: Credit Suisse Research
Software SoundBytesCloud transition
Brad Zelnick
(212) 325 6118
“On the cloud more generally, we don’t see the Fortune 500 decommissioning data
centers. Instead, their adoption of cloud is mostly adding compute rather than displacing
existing workloads.”
“It’s the third time in my career I have seen this shift—first it was mainframe, then ASP, now cloud.”
“No company wants to buy hardware or software anymore. So the majority of companies
predominantly are extremely hesitant to commit to a solution. They are okay with purchasing as an
operational expense—subscription.”
“For us, public cloud is not necessarily a replacement; often it's an addition. So
now what's in question is how the company is managing its data flow.”
“It is not necessarily true that running workload on Amazon is very cheap, for example if
you are running substantial DevOps workloads on Amazon once a day the cost saving is
more a perception.
“The fundamental change has been the mindset, for a very long time people looked at their
infrastructure like: I have these segments in my network, so I need these pieces and then I’m done.
People understand you aren’t set, because of the speed of change; the cycle is much shorter than
typical refresh, so this drives mindset of not buying solutions that will be obsolete in 5 years.”
“Everyone is doing something in the public cloud… In the public cloud you have to build
from bottom up, rather than try to retrofit… Everything is becoming virtualized, think about
software defined networking, software defined data center, et cetera”
“Everyone is using their own data centers and also using AWS … everyone
has a multi-cloud strategy… they have to play AWS off against GCP and
GCP against Azure for pricing reasons.”
“Cloud a few years ago was a VM, some storage, maybe a virtual database, maybe a load
balancer – now look at what the amazon menu looks like – Try taming this tornado!”
'There is no such thing as hybrid cloud – this is something VMware and Dell
and Cisco coined to fool enterprise buyers, most security vendors followed
their tune and 'cloudwashed' their solutions.”
“Our experience over last few years with our very largest customers (large financials, media
customers etc) is that they all have multicloud strategies – some say it’s to prevent lock-in: having
already been burned once by Oracle they are fearful of being tied to one vendor. That’s one
justification, but oftentimes people also want to hedge their bets when figuring out which vendor is
best suited for certain use-cases, for certain apps AWS is best, for others, where there are machine
learning objectives for example, GCP provides great out-of-box functionality.”
5 September 2017
Cybersecurity 31
Securing the Cloud The Cloud Holds Great Promise, and Great Security Risk
Traditional methods of IT delivery are internally oriented. (Applications run on an internal
datacenter and are accessed by a demarcated sedentary workforce.) The nature of this
architecture lends itself to a walled garden defense; build tall strong walls at the perimeter
and defend those walls carefully.
Figure 54: Traditional Methods of IT Delivery Have an Easily Identifiable, and
Therefore Defensible, Perimeter
Source: Credit Suisse Research.
The traditional IT architecture visualized above is rapidly giving way to cloud-oriented
distributed computing. Workloads are moving from defined processes executed within the
on-premise datacenter to transient and abstracted virtual activities; there is less ownership,
less visibility, and ultimately less control. However, the benefits are manifold; as we
discuss in our Industry piece (Software: Buy Aggregation, Avoid Aggravation), we expect
cloud adoption is likely to remain rapid, perhaps even surprising us by the speed at which
the enterprise transitions.
Gartner forecasts that 25% of corporate data traffic will bypass the corporate network
entirely by 2021, enabled primarily by cloud applications and infrastructure, in addition to
greater mobility (off-network work, corporate-owned laptops, branch offices, mobile
devices, etc.).
HQ
Internal
DatacenterInternal
Users
Branch Office Endpoint
Intranet
Internet
5 September 2017
Cybersecurity 32
The cloud, being by its very nature distributed, starts to dissolve the concept of network
perimeter. The traditional corporate network has a clearly defined, and therefore
defensible, perimeter. As workloads move out of data centers to cloud environments, it
becomes less clear at what point the bounds of the corporate network begin, and where
they end.
Figure 55: The Perimeter Becomes More Difficult to Define in a Hybrid Cloud World
Source: Credit Suisse Research.
This has not gone entirely unnoticed by CIOs and CISOs. In our recent survey, 63% of
respondents indicated they believed that public cloud environments are less secure than
their internal data centers.
Of the respondents, approximately 64% indicated that they would increase their security
spending as they move workloads to public cloud environments. We imagine some of the
opex and capex cost savings associated with the public cloud transition would shift toward
IT security budget.
HQ
Internal
DatacenterInternal
Users
Branch Office Endpoint
Internet
IaaS
PaaS
SaaS
5 September 2017
Cybersecurity 33
Figure 56: 63% of Respondents
Consider Public Cloud Environments
Less Secure than Internal Data-Centers
Figure 57: 64% of Respondents
Expect to Increase Their IT Spending
as Workloads Move to the Cloud
Do you consider public cloud environments as more secure than your internal data centers?
Do you expect to increase your IT Security spending if you move workloads to a public cloud?
Source: Credit Suisse CIO/CISO Survey. Source: Credit Suisse CIO/CISO Survey.
Our survey's findings are corroborated by Gartner, which found in its 2015-16 Security and
Risk survey that security in the cloud occupies pole positions in terms of both mind and
wallet share.
Figure 58: Cloud Security Holds Both Mind-Share and Wallet-Share with Enterprise Customers
Source: Gartner Security and Risk Management Summit, June 2016, “Top Take-Aways: 2015-2016 Security and Risk Surveys “, Khushbu Prata.
Yes37%
No63%
Yes64%
No36%
Invest
Interest
5 September 2017
Cybersecurity 34
Figure 59: Software SoundBytes Regarding Security in the Cloud
Source: Credit Suisse Research.
Software SoundBytesSecurity in the Cloud
Brad Zelnick
(212) 325 6118
“2-years ago we saw 90-95% physical appliances, today adoption of virtual appliances
in small and medium sized enterprises is as much as 30-35%”
“Typically when talking about total client security in the cloud, there are a number of security
exposures that you either don’t know exist, or don’t need to worry about on premise, and vice versa.“
“The paradigm is breaking, resources can be spun up and then down again before the
firewall is even up and running in the cloud.”
“I believe there will continue to be a place for firewalls in security architecture, but
the definition of Next Generation Firewall will have to evolve to include
microsegmentation, with capabilities from companies like Illumio and vArmour.”
“The world is moving to ‘infrastructure as code’, and I don’t believe there is a need for
Firewall or Next-Generation Firewall going forward.”
“Identity is key to security. It’s important because it drives security policy… don’t believe
that Microsoft will ever cede its position in identity.”
“I believe everything moves to cloud, and believe in Google’s BeyondCorp security model.”
“Like for like units are less expensive when consumed virtually … Even so, the cost of firewall vs
infrastructure on smaller deployments can sometimes be a multiple of infrastructure. This is highly
dependent on what workloads you are running, and where you are running them”
“We generally recommend extending the same security controls [customers] have in
place, but they’re not always fully comprehensive, so we also push for next
generation solutions to fill the holes. The most common solution here is CASB.”
“There is volatility in the consumption model … some of our customers don’t think that they
need as much security on their premise”
“Amazon works on a shared responsibility model: It takes control of the infrastructure from the
Hypervisor down; everything up is customer’s responsibility. If you are ever compromised in an
Amazon environment, you can’t hold Amazon accountable, but should anything go wrong that is
Amazon’s fault then they aren’t allowed to sue at all. They have a Teflon view of putting legality
around security. They will work with and certify third party security that can be brought into the
Amazon world but only hypervisor up.”
“What I like about public cloud is that workloads don’t need application protection. Plus
the inbuilt firewalls provided by Azure and AWS are good enough for most people”
5 September 2017
Cybersecurity 35
Spend Unlikely to Continue to Coalesce Around the Network
The question naturally becomes, where does this expanded budget manifest itself? Many
expect it to remain coalesced around the network and that firewall will remain an integral
part of the security stack. However, we believe that agile IT requires a new agile security
approach and that a reallocation of spend away from the perimeter is likely.
Figure 60: Spend Has Historically Coalesced Around the Perimeter, as Reflected
by the Cumulative Market Capitalization of the Three Key Firewall Vendors
Cumulative Market Capitalization over time
Source: Thomson Reuters Datastream, Credit Suisse estimates.
As enterprise data centers shift from rigid structures, with clearly defined perimeters and
boundaries, to become perimeter-less and software-defined, we believe traditional security
fails to address the agility, elasticity, and dynamism implicit to the cloud paradigm.
If you can deliver an application and run it in five minutes, you need to have the same
flexibility with the security surrounding the application; you can’t wait for the InfoSec team
to write custom rules and deploy a firewall.
Netflix, for example, spins up 4,000-5,000 new servers every Friday night. We believe it
has to be able to protect these workloads in an agile fashion that seamlessly scales and is
priced in the same way as it buys its compute: on-demand. In this environment, we
struggle to see how appliances maintain their historical relevance.
In addition, as Gary Newe, F5’s director of systems engineering, has pointed out, there is
a blatant mismatch between the destination of security spend and the real world attack
vector.
“Ninety percent of security budget is focused on the network perimeter, although only 25
percent of the attacks are focused on that point in the network.”
- Gary Newe, F5’s director of systems engineering
Agile Compute Demands Agile Security
In our view, the new security paradigm should mirror the new cloud computing paradigm in
that it is (1) on-demand, (2) borderless, (3) without hardware, (4) consumption model
pricing, and (5) scalable.
Traditional hardware approaches to security (appliances) fail on each of the above
accounts. Appliances require capacity planning, aren’t on-demand or scalable, are
predicated on rigid hardware, and assume the existence of defined borders.
We think a sub-set of innovative vendors stand to benefit; as enterprises shift from
physical to virtual IT, whether public or hybrid cloud, the priorities become scalability,
$0bn
$10bn
$20bn
$30bn
$40bn
1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016
Palo Alto Networks Fortinet Check Point
5 September 2017
Cybersecurity 36
managing who is granted entry in, and dynamically protecting workloads. Ultimately, there
is a need to secure applications and data and consumers of them, regardless of where
either resides. Security sub-sectors we expect will remain relevant include:
■ Security as a Service: We believe cloud-based security offerings that enforce policy
as an intermediary between the enterprise and the Internet via points-of-presence in
the network edge offer great promise to expand their capabilities to offer the entire
security stack as a service. Representative vendors include Zscaler, Cato Networks,
Akamai, and CloudFlare.
■ Cloud Workload Protection Platforms (CWPP): Recognizing that server workloads
differ fundamentally from end-facing endpoints, CWPPs offer network segmentation,
traffic visibility, configuration and vulnerability measurement, application control, exploit
prevention, and memory protection. Representative innovators include vArmour, Illumio,
Dome9, CloudPassage, and Carbon Black.
■ Identity and Access: Once considered a mature market, we think identity will become
increasingly instrumental and something many emerging cloud security vendors will be
wary of taking responsibility for themselves. Representative disruptive vendors include
Okta, CyberArk, SailPoint, BeyondTrust, and Foregerock.
■ Security Analytics: Regardless of paradigm, we believe security data still need to be
collected, stored, and correlated and therefore see security analytics as architecture
agnostic. We are positive on Splunk, having initiated with an Outperform rating and $80
target price, representing 19% upside potential.
■ Application Security: If the programmatic code itself is well constructed without
vulnerabilities, the surface area for attack is greatly reduced. As application workloads
are increasingly transient, it is increasingly important security be embedded within the
apps themselves. We see value in companies such as CA’s Veracode, Qualys, and
WhiteHat Security.
Ultimately, we would argue that should there be a current opportunity to, with a clean
slate, reimagine IT security in what is rapidly becoming a cloud-first world, an
appliance-centric perimeter defense is unlikely to be the conclusion drawn. We therefore
wonder if the $11bn (forecast to rise to $16bn by 2020) Network Security market is ripe for
displacement.
Beware Disaggregation
We are concerned by the risk of disaggregation faced by legacy vendors. (We explain how
this concept underpins our thinking at length in our industry report, Software: Buy
Aggregation, Sell Aggravation.) Given legacy vendors’ business models are grounded in
the premise of box sale with software attach, we fear the pressures involved in
disaggregating hardware from software will be painful and believe this will be a
deflationary architectural shift.
5 September 2017
Cybersecurity 37
Figure 61: How We Conceptualize the Evolution of IT and Security Architecture
Source: Riverbed, Cato Networks, Zscaler, Credit Suisse Research.
We Think This Transformation Is Yet to Be Clearly Understood by the Market
Our wide-ranging discussions suggest the security implications of the cloud remain to be
fully understood. We generally believe Gartner offers a view into the industry consensus:
'No useful level of consensus exists on what constitutes best practices for cloud security,
and as a result organizations struggle to determine which cloud control processes they
should apply' (G00296116)
Internet
Internet
IaaS
PaaS
SaaS
On-Premise architechure1995-2005
Hybrid Cloudarchitechure2005-2015
Multi-cloud, cloud-first architechure2015- 2025
IaaS
Internet
SaaS
Perimeter Defined Security
Enterprise data is mainly stored in on-premise datacenters
Regional offices are connected
to HQ via hub-and-spokeEast-West traffic tends to
dominate North-South trafficThe workforce is internal, immobile and sedentary
Perimter centric hardware oriented security infrastructure Mostly everything sits behind the corporate firewall
Point Solution Security
Some enterprise data is stored on-premise, some in the cloud
Branches access cloud data via
backhauling to secure networkEast-West traffic and North-South
are equally importantThe workforce is increasingly mobile, there are more endpoints
Hardware and software oriented security infrastructureNetwork perimter less defined as cloud/mobility increasesPoint solutions addresses perimiter breaks for cloud and mobility
Cloud Defined Security
A majority of enterprise data is stored in the cloudRegional offices access enterprise
data via the cloudNorth-South traffic dominates East-
West traffic
The workforce is extremely mobile and multi-device is the norm
Software, rather than appliances, dominate the security infrastructureSecurity as a Service means
security is built into the edge of the network
5 September 2017
Cybersecurity 38
Figure 62: Cloud Spend Is Forecast to Grow Rapidly
Market IT Spend, US$ in billions
Source: I.H.S. Markit, Credit Suisse estimates.
However, as cloud grows as a percentage of forecast IT spend, the forecast for cloud
security spend share of security budget is not forecast to rise as much.
Figure 63: The Cloud Security Spending Disconnect
Source: Gartner, Credit Suisse Research.
What seems clear, however, is that as the cloud continues to be adopted at an exceptional
rate, the debate about how to ensure security in the cloud will only increase in volume.
Endpoint Renaissance Reflects the Dissolution of the Perimeter
As of a few years ago, the corporate endpoint market has enjoyed a renaissance of sorts.
Very largely the result of cloud and mobile proliferation and the expansion/dissolution of
the network perimeter, endpoint security became more critical, as this is the point at which
the data reside unencrypted and are prone to poor user behavior such as clicking on
malicious links, and corporate data is more so than ever on devices connected to
unprotected networks. In a case of motive meeting opportunity, several disruptors in the
market advanced newer techniques for securing endpoints, seemingly one-upping the
traditional likes of Symantec, McAfee, and Trend Micro.
$28bn$41bn
$61bn
$93bn
$124bn
$163bn
$206bn
$249bn
$286bn
$0
$50
$100
$150
$200
$250
$300
$350
2012 2013 2014 2015 2016 2017 2018 2019 2020
Software as a Service (SaaS)
Platform as a Service (PaaS)
Cloud as a Service (CaaS)
Infrastructure as a Service (IaaS)
7.1%
9.3%
11.8%
14.4%
17.0%
19.2%
6.7%7.8%
8.8%9.8%
10.6% 11.3%
0%
5%
10%
15%
20%
25%
2015 2016 2017 2018 2019 2020
Spend on Cloud (IaaS, PaaS & SaaS) as % of IT budget
Spend on Cloud security as % of security budget
5 September 2017
Cybersecurity 39
Figure 64: Innovators Have Enjoyed Revenue
Growth…
Figure 65:… and Substantial VC Funding on a
Cumulative Basis
Endpoint Security Revenues Aggregate VC investment
Source: IDC, Credit Suisse Research. Source: CBInsights, Credit Suisse Research.
Okta’s Valuation Reflects Market Hunger for Security Disruptors
Okta listed at, and has maintained, an average EV/12m fwd sales multiple of 8x. We think
this market optimism around one of the few listed disruptive security vendors reflects
public market hunger for cybersecurity names away from firewall.
Figure 66: Okta Has Traded at an Average EV/Sales Ratio of 8x Since Listing
Okta, EV/12m fwd Sales, x
Source: Thomson Reuters Datastream, Credit Suisse estimates.
Release of Cloud Products from Traditionally On-Prem Vendors
Traditionally on-premise vendors have released a slew of cloud-based products aimed at
the hybrid audience. Examples include BlueCoat, Forcepoint (Websense), and most
recently Palo Alto Networks (GlobalProtect cloud service). We think this is reflective of the
reality of the architectural shift underfoot.
Venture Investment into Cybersecurity
Cyber security venture investments have been buoyant since 2013 with over 4bn USD
expected to be invested this year. The buoyancy shows no sign of abating; 1Q17 was the
highest Q1 on record in dollar terms and the highest quarter ever in terms of deals signed.
0
20
40
60
80
100
120
140
2012 2013 2015 2015 2016
Palo Alto FireEye Carbon Black
0
200
400
600
800
1,000
2011 2013 2015 2017
Tanium MalwareBytes Cylance Crowdstrike
6.0
6.5
7.0
7.5
8.0
8.5
9.0
9.5
10.0
May 2017 Jun 2017 Jul 2017 Aug 2017
Okta, EV/Sales Average, +/- 1stdev
5 September 2017
Cybersecurity 40
Figure 67: $4bn Is Forecast to Be Spent on Financing
Private Cybersecurity Companies This Year
Figure 68: 1Q17 Was the Highest Q1 on Record in
Dollar Terms and Highest Ever in Deals Signed
Cybersecurity Annual Global Financing History Cybersecurity Quarterly Global Financing History
Source: CBinsights, Credit Suisse Research. Source: CBinsights, Credit Suisse Research.
A Number of Scaled Private Companies
There are now a number of scaled private companies in the space that have received
press attention suggesting intentions to come to market. Should these disruptors become
public, we imagine their messaging during the listing process, and once public, will have
an edifying impact on investors.
5 September 2017
Cybersecurity 41
Figure 69: Software SoundBytes on The Relevance of Network Security
Source: Credit Suisse Research.
Software SoundBytesRelevance of Network Security
Brad Zelnick
(212) 325 6118
“We see security spend leaking into different areas. For example, NGFW had good growth
last year, but dropped off from 30-35% to the low 20s this year. The Next Generation
Firewall is no longer a key priority, and is becoming somewhat of a commodity.”
“Currently you still need a firewall for compliance reasons… Regulators are typically 5-7 years
behind what is going on – they all say there should be a firewall - therefore firewalls are still a driver
of spend, but the utility of them will reduce, it’s just the capacity conversation that will continue.”
“How you look at internal traffic is just as important as your edge traffic – for example
some may have Fortinet for edge but use Palo Alto Networks for internal.”
“I really don’t think the Fortinets, Palo’s etc will be the key winners: Our customers
struggle with buying security in a utility model or consumption model, their security guys
don’t do well in hourly usage models”
“Is there an existing brownfield opportunity to rip out an old firewall and put in a next
generation one? No that is very unlikely”
“I think pricing pressure could increase, we are seeing longer refresh cycles and
pricing pressure in this refresh, primarily resulting from competition”
“The hardware/software refresh cycle will diminish overtime but it will still be around.”
“Azure/AWS [security] is good enough for some of our customers.”
“What I like about public cloud is that workloads don’t need application protection. Plus the inbuilt
firewalls provided by Azure and AWS are good for most people”
“The downside risks to industry forecasts are competitive pressure, the extending refresh
cycle, transitioning to hourly consumption models and workloads increasingly being
protected by ‘good enough’ offerings from AWS/Azure.”
“The key areas to look at to talk about are analytics and endpoint, I have seen a clear
shift away from the pure play network security conversation”
“We will never not need some degree of network capabilities … the network will become the
Achilles heel to the enterprise, you still need to make sure your network is secure in a cloud world”
“We definitely think identity and encryption are higher priority than pure firewall – more of
our workloads in the cloud are transactional and don’t have same user component“
5 September 2017
Cybersecurity 42
Specific Challenges
The specific challenges faced from a security architecture standpoint depend on the type
of cloud strategy employed by the firm:
Hybrid Cloud – Combining Physical and Cloud Data-Centers
If an organization pursues a hybrid cloud strategy in which a portion of workloads will be
run on premise and a portion in the cloud, there is a need to connect the physical
hardware to cloud data-center. Two main architectural options exist:
Figure 70: Hybrid Cloud Adoption Is Significant According to Gartner
Source: Gartner, March 2016, n=1037.
(1) Connecting a physical firewall (open IPSEC VPN connection) to a native cloud
gateway (you VPN from your own premise to the cloud). This causes issues when
you have datacenters in multiple locations; you need to manage multiple policies,
and the on-premise firewall was not designed ground up to do this.
(2) Another option is to run a physical firewall on premise and then run the same
instance virtually in the cloud, connecting a VPN tunnel between the two. Most
vendors (Palo, CHKP, and FTNT) allow you to run this (but it's expensive, as you
need to pay for the firewall on premise and the firewall in the cloud. Again, these
firewalls weren't designed to run in this environment.
There is also the challenge of unpredictable Internet routing; if your physical datacenter is
in the United States and it needs to connect to an AWS datacenter in Europe, substantial
latency can be introduced.
Figure 71: There Is a Connectivity Trade-off in Datacenter to Cloud Connectivity
Source: Credit Suisse Research
36%40%
16%
7%
1%
Yes, using since2015 or earlier
Plan to be using byyear-end 2015
Plan to be using byyear-end 2017
No plans to use Don't know
5 September 2017
Cybersecurity 43
Multi-Cloud: Connecting One Cloud Datacenter to Another
Enterprises engaged in a multi-cloud strategy are presented with the challenge of securely
connecting different vendors to each other or datacenters hosted by the same vendor in
different regions.
You can think about multi-cloud as connecting two data centers from one cloud provider
across regions or as connecting two datacenters hosted by separate cloud vendors.
Neither is simple, the built-in management to the cloud instances isn't intuitive,
cross-region VPC peering isn't supported, and the VPN mesh configuration is difficult.
Even more complex is the true-multicloud environment, connecting cloud to cloud among
multiple vendors. Here there are multiple policies to manage, fragmented point solutions
from the native cloud tools, and a lack of consolidated visibility.
Figure 72: Connecting Cloud Data-Centers Figure 73: Connecting Different Cloud Vendors
Source: Cato Networks, Credit Suisse estimates. Source: Cato Networks, Credit Suisse estimates.
Connecting Branch Offices and Mobile Users to the Cloud
Another challenge, particularly for multinational corporations, is securely enabling branch
office connectivity. Trombone routing, in which the remote user, no matter their global
location, needs to VPN into the corporate network to access the Internet through the
organization's on-premise firewall.
Naturally a solution enabling direct access is highly preferable, and an increasing number
of vendors offer cloud-based services that act as an intermediary to enable secure
connectivity with reduced latency for the user and fewer potential choke points in the
security stack.
5 September 2017
Cybersecurity 44
Figure 74: Software SoundBytes regarding The Future of Security
Source: Credit Suisse Research.
The Last Transition in the Stack…
Thinking about enterprise IT architecture simply in terms of storage/compute, applications,
and perimeter, it's clear the traditional stack has been disrupted by AWS and other cloud
vendors and that the large applications vendors have been somewhat displaced by SaaS
offerings (Siebel to Salesforce). Without mincing words, it appears as if it’s the perimeter's
turn next.
Software SoundBytesThe Future of Security
Brad Zelnick
(212) 325 6118
“AMZN offers you a free of charge virtual networking –firewalling is built into this network.
Azure and Google also copied thesame concept.”
“Over the next 7-10 years traditional firewalls will cease to exist. If you can embed security around
workloads you don't need a firewall, there will be no more refresh cycles.”
“All cloud providers offer security functionality - but it’s not ready for enterprise
consumption.”
“The old world security model is to build castle, put guards on battlements, and dig moats. The New
world security model is to place bodyguards around critical workloads. Then have the solution scale
with workloads (add more bodyguards) and in the same way as body guards travel with the president,
have security follow the workload across physical, virtual, cloud and container environments”
“We had a well-defined market in terms of endpoint, network and cloud, these now
seem to be merging.”
“You need to spend about 10-15% of total cloud spend on security”
“Datacenters need to be segmented like a nuclear submarine. You need to be very careful
to segment nuclear warheads, and ensure they are separated from your bedroom. Equally
your toilet easily accessible from your bedroom, but not from your kitchen.”
5 September 2017
Cybersecurity 45
Figure 75: Security Moving into the Edge of the Network
Source: Cloudflare, Credit Suisse Research.
Netw
ork E
dg
eA
pp
lication
sS
tore/C
om
pu
te
Hardware/Software - Capex Services/Cloud - Opex
5 September 2017
Cybersecurity 46
Firewall—The Security Mainframe?
We Do Not View the Network Security Market as Growth
While our outlook for network security is less sanguine than the consensus view, we
believe that, like the mainframe, it is a platform that has durability and will be around for
years if not decades to come.
We appreciate the analogy has its limitations, but the thrust of our argument is that
firewalls are reliable workhorses and can be good businesses but are of declining
relevance as they become supplanted by other techniques and technologies. Bottom line,
we do not see the network security market en masse as a growth industry.
This is much the way the mainframe has been around for decades, is largely mature yet
very sticky, and today is a flat to declining business. There is cyclicality to both
mainframes and firewalls (product cycles and refresh cycles), and today the mainframe is
acknowledged to be a flat-to-declining business although with strong margins and
customer lifetime value.
Figure 76: CA's Mainframe Business Has Been in Decline, but Operating
Margins Remain Strong
CA Mainframe Solutions Segment, quarterly
Source: CA, Credit Software Research.
To be clear, we are comparing the future of firewalls (inclusive of UTM, NGFW, etc.) to
IBM’s System z mainframe business from the post dot.com era until today when it has
seen compounded annualized mid-single-digit losses (adjusted for cyclicality). To be clear,
we do not see this as the fate of firewalls in the near or even medium term but also
appreciate the firewall has been in existence for about 25 years vs. the mainframe, which
has been around for over 50 years.
0%
20%
40%
60%
80%
100%
0
100
200
300
400
500
600
700
2010 2011 2012 2013 2014 2015 2016
Expenses Operating Profit Operating Margin
5 September 2017
Cybersecurity 47
Figure 77: IBM z Systems Revenue Has Been in Decline for Two Decades
Source: IBM, Credit Suisse Hardware Research.
We further qualify our analogy to distinguish the firewall market from the mainframes of the
early 1990s when the category faced intense competition from distributed client/server
challengers and companies such as Compaq, Dell and, HPQ benefited greatly. While we
don’t foresee a similar precipitous decline in mainframe, we acknowledge this as
illustrative of what it can mean for being on the wrong side of a technology paradigm shift.
Is the shift to public cloud comparable to the adoption of distributed computing in the early
1990s? It’s a fair debate with compelling arguments on both sides.
Figure 78: IBM z Systems Revenues in the 1990s Illustrate the Ferociousness of
Being on the Wrong Side of a Paradigm Shift in the Technology Industry
Source: IBM, Credit Suisse Research.
Rather than take a firm stand, we instead acknowledge that IBM still exists today, and
while perhaps not a compelling investment in recent years, the company has stood the
test of time and has diversified very well away from the mainframe since the early 90s.
Many decades ago, the mainframe market was served by IBM and the seven dwarfs,
which included names such as Burroughs, Amdahl, and Honeywell. The only one left
standing is IBM, and while the revenue line for the mainframe might appear frightening,
the overall company diversified to drive growth, pretax income, and shareholder value
quite nicely from 1990 to 2015. The point being is that we expect companies such as
Check Point, Palo Alto, and Fortinet to evolve beyond what currently represents a very
high concentration of revenue for each. In fact they are all already moving in that direction,
but in our view, perhaps not quickly enough.
$3.1bn
$3.9bn
$3.9bn
$4.4bn
$3.6bn
$3.2bn
$3.6bn
$2.9bn
$4.1bn
$2.9bn
$3.3bn
$2.3bn$2.6bn $2.5bn
$2.7bn
$2.3bn
$1.8bn
$2.3bn
$1.7bn
$1.6bn1,000
1,500
2,000
2,500
3,000
3,500
4,000
4,500
5,000
1998 2000 2002 2004 2006 2008 2010 2012 2014 2016
System z mainframe revenue
0
2,000
4,000
6,000
8,000
10,000
12,000
14,000
1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000
IBM System z Revenues
5 September 2017
Cybersecurity 48
Figure 79: IBM Has Not Been an Attractive
Investment Relative Technology as a Whole Figure 80: IBM Relative to the S&P 500 IT
IBM = absolute, S&P = rebased to IBM at 01/01/1990 in millions, unless otherwise stated
Source: Thomson Reuters Datastream, Credit Suisse Research. Source: Thomson Reuters Datastream, Credit Suisse Research.
0
50
100
150
200
250
300
350
400
1990 1993 1996 1999 2002 2005 2008 2011 2014 2017
IBM S&P 500 Information Technology S&P 500
0
20
40
60
80
100
120
140
1990 1993 1996 1999 2002 2005 2008 2011 2014 2017
IBM relative S&P 500 InformationTechnology
5 September 2017
Cybersecurity 49
Sector Thesis
Other NGFW Tailwinds to Slow In addition to the overarching architectural challenges we believe face the firewall industry
as the world transitions to cloud, we consider five further meaningful headwinds to the
category:
■ Competition Is Set to Reaccelerate: A long-running theme has been easy
competitive wins for new entrants versus legacy competitors. Now that Juniper has no
share left to give, Cisco is getting its act together, and product parity is upon us, we
expect competition to meaningfully intensify.
Figure 81: Juniper Has Little Share Left to Donate Figure 82: Cisco Is Growing Security Rapidly
4Q rolling sum as share of total UTM and Firewall market Cisco Firewall & UTM y/y, quarterly, %
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
■ Changing Dynamics in the Cloud: Cloud transitions mean short-term revenue
headwinds that hold value for investors in terms of greater Customer Lifetime Value
(CLTV). We are concerned network security investors are unprepared for a revenue
headwind, and moreover, we expect this transition to be deflationary. While transitions
that consolidate adjacencies can be price accretive, we worry that virtualizing firewall
disaggregates adjacencies and expect price pressure in the transition to a metered
model (greater price transparency, opportunity for better capacity utilization, and
lowered switching costs).
Figure 83: Virtualizing Firewall Disaggregates the
Combined Hardware/Software Model
Figure 84: Consuming firewall either by subscription
or on-demand reduces excess capacity
Traditional revenue model (not to scale, for illustrative purposes only) Conceptual traffic patterns and savings, for illustrative purposes only
Source: Credit Suisse Research Source: Credit Suisse Research
0%
10%
20%
30%
40%
50%
60%
70%
80%
2002 2004 2006 2008 2010 2012 2014 2016
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper 23%
-40%
-20%
0%
20%
40%
60%
2003 2005 2007 2009 2011 2013 2015 2017
2 3 4 51
Maintenance/support
Subscription
Year
Hardware
portion
of product
Up
-fro
nt
pro
du
ct
co
st
Jan Jan Mar Apr
Saved in Subscription pricing model
Saved in cloud virtual pricing model
5 September 2017
Cybersecurity 50
■ TAM Expansion Is Finite: The revenue preservation strategy of platforming is limited
by what remains to be consolidated onto the next-generation firewall and the ceiling for
consolidated product demand. We believe years of easy consolidation are likely at an
end and, therefore, so are the vendor benefits of feature consolidation: (1) TAM
expansion, (2) attach tailwind, (3) unit gravity. In addition, the relative scale of whatever
might be consolidated is much smaller than in the past due to the overall TAM having
already become significantly larger.
Figure 85: Many Point Solutions Have Already Been
Consolidated onto NGFW
Figure 86: UTM/NGFW already Accounts for in
Excess of 50% of the Security Appliance Market
Size of bubble represents size of TAM (not to scale, for illustrative purposes only)
Security appliance market share by revenues
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
■ SSL Decryption Is Not the Tailwind People Anticipate: Enterprises have been
upsizing to appliances with higher throughput in order to decrypt rising levels of SSL
encrypted traffic. We expect this tailwind to taper as the rate of increase in encrypted
traffic decelerates. Furthermore, we expect an increasing amount of decryption to be
done off-box by visibility appliances available from the likes of Gigamon and
Metronome (now Symantec).
Figure 87: Around 75% of browsing time is spent on
SSL encrypted sites on Chrome
Figure 88: The Majority of Traffic Occurs Within the
Same Datacenter and Doesn't Require Encryption
Chrome browsing patterns Traffic distribution
Source: Google, Credit Suisse estimates. Source: Cisco VNI, Credit Suisse estimates.
■ Shifting Spend from Protection to Detection and Response: As enterprises have
been conditioned to accept the inevitability of breaches despite investment in
protection, there has been a shift in security budgets to detection and remediation
capabilities. We expect that this shift continues and will be a disproportionate
headwind for network security players despite many having elements of detection and
response in their portfolios.
Number of features
consolidated
Time
Core
Firewall
Core
Firewall
& VPN
Core
Firewall
& VPN
& WAF
Core
Firewall
& VPN
& WAF
& IDP
Core Firewall
& VPN
& WAF
& IDP
& AV
& DLP
Unified Threat Management (includes Next
Generation Firewall)
VPN
Content Management
IPS
Firewall
52%
16%
12%
18%
70%73%
75%78%
81%83%
45% 46%
54%57%
60%57%
66%68%
71% 70%74%
30%
40%
50%
60%
70%
80%
90%
Mar '15 Jul '15 Nov '15 Mar '16 Jul '16 Nov '16 Mar '17 Jul '17
Percentage of pages loadedover HTTPS in Chrome
Time spent browsing SSLencrypted sites on Chrome
Data center to user
Data center to data center
Within data center
14%
9%
77%
5 September 2017
Cybersecurity 51
Figure 89: Enterprise Security Spend Shifting
Rapidly to Detection & Response
Figure 90: EDR Market Forecast to Grow ~17x the
EPP Market
% of Enterprise IT Security Budget Dedicated to Detection & Response
Endpoint Detection and Response (EDR) market vs Endpoint Protection Market (EPP)
Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research. Source: Gartner, CS Communications Infrastructure Team, Credit Suisse Research.
10%13%
18%23%
30%
39%
50%
60%
0%
10%
20%
30%
40%
50%
60%
70%
2013 2014 2015 2016 2017 2018 2019 2020
2013-2020 CAGR = 29.2%
3,166 3,249 3,333 3,420 3,509 3,600
238 640 797 9931,236
1,540
0
1,000
2,000
3,000
4,000
5,000
6,000
2015 2016 2017 2018 2019 2020
EPP
EDR
5 September 2017
Cybersecurity 52
Competition to Reaccelerate
Cisco Is Getting Its Act Together, and Juniper Has No Share Left to Give
When thinking about competition in the firewall space, five key players hold the largest
revenue share of combined Firewall and Unified Threat Management (our preferred
method of considering the market).
Check Point, Cisco, Palo Alto Networks, Fortinet, and Juniper together share
approximately two-thirds of the market and are also (with the exception of Juniper)
considered highly in Gartner's Enterprise Network Firewall Magic Quadrant.
Figure 91: CHKP, CSCO, PANW, FTNT, and JNPR
Share Around Two-Thirds of the Market…
Figure 92: … and Occupy Prime Positions in
Gartner's Enterprise Network Firewall
Firewall and UTM Revenue by Vendor 2015 Red arrows indicate directional 2y momentum
Source: IDC, Credit Suisse estimates. Source: Gartner, Credit Suisse Research.
Cisco and Juniper have ceded share to the market over the past several years. This trend
has been a clear tailwind for FTNT and PANW, which have benefited from easy
competitive wins upon refresh against uncompetitive product offerings. While Check
Point's market share has remained remarkably stable through this period, industry
commentary suggests it has likely lost some of its installed base to PANW, which seems
to have been made up for by winning old JNPR and CSCO business.
Using the annual position on Gartner's magic quadrant as a proxy for product quality
momentum, it seems market share trends have been driven, at least to some extent, by
product differentiation. From first inclusion in the magic quadrant as a visionary in 2010,
PANW has seen significant upward momentum, leading the quadrant on completeness of
vision each year to 2015 (when it was overtaken by CHKP). Interestingly, there has been
some downward momentum, notably from 2016 to 2017.
Through the same time period, JNPR has slipped from best to worst among the five, and
CSCO suffered significant negative momentum before ticking up this year (in-line with our
thesis). FTNT has seen positive momentum to be recognized as a leader this year, and
CHKP is the only vendor to have maintained a leadership position each year since the
Magic Quadrant was first introduced over a decade ago in 2006.
Check Point
Cisco
Palo Alto Networks
Fortinet
Juniper
Sophos
Dell
Huawei2%
WatchGuard2%
Leadsec2%
Other
18%
16%
14%11%
5%
4%
4%
22%
Worldwide Firewall and UTM Revenue
$7.6bn
5 September 2017
Cybersecurity 53
Figure 93: Of the Major Players, Cisco and Juniper Have Been Share Donors to
Check Point, Fortinet, and Most Noticeably Palo Alto Networks
4Q rolling sum as share of total UTM and Firewall market
Source: IDC, Credit Suisse Research.
Figure 94: Product Quality Has Tracked Share
Transitions, with PANW Gaining MQ Momentum as
JNPR and CSCO's Dwindled
Figure 95: CHKP Is the Only Vendor to Have
Maintained a Leadership Position, While FTNT Has
Enjoyed Increasing MQ Momentum
Estimated based on 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Magic Quadrants
Estimated based on 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Magic Quadrants
Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research
0%
10%
20%
30%
40%
50%
60%
70%
80%
2002 2004 2006 2008 2010 2012 2014 2016
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper
Cisco
Juniper
Palo Alto
Check Point
Fortinet
5 September 2017
Cybersecurity 54
We think this tailwind for PANW, FTNT and CHKP is set to significantly slow for the
following key reasons: (1) Juniper has no NetScreen share left to give, and its SRX line is
now competitive; (2) Cisco is getting its act together in its security portfolio; and (3) we
think the market is at product parity, meaning pricing may have to come down.
(1) Juniper Has No NetScreen Share Left to Give, and SRX Is Competitive
Juniper bought NetScreen for $4bn in stock in 2004. Founded by Ken Xie in 1996,
NetScreen was the original (and then only) vendor of high throughput ASIC-based
appliances. Mr. Xie left the company in 2000 to found ASIC-based competitor Fortinet.
Under the stewardship of Juniper, underinvestment in R&D and lack of strategic direction
resulted in multiple quarters of revenue declines in a growing industry, resulting in
substantial market share loss.
Figure 96: Juniper's Security Business Has
Declined over 50% from Its Peak in Revenue Terms
Figure 97: … and If We Look at Cumulative Share, It
Appears There Is Little Left for Juniper to Donate
Revenue, 4Q rolling sum, $m Cumulative share, 4Q rolling sum, %
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
NetScreen specifically has seen precipitous declines; after reaching a peak share of 7%
market in late 2008, Netscreen now accounts for only 0.07% of combined Firewall and
UTM sales.
Figure 98: Netscreen Revenue Has Fallen
Precipitously from Its 2010 Peak…
Figure 99: … Driven by Sustained Periods of -50%
Growth, Reflecting the Refresh Dynamic
Revenue, 4Q rolling sum, $m Quarterly revenue growth, y/y, %
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
0
100
200
300
400
500
600
700
800
2002 2004 2006 2008 2010 2012 2014 2016
VPN UTM IDP Firewall
0%
10%
20%
30%
40%
50%
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
VPN UTM IDP Firewall
0
20
40
60
80
100
120
140
160
180
200
2004 2006 2008 2010 2012 2014 2016
Netscreen
-60%
-40%
-20%
0%
20%
40%
60%
80%
100%
120%
140%
2004 2006 2008 2010 2012 2014 2016
Netscreen
5 September 2017
Cybersecurity 55
Periods of very significant decline in 2010 and 2013-14 are reflective of how the refresh
dynamic can present an opportunity for competitors, in this case Fortinet and Palo Alto
Networks, to take share during the cycle. As evidenced below, the NetScreen brownfield
opportunity is now much reduced.
Gartner suggests that, despite serving incumbent Juniper infrastructure customers well,
SRX is displaced more often than it enjoys competitive wins (Enterprise Network Firewall
Magic Quadrant 2017). While this suggests SRX is uncompetitive, we don't expect Juniper
to remain a material share donor via SRX in the coming refresh cycle for three reasons:
■ SDSN Message: Juniper's evolving message of Software-Defined Secure Threat
Protection, which aims to integrate security into the network, resonates with us given
our view of shifting sands in best-practice security architecture.
■ Network Clients Are Sticky: Despite a perception that Juniper lags competitors in
innovation and new feature releases, the synergy for some enterprises between
network and security integration should result in some stickiness.
■ Commitment to Security: We think that Juniper appears to be following a Cisco-
esque path in its messaging around the security business. Mather Hurley, VP of Global
Channels, said recently 'Juniper is completely committed to the security business. We
are open to competing again with the industry vendors. We take pride in Juniper's
innovations across networking and security solutions over the years. We have
relaunched a brand new roadmap in the security space, from low end firewalls that
goes right up the stack.' (CSO India, see here.)
Figure 100: Juniper's SDSN Ecosystem
Source: Juniper Networks.
5 September 2017
Cybersecurity 56
(2) Cisco Is Getting Its Act Together in Security
Security has been a focal point within Cisco's strategy for the past several years, and we
believe its investments are starting to yield meaningful results.
How Has Cisco Changed Direction in Its Security Business?
David Goeckeler (SVP, GM Networking & Security) said in late February 2017 that he was
charged around five years ago (early 2012) with taking a look at the security business, as
Cisco wanted to 'invest more in this space. [Understand] what's the architecture going to
be? … [and] build out a best-of-breed portfolio.'
Perhaps following Mr. Goeckler's review, it was widely reported in December 2012 that
John Chambers (then CEO) had given Chris Young (then head of security) a blank check
to turn around the security business. This check was written in mid-2013 when Cisco paid
$2.7bn in cash to purchase Sourcefire (a premium of c30% to the pre-announcement
closing price).
Figure 101: Sourcefire Revenue by Product Brand Pre-Acquisition
SourceFire revenue by product brand, 4Q rolling sum, $m
Source: IDC, Credit Suisse Research.
Following this integration, Cisco has focused heavily on a re-alignment of its security
strategy. Messaging and product offerings alike have increasingly focused on moving
security beyond the firewall and questioning the notion of perimeter-based security in a
cloud-first world with a dissolving network edge.
Cisco has positioned itself as the natural security vendor in this world of expanding attack
surface area; by virtue of seeing the network, Cisco arguably has an enhanced ability to
capture holistic information, therefore better understanding where threats exist and
pushing targeted policy to address them back into the infrastructure.
"the network's never been more relevant. I talked about how they're building up their
infrastructure, very distributed in ways. We're managing hundreds of thousands of devices
today, and they have to be ready to manage a million or more by 2020. And I think that,
that is why this automation and analytics capability in the security built into the
network is so important. The third is we continue to have our customers looking for us to
help them really build out the secure intelligent platform that spans across this multi-cloud
environment for their digital business. And I think that our security results, all the number
of new customers embracing the technology, I think, is indicative of how they're buying in
this new architecture.”
– Chuck Robbins, CEO, 16th August 2017
0
40
80
120
160
200
2002 2003 2004 2005 2006 2007 2008 2009 2010
Sourcefire 3D Sensor RNA 3D8000 Series 3D7000 Series IPSx
5 September 2017
Cybersecurity 57
An analysis of CSCO's evolving acquisition strategy gives credence to our view that the
security segment is viewed as strategically significant and that product has pivoted away
from the perimeter toward the cloud.
■ Strategic Significance: Cisco's acquisition history shows cumulative total disclosed
expenditure of $6.8bn across 20 deals in the security segment since 1995. Roughly
80% of the disclosed dollar activity and 43% of the deal activity have been in what we
call the blank check era, speaking to the strategic significance of the segment.
■ Pivot Toward the Cloud: The most recent acquisitions of CASB CloudLock,
OpenDNS with its suite of cloud security products, Lancope with its Stealthwatch
network visibility and enforcement capabilities, and most recently security analytics firm
Observable Networks underline the shifting focus toward Cloud Security at Cisco.
Figure 102: Cisco Has Acquired Heavily in the Cyber Security Space, Especially
During What We Call the Blank Check Era
Source: Crunchbase, Credit Suisse Research.
The increasing depth of Cisco's security offerings is a key part of the strategic roadmap,
and we also believe a tax reform scenario could see major balance sheet unleashed. In a
repatriation environment (assuming 10% repatriation tax) and allowing for tuck-in M&A and
an incremental buyback, as much as $10-20bn may be available for transformative M&A.
Date Name Business Cost ($)
27 Oct 1995 Network Translation Firewall $30
24 Jun 1997 Global Internet Software Group Firewall $40
18 Feb 1998 WheelGroup Intrusion detection $124
12 Mar 2004 Twingo SSL & VPN $5
22 Mar 2004 Riverhead Networks Distributed denial of service $39
21 Oct 2004 Perfigo Network endpoint security $74
20 Dec 2004 Protego Networks Network security $65
27 Feb 2005 Netsift Network security $30
26 May 2005 FineGround Networks Enterprise web security $70
29 Nov 2005 Intellishield Security reporting -
14 Jun 2005 M.I. Secure Corporation VPN $13
06 Jul 2006 Meetinghouse Network access control $44
04 Jan 2007 IronPort Email and web security gateway $830
27 Oct 2009 ScanSafe Malware analysis $183
05 Jan 2010 Rohati Systems Datacenter security -
16 Jul 2012 Virtuata Software security -
20 Nov 2012 Meraki Cloud-based security $1,200
29 Jan 2013 Cognitive security AI for threat detection -
07 Jul 2013 Sourcefire Network security and intrusion detection $2,700
21 May 2014 ThreatGRID Malware analysis -
10 Dec 2014 Neohapsis Security consulting -
13 Apr 2015 Embrane Firewall, VPN, SSL, LB -
30 May 2015 OpenDNS Cloud-delivered enterprise security service $635
30 Sep 2015 Portcullis Enterprise and government security -
15 Oct 2015 Pawaa Integrated file encryption -
27 Oct 2015 Lancope Threat detection and response $453
28 Jun 2016 CloudLock Cloud-Security Provider $293
17 Jul 2017 Observable Networks Network Behavior Monitoring -
Total disclosed $6,827
'Blank Check' era total disclosed $5,281
5 September 2017
Cybersecurity 58
Figure 103: Cisco Has Among the
Highest Absolute Levels of Offshore
Cash…
Figure 104: …and Offshore Cash as a
Percent of Market Cap Is Among the
Highest Too
Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse Research.
Cisco Firewall Offering
Specifically in Firewall, Cisco now has three key product lines: the Cisco Firepower NGFW
that includes all new releases, the older ASA (Adaptive Security Appliance), and the
Meraki range for SMBs. In sum, these appliances account for around two-thirds (c.$1.2bn
LTM revenue) of Cisco's security revenue on IDC data.
Figure 105: Firewall and UTM Appliance Sales Stood
at $320m Last Quarter, a c.$1.3bn Run Rate
Figure 106: Firewall and UTM Constitute 65% of
Cisco's Security Business's Revenues
Cisco Firewall & UTM quarterly revenues Cisco revenue, 4Q rolling sum, $m
Source: IDC, Credit Suisse Research. Source: Company data, Credit Suisse estimates.
We also see Cisco expanding its offerings and moving toward software and cloud-based
solutions, as it continues to do tuck-in acquisitions in the space (such as the recently
completed acquisition of Observable Networks).
Investment on the Brink of Payback
We think there are multiple signs to suggest that Cisco's five-year investment in its security
business is on the cusp of paying dividends.
■ Better Product: Cisco has enjoyed excellent momentum toward the leader's quadrant
on Gartner's Enterprise Network Firewall magic quadrant over the past five years. We
think this reflects genuine product improvement and note other corroborative data
points; for example, Cisco stated it has successfully reduced time to detection from 46
hours two years ago to 8.5 this year. We think this measure of how long does it take to
find a threat actor who got past all other defenses is increasingly important in the
context of mandated reporting periods enforced by regulation such as GDPR.
0
50
100
150
200
250
AA
PL
MS
FT
CS
CO
OR
CL
GO
OG
L
QC
OM
INT
C
AM
ZN
HP
E
IBM
HP
Q
NT
AP
0%
10%
20%
30%
40%
NT
AP
CS
CO
QC
OM
AA
PL
OR
CL
HP
E
MS
FT
HP
Q
GO
OG
L
INT
C
IBM
AM
ZN
0
50
100
150
200
250
300
350
2002 2004 2006 2008 2010 2012 2014 20160
200
400
600
800
1,000
1,200
1,400
1,600
1,800
2,000
2002 2004 2006 2008 2010 2012 2014 2016
UTM
Firewall
IDPVPN
5 September 2017
Cybersecurity 59
Figure 107: Cisco Has Seen Momentum Toward the Leaders Quadrant
Source: Gartner, Credit Suisse Research.
■ Growth & Share Gain: Cisco has achieved two quarters of >20% growth. This growth
has been sufficiently in excess of the market that Cisco has regained 3.2p.p. of market
share relative to 1Q16. Over the past 15 years, we have observed only four instances
in which Cisco has grown its security offerings at this pace, with the last time being
over five years ago in 2012.
■ Channel Momentum: Our field conversations corroborate that Cisco's product
offerings are increasingly successful in competitive situations. In addition, Gartner sees
Cisco firewalls on an increasing number of shortlists, and sees continued momentum
for the Cisco Security Enterprise License Agreement (ELA). While a security or
collaboration ELA has been traditionally offered, consolidating these silos (security,
network infrastructure, computing and storage, and collaboration and video
conferencing) in a single ELA was first introduced in May 2017.
5 September 2017
Cybersecurity 60
Figure 108: Cisco Has Achieved Two Quarters of
>20% Growth in Its Firewall and UTM Segments…
Figure 109: … This Above-Market Growth Has
Resulted in a Tick-up in UTM/Firewall Market Share
Cisco Firewall & UTM y/y, quarterly, % Cisco market share, Firewall and UTM, %
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
Ultimately, we think that Cisco's five-year investment in its security product suite is likely to
be a driver of increased competition in the network security market for the foreseeable
future.
This view appears to be shared (and relished) by management at Cisco; David Ulevitch
(SVP/GM of Cisco's Security Business, previously CEO of OpenDNS) has remarked on
the record that he views the refresh cycle referenced by Fortinet and Palo Alto Networks
as a clear opportunity for Cisco:
'…We think that their [PANW’s] refresh, which is their first refresh at scale that they've
ever gone through, is our refresh opportunity. And so, we're focused on making sure that
our partners and our channel are really able to understand exactly the benefits of the
Cisco's architectural advantage and that where our product portfolio is to be as
extraordinarily competitive as possible. They are squarely in our crosshairs.'
- David Ulevitch, 06/06/2017
23%
-40%
-20%
0%
20%
40%
60%
2007 2009 2011 2013 2015 2017
10%
15%
20%
25%
30%
2007 2009 2011 2013 2015 2017
1Q17 growth saw market share tick up to
2015 levels
5 September 2017
Cybersecurity 61
Figure 110: Software SoundBytes Regarding Cisco
Source: Credit Suisse research.
(3) Product Parity Is Upon Us; Does Price Competition Come Next?
The firewall market is saturated and thus driven by refresh cycles of roughly five years.
This results in linear, as opposed to lumpy, share transitions. We think of the last refresh
cycle as characterized by remarkable share gains from innovators, most notably Palo Alto
Networks. This was very much a result of product differentiation, Palo Alto Network's
highly innovative granular application control in particular enabling a successful land-and-
expand market approach.
Since then, the product offerings of most major vendors have, in our view, converged. Our
field conversations and broader research suggest that Fortinet and Check Point have
caught up with, if not over-taken, Palo Alto.
“We recommend Cisco more than CHKP. They have done a great job with their acquisitions.”
Software SoundBytesCisco competition
Brad Zelnick
(212) 325 6118
“In my opinion a lot of people don’t realize how comprehensive Cisco’s cyber security offering
is—they have threat intelligence, firewall, etc. Cisco recently also announced integration on
almost all of their cyber products together. They can bring in solutions for switching, routing
right through to cyber security. Because it’s Cisco, they can bundle it all together.”
“We think of Check Point as number one, although we have a bigger base in Cisco, we don’t care for
its products – they don’t stack up well to Check Point and Palo Alto, but they remain kind-of-the-turf,
and its their datacenter at the end of the day. Overall we would rank Check Point first, followed by
Palo Alto, then Cisco and Fortinet last.”
“We are selling umbrella, and we are selling SourceFire. But we are doing it not at CHKPs
expense, we haven’t replaced a CHKP. However we have replaced Palo and Fortinet.”
“We never used to have Cisco as part of a true security strategy, now we do and are waiting to see this play
out. I think there will be some serious showdowns between Cisco and Vmware, with VMware partnering up
with Palo Alto. We are seeing it in enterprise accounts, there is a competitive bake off. Lots of companies
want to do network segmentation and use SDN to do that, and then it becomes a security play.”
“Cisco are self-aware on the health of their core business, and think about Security as a big
driver of all of it. At a high level they expect security to be increasingly outsourced, and
solved as a managed service over time, coupled with cyber insurance”
“Cisco gave a 58% discount and 2 years of free SmartNet on a deal worth over 20m dollars”
“Palo Alto are facing their first major product refresh now, and it is an opportunity for Cisco as well”
“Acquisition of SourceFire and open DNS has really changed things. Open DNS has been more
impactful than probably anything else, it is a very hot topic of conversation, they call it an umbrella
now. They also claim that nobody else can do this, I personally don’t believe that, there is rarely a
product that nobody else can imitate. Our Cisco security business has grown substantially.”
5 September 2017
Cybersecurity 62
NSS Labs corroborates our view, and Gartner now believes that, 'in effect, all vendors in
the enterprise firewall market have ... next-generation firewalls (NGFWs); in essence,
there is no longer a next-generation in the firewall market' (Enterprise Network Firewall
Magic Quadrant 2017, Gartner).
Figure 111: NSS Labs Next-Generation Firewall Security Value Map
Source: NSS Labs.
In terms of consolidated feature capabilities, there is also parity among the major vendors.
Figure 112: In Terms of Consolidated Features, There Appears to Be Parity
Among the Major Vendors
Source: Anitian, Credit Suisse Research.
We agree with David Goeckeler (Cisco SVP/GM Networking and Security) that IT security
is going to always remain a market driven by innovation due to the active nature of the
adversary. However, we struggle to imagine the next generation of security innovation to
be firewall, or even appliance focused. Should competition continue to increase, and
product parity endure, the natural conclusion is increased potential for commoditization
and price pressure.
FW VPN IPS AV WF App Email DLP
Checkpoint a a a a a a a aCisco a a a a a a a aFortinet a a a a a a a aJuniper a a a a a a a ✕
Palo Alto a a a a a a ✕ aSonicwall a a a a a a a aWatchguard a a a a a a a a
ProductFeature
5 September 2017
Cybersecurity 63
Figure 113: Software SoundBytes Regarding Product Parity
Source: Credit Suisse Research.
Software SoundBytesProduct Parity
Brad Zelnick
(212) 325 6118
“It’s all getting commoditized, now it’s all about SLAs… I don't care whose
labels are at my perimeter”
“It used to be that 'my tools are better than yours' and this would drive the competitive process, now the product
is commoditized and so we are reaching a place where vendors will compete on price rather than product.”
“There is undoubtedly less product differentiation… The key
differentiation is on the platform side”
“We see security spend leaking into different areas. For example, NGFW had good growth
last year, but dropped off from 30-35% to the low 20s this year. The Next Generation Firewall
is no longer a key priority, and is becoming somewhat of a commodity.”
5 September 2017
Cybersecurity 64
Cloud Transition
Transitionary Challenges Await Incumbents in a Successful Adaption Scenario
Even if we imagine the incumbent vendors strategically align themselves successfully with
what, in our view, represents the future of security infrastructure, we still expect them to
face transitionary challenges.
■ Top Line: Firstly, and perhaps most obviously, we don't think investors are prepared
for the large firewall names to face the revenue headwind inherent in a transition to
cloud.
■ Pricing: Secondly, and less obviously, we don't believe the market to be fully
cognizant of the deflationary pressures we expect cloud to exert on firewall. We believe
this to primarily result from this being one of the few examples of a cloud transition that
disaggregates (rather than aggregates) adjacencies.
Contextualizing a Traditional Cloud Transition
■ Short-Term Revenue Headwind Due to ACV Decline: The transition from a
license/maintenance business model to subscription cloud model is well known to
result in a short-term revenue headwind. This is a result of selling new customers, and
transitioning renewing customers, onto subscription contracts that tend to have a lower
annual contract value (ACV) but a greater customer lifetime value (CLTV). It is argued
there is value for shareholders who look through the near-term top-line pressure to
enhanced CLTV. Oracle's comments around its most recent quarter highlight this:
'Total cloud revenues totaled $4.7 billion, growing 68%. On-premise software declined 1%
to $25.6 billion as the 3% growth rate in software support was offset by cloud-related
declines in new software license, which were down 11%... Over the full year of FY '18, I
expect continued high growth in cloud revenues, with cloud revenues materially
surpassing new software license revenues.'
– Safra Catz, Oracle 4Q17 Earnings Call,
6/21/2017
Figure 114: Adobe's Guide to Its Cloud Transition’s
Near-Term Revenue Headwind in 2013…
Figure 115: … and the Actual Results as Reported
Showing Successful Execution
Adobe 2013 Analyst Day Creative Product Family Revenue guide Adobe reported Creative Product Family Revenue Guide
Source: Adobe, Credit Suisse Research. Source: Adobe, Credit Suisse Research.
~$2bn
FY12A FY13E FY14E FY15E FY16E
Su
bscri
pti
on
Revenu
e
Perp
etu
al
Revenu
e
$2.3bn
$1.9bn $1.8bn
$2.3bn
$3.2bn
FY12A FY13A FY14A FY15A FY16A
$28
$103
ADBE share price
5 September 2017
Cybersecurity 65
■ Consolidating Adjacencies Results in Greater CLTV: Cloud transitions tend to
consolidate adjacencies. Taking Oracle Database as a Service (DBaaS) as an
example, traditionally the enterprise would have bought a database license to host the
software on its own infrastructure; purchasing DBaaS shifts the responsibility for
hardware, power, cooling, maintenance, etc. to the vendor, therefore consolidating the
various total cost elements. From a price perspective, this drives the greater CLTV that
delivers value to the customer and ultimately shareholder.
'…When a customer who's on-prem paying us support moves to the cloud, they pay us
more money. They don't pay us 1:1, they don't pay us 2:1, they pay us more like 3:1. In
some cases, more than 3:1. In some cases, we also get the attach of platform … and that
is not included in the 3:1 that I'm giving you.'
– Mark Hurd, Oracle 4Q17 Earnings Call, 6/21/2017
Why We Are Concerned That Firewall Might Not Be as Successful…
We think that the key value component for investors in a cloud transition strategy is the
ability to look through the near-term revenue headwind toward the potential for CLTV
enhancement and revenue visibility implicit in subscription. The CLTV enhancement itself
results from adjacency consolidation and TAM expansion.
We (1) struggle to believe investors are yet fully prepared to look through a short-term
transitionary revenue headwind for incumbent firewall vendors, and (2) struggle further to
be convinced that this transition would be accretive to CLTV rather than deflationary.
The Market Is Underprepared for Any Revenue Headwind
Previous successful cloud transitions have relied on clear messaging from management to
the investment community. As yet, we have seen no signs of this; instead, management at
Check Point, Palo Alto Networks, and Fortinet continue to communicate that the market
should expect cloud to be incremental rather than cannibalistic.
Check Point Comments Around Its vSec Virtual Edition
Credit Suisse Interpretation of CHKP Messaging: (1) Cloud is incremental in most
cases; (2) there will always be a physical network and therefore demand for appliances;
and (3) cloud means more traffic, meaning you need more aggregate throughput.
'… I haven't seen that the cloud is changing a lot of customers' behavior of their physical
network. We still have physical network, we still need to secure them, sometimes they
need to connect them to cloud, which means that they need some appliances or some
devices to do the VPN through the cloud. The cloud in most cases, again not all of them,
but in 99% of the cases is an extension and expansion for the existing network.'
– Gil Shwed, CEO, 04/27/2017
'It's additive in most of the cases… So, just like you have if you had the 4,000 offices
around the world, now you have 4,001. You need another gateway, right? It might not be
physical one. It might be a virtual one. You still need to manage it.'
– Tal Payne, CFO, 11/15/2016
'We see it as an incremental long-term and short-term.… once you start going up into the
cloud, there's many different ways you can get your employees up to the cloud to use
those applications. Sometimes it's going through a direct connect through your data center,
so you still have to have a data center, or you're going to have to do SSL connections from
your perimeter. And in that case, you're going to need bigger boxes because you're going
to have more traffic, and that's not going to stop. So, besides that, and then having it in the
cloud, everything that we come up with is incremental.'
– Kip Meintzer, VP Investor Relations, 03/06/2017
5 September 2017
Cybersecurity 66
Palo Alto Comments Around Its VM-Series Product
Credit Suisse Interpretation of PANW Messaging: (1) Cloud is additive, (2) customers
want feature parity and consistency between virtual products and on-premise appliances,
and (3) more workloads moving to the cloud mean more opportunities to sell virtual
firewalls.
'… So far, and we think this will continue into the future. We've seen the cloud in general
and then our VM-Series and other cloud aspects like Aperture be additive. So we think
that's a lead provider for us and a growth provider for us for new use cases'
– Mark McLaughlin 05/31/2017
…we view the cloud as additive to us. We are helping our customers work through
architectural decisions that are both on-prem and cloud and we view this as positive.
- Steffan Tomlinson, 12/07/2016
'We view moving workloads to the cloud as incremental for our business. The fact that
companies want to have a consistent security policy to manage on-prem devices, plus
their cloud workloads, accrues to our benefit. Because we have virtualized our firewall a
number of years ago to have full feature and functionality of a next-generation firewall but
in a virtual form factor.'
– Steffan Tomlinson, 09/14/2016
'So when you think of a cloud, there is the going to and coming from the cloud
infrastructure that we deliver, but also what goes on in that cloud itself. Now, this is
typically big [iron]. That's a big machine that sits between the cloud and target. But in that
cloud, you have thousands of little machines that have to be protected, which is a great
opportunity for us to sell thousands of virtual firewalls, VM-Series firewalls, into those
infrastructures.'
– Rene Bonavanie 09/28/2016
'… our VM-Series [delivers] the traditional form factor of hardware in a software model for
deployment in virtual either public, private, or hybrid models. And that's also a mid eight-
figure business growing roughly the same rate as Traps.
…If anyone could find an industry analyst who actually has sized that market, let me know.
It is still very early stage and I think the industry itself is watching a slow evolution of
adoption of cloud, but that will be an important contributor.'
- Kelsey Turcotte, VP Investor Relations, 09/08/2016
Fortinet Comments Around Their Virtual Product
Credit Suisse Interpretation of FTNT Messaging: (1) Virtual is the fastest growth
segment at FTNT and will be the largest segment of revenues in three to four years, (2)
hybrid model is the way forward, and (3) there is pressure on the product line from virtual
product adoption.
'Definitely the cloud; starting to grow faster than real appliance' [in response to question
about how physical vs virtual will unfold over the next three to four years] .
– Ken Xie, Founder, Chairman of the Board & CEO, 02/02/2017
[That's more] incremental and also interesting, I also see -- I think we wrote a comment
about almost maybe a year ago we move lot of data to the Cloud. You actually need to
secure the access and also increase the bandwidth to -- for the -- whether encryption,
whatever, to access the data there. At the same time, even the data in the Cloud, you also
need to protect that, right? So, that's actually -- I believe, when some data application
move to the Cloud, they actually need the most security.
- Ken Xie, Fortinet Inc – CEO 2/28/2017
5 September 2017
Cybersecurity 67
'Our cloud and virtual business more than doubled year over year in the fourth quarter.
Although this is from a small base, it continues to represent the fastest-growing segment
of our total business… We are really trying to weight the money -- we're really to drive to
higher customer lifetime value, and the way you do that is attribute more to the recurring
higher profitability side of the business.'
- Drew Del Matto, CFO, 02/02/2017
'Where we are seeing the most uptick really is what I would call the hybrid model and what
we call that actually is BYOL, Bring Your Own License or Bring Your Own Device, and so
someone, a customer is generally buying a device and they are installing it in someone
else's cloud environment where they are managing it for them. Now, the other thing we're
seeing, I mean we're actually seeing an uptick in the virtual licenses being downloaded,
the metered models, the utility models.
But the problem is, it's so small, right. [It's not] necessarily a bad thing because if that's
going to grow, I think it really give us a kind of a nice path to growth without the risk of
cratering the revenue line, the topline as you transition. Look, investors are worried about
or people are often worried about is that it's going to be like Adobe going from perpetual to
subscription and you get this cratering effect on the P&L and the topline and what we hope
is that this thing just grows nice at a nice curve and a nice rate, we continue to take share
and we kind of sail through the transition.' -
Drew Del Mato – 9/07/2016
'There is a beneficial impact from the cloud. I think the non-beneficial impact could be
something like Drew was saying is that it extends the sales cycles. As customers are
planning their next-generation networks, perhaps shifting some to the cloud in the hybrid
model, it does slow things down in the decision making process. But we feel from a
competitive standpoint we are very well positioned.'
- Michelle Spolver, Chief Communications Officer, 10/27/2016
'Yes. The thing I would add, too, to what Drew said, is that product revenue, you see an
acceleration from most companies. And Drew talked about it being an overall opportunity.
We definitely see that, probably more in the long term than the short term.
But in Q3, for us, we had about 200 to 300 basis points of product revenue that moved into
services, and that was primarily accounting for sales of virtual products through AWS and
Azure. And so, that's something that, it's an incremental opportunity, but you get lower
upfront product revenue. We are selling it in that fashion. It certainly -- it helps on the gross
margin line, but it brings product revenue down a little bit.'
- Michelle Spolver, Chief Communications Officer, 11/09/2016
Complacency Is Evident in the Numbers
We illustrate potential unpreparedness via revenue revisions data. It is clear that when
analysts expect a cloud transition (generally following management communication to
market), they revise their forward revenue forecasts downwards.
Naturally, we recognize the market can react positively despite downward top-line
revisions, generally when investors applaud cloud transitions and look through the
revenue headwind to enhanced CLTV. While we argue strongly below a firewall cloud
transition disaggregates adjacencies, and is therefore unlikely to be CLTV accretive, we
appreciate this as a risk to our thesis.
5 September 2017
Cybersecurity 68
Figure 116: Revenue Revisions Data Show Analysts
Revised Down Their Top-Line Forecasts…
Figure 117: … After Messaging About a Cloud
Transition Began at ORCL and ADBE
Oracle revenue revisions Adobe revenue revisions
Source: Bloomberg, Credit Suisse Research. Source: Bloomberg, Credit Suisse Research.
Looking at revisions data for the incumbent firewall vendors, we believe the Street
continues to model virtual firewall as entirely incremental in nature.
Figure 118: PANW, CHKP, and FTNT Have Not Experienced Material Sell-Side Downward Revisions to
Forward Revenue Estimates
Source: Bloomberg, Credit Suisse Research.
Is a Messaging Shift Already Under Way?
We have analyzed the messaging from Palo Alto Networks regarding its virtual business
and wonder if there is a subtle messaging shift under way. In September 2016, Palo Alto
Networks CFO Steffan Tomlinson described shifting workloads to cloud as unequivocally
incremental for PANW.
'We view moving workloads to the cloud as incremental for our business. The fact that companies want to have a consistent security policy to manage on-prem devices, plus
their cloud workloads, accrues to our benefit. Because we have virtualized our firewall a number of years ago to have full feature and functionality of a next-generation firewall but
in a virtual form factor.' – Steffan Tomlinson, 09/14/2016
In December 2016, Mr. Tomlinson offered greater detail about the economics of cloud and
accepted that different transitions result in different economics. However, the message
remained consistent that cloud is additive and incremental.
12Y 13Y 14Y15Y
16Y 17Y
18Y
19Y
34,000
36,000
38,000
40,000
42,000
44,000
46,000
48,000
2010 2011 2012 2013 2014 2015 2016 2017
Larry Ellison announced Oracle Public Cloud in late 2011
10Y
11Y 12Y 13Y14Y
15Y
16Y
17Y
18Y
19Y
2,000
3,000
4,000
5,000
6,000
7,000
8,000
9,000
10,000
11,000
2007 2009 2011 2013 2015 2017
Adobe announced their cloud intentions in
November 2011
13Y 14Y
15Y
16Y
17Y
18Y
19Y
1,300
1,500
1,700
1,900
2,100
2012 2013 2014 2015 2016
13Y 14Y15Y
16Y
17Y
18Y
19Y
0
600
1,200
1,800
2,400
3,000
2012 2013 2014 2015 2016
13Y 14Y
15Y
16Y
17Y
18Y
19Y
500
800
1,100
1,400
1,700
2,000
2012 2013 2014 2015 2016 2017
Palo Alto Networks, $m Fortinet, $m Check Point, $m
5 September 2017
Cybersecurity 69
'Well, the operative engagement model that we're seeing today is really a hybrid one,
where we're seeing a combination of on-prem and cloud. And by the way we define cloud
as public cloud, private cloud and SaaS applications. Depending on how the customer
actually goes to market with their cloud strategy will determine the outcome around
the economics of the deal.
As an example, in one flavor, you could have a customer who has a public cloud or private
cloud infrastructure, but they're still routing their traffic back through their data center. In
that case, they will be actually buying high-speed chassis from us, physical product-related
revenue for us and they will be buying virtual firewalls from us for both the public
and private cloud options.
If they were just to go down the private or public cloud route, they'll be buying our virtual
firewalls. And the economics are favorable in both areas. The unit economics are different
because you have a physical firewall, which has a lot of hardware and throughput
capability. The virtual firewall has less throughput capability, because it doesn't have
the hardware component. But the cost per megabit within the same zip
codes for both on-prem equipment and virtual firewall.'
– Steffen Tomlinson, 12/07/2016
In June 2017, Mr. Tomlinson injected some measured caution around earlier statements
that cloud is unequivocally incremental, suggesting the transition to cloud is a long game
where the margin and revenue impacts remain to be seen.
'…what we've seen is lots of companies are moving workloads to the cloud, but it's not
moving everything to the cloud right now. We view the cloud as an incremental opportunity.
It remains to be seen. This is a long game. It remains to be seen, the margin impacts,
the revenue impacts, et cetera.
But I can tell you right now, there's not a one-for-one correlation between one physical
firewall and one virtual firewall because from the way that most firewalls are scoped out is
it's based off of throughput. If you have a 20-gig firewall and you're buying one appliance,
you're going to need to buy probably at least 20 if not more virtual firewalls, depending on
the network setup that you have. And so there's going to be an evolution of what the
revenue model looks like. But right now, we're not seeing any negative effect of
public cloud. We're seeing it is an incremental benefit.'
– Steffan Tomlinson, 06/06/2017
Having One's Cake and Eating It?
We think there may be a level of cognitive dissonance among management of CHKP,
PANW, and FTNT applauding growth in their respective virtual businesses and
simultaneously messaging cloud is entirely additive.
Especially in the context of Symantec's clarity in messaging around the economics of
physical vs hybrid vs pure virtual/cloud, we struggle to understand how virtual firewall
cannot be cannibalistic on some level.
5 September 2017
Cybersecurity 70
Figure 119: Symantec's Accepts That Virtual Appliances Are Not Necessarily Always Accretive to CLTV
Source: Symantec, Credit Suisse Research.
Can Cloud Be Accretive to CLTV?
As discussed above, we are concerned that the market is not cognizant of the potential
revenue headwind in a cloud transition scenario. However, why should investors not just
look through the short-term headwind to the greater CLTV opportunity that cloud security
promises?
We are concerned that a cloud transition is likely to be deflationary for pricing, regardless
of consumption model. We are cognizant of multiple factors that we think may impact the
ability of firewall vendors to maintain the tight control over pricing they have historically
enjoyed.
Figure 120: Pricing for High-End Units Has Remained Within a Relatively Tight
Band
High end ASP, adjusted for inflation by US PPI from most recent quarter
Source: IDC, Credit Suisse Research.
Hybrid Solution Virtual AppliancePhysical Appliance
Product/Support Product/Support & Subscription Subscription
$600
$269
$269
$269
$269
Year 1 Year 2 Year 3 Year 4 Year 5
$640
$391
$391
$391
$391
Year 1 Year 2 Year 3 Year 4 Year 5
$380
$380
$380
$380
$380
Year 1 Year 2 Year 3 Year 4 Year 5
CLTV $1,480 CLTV $1,930 CLTV $1,645
~4 year breakeven
* CLTV assumes an annual 5% discount factor
0
20,000
40,000
60,000
80,000
100,000
2003 2005 2007 2009 2011 2013 2015 2017
High end ASP, inflation adjusted (US PPI)
Average, +/- 1stdev
5 September 2017
Cybersecurity 71
Consumption Models
There are two main consumption models for virtualized firewall: (1) as a license to install in
one's own private cloud, or (2) via AWS and other public cloud vendors on a metered
basis. Of the below factors, we think that disaggregating adjacencies and the lowering of
switching costs represent potential pricing headwinds for both consumption models, while
the price transparency, deconsolidation, and capacity utilization arguments are more
specific to metered models.
■ Disaggregation of Adjacencies: NGFW/UTM/Firewall moving from a physical to
virtual form-factor actually disaggregates the value proposition of hardware with
software attach. The value delivered via product purchase is currently triplicate, (1)
the physical hardware itself, (2) the software platform that requires maintenance
payments, and (3) attendant attach optionality paid for via subscription.
Virtualizing product decomposes the product/support/attach model into software
subscription excluding hardware (product) and associated maintenance. All else equal,
the revenue (and profit to a lesser extent) opportunity should actually be lower for
virtualized product by virtue of the removal of hardware components, assembly, and
development. Put another way, why would the customer pay the same when they have
to provide their own hardware?
Therefore, assuming virtual is priced at parity (i.e., excluding the hardware component)
on a discounted basis, and assuming no growth, there is a sustained haircut to the
aggregate vendor revenue opportunity. This said, we recognize that the gross margin
on the software component of product is substantially higher than the hardware piece.
Figure 121: A Portion of the List Price Represents the Cost of Hardware
Traditional revenue model (not to scale, for illustrative purposes only)
Source: Credit Suisse Research.
■ Switching Costs Lowered: The physicality of hardware lends it gravity (both literally
and figuratively) in the IT infrastructure. It's expensive to rip and replace during the
deployment life cycle (we think about the average refresh as five years), as your sunk
costs greatly outweigh your variable costs. Virtualized firewall paid for on a subscription
basis implies no irrecoverable costs and therefore would greatly reduce the economic
imperative of delaying switching until the refresh.
We recognize the residual switching cost of policy gravity, which is the migration of
firewall policy from one vendor to another being challenging, but believe this to
represent only a portion of aggregate switching costs.
2 3 4 51
Maintenance/support
Subscription
Year
Hardware
portion
of product
Up
-fro
nt
pro
du
ct c
ost
5 September 2017
Cybersecurity 72
Figure 122: The Figurative Gravity of Hardware (with
Its Upfront Costs) Results in High Switching Costs…
Figure 123: … Subscription Reduces the Economic
Imperative of Switching Upon the Refresh
Traditional revenue model (not to scale, for illustrative purposes only) Cloud revenue model (not to scale, for illustrative purposes only)
Source: Credit Suisse Research. Source: Credit Suisse Research.
■ Price Transparency: While the above are pricing headwinds for virtual firewall sold
under a subscription model, we expect there will be significant demand for metered
pricing. The popularity of on-demand pricing is unlikely to pass by virtual firewall
additions; indeed Fortinet, Palo Alto, and Check Point's virtual solutions can all already
be consumed via public cloud vendors.
Moving to a metered pricing model results in greatly enhanced price transparency;
vendors can be compared more easily. We question whether this may expose an
historically price-opaque and insensitive business model to the whimsy of dynamic
pricing.
Year 2 3 4 51
Up
-fro
nt
pro
du
ct c
ost
Maintenance/support
Subscription
Sunk
cost
Sunk costs = high switching costs
Year 2 3 4 51
Subscription
No
Sunk
cost
No sunk costs = lower switching costs
5 September 2017
Cybersecurity 73
Figure 124: Fortinet, Palo Alto, and Check Point All Have Virtual Offerings
Available on a Metered Basis on the AWS Market Place
Source: AWS.
■ Capacity Utilization Is Deflationary: When the InfoSec team plans a firewall
purchase, it is making capacity decisions to ensure performance not just during max-
throughput occasions but also in the context of its forecast traffic growth during the
intended life of the appliance. We think that virtualized pricing models, in addition to the
ephemeral nature of workloads, will result in more efficient capacity utilization.
5 September 2017
Cybersecurity 74
Figure 125: Currently, Firewall Throughput Capacity
Is Planned Such That the Network Will Remain
Performant During High-Traffic Events
Figure 126: Buying Firewall Either by Subscription
or on a Metered Basis Will Reduce Excess Capacity
Relative to the Hardware Pricing Model
Conceptual, for illustrative purposes only Conceptual, for illustrative purposes only
Source: Credit Suisse Research. Source: Credit Suisse Research.
As we have attempted to illustrate in Figure 127, should a virtual firewall be consumed
via subscription, on a per-hour basis, on a per-seat basis, or on a throughput basis, we
expect it to be deflationary. This is because the delta between what you purchase and
what you consume decreases as a function of the granularity of pricing paradigm.
Figure 127: Illustration of Capacity Saved Under Different Pricing Models
Conceptual, for illustrative purposes only
Source: Credit Suisse Research.
■ Less Imperative to Consolidate: As we have referenced, consolidation has been a
beneficial trend for firewall vendors. These companies have continued to add
incremental controls and network security features onto their boxes and have done a
great job expanding TAM and simplifying the solution set for customers. NGFW has
been a consolidation story for the past several years and contributed to stock
outperformance during that time.
Jan Jan Mar Apr
Refresh cycle max traffic assumption
Max historical traffic
Illustrative daily traffic patterns
Jan Jan Mar Apr
Saved in Subscription pricing model
Saved in cloud virtual pricing model
Meteredpricing
Subscriptionpricing
Hardwarepricing
Actual traffic
Max historical traffic
Refresh cycle max traffic assumption
5 September 2017
Cybersecurity 75
Figure 128: Underlining Firewall Stock Outperformance During the Period of
Product Consolidation – the Aggregation Trade
Rebased to 100 on PANWs first trading day
Source: Thomson Reuters Datastream, Credit Suisse Research.
We posit the potential for a public cloud deployment and marketplace model to challenge
what has been the norm for the past several years. With the ephemeral nature of cloud
workloads, it might very well make sense for practitioners to more nimbly mix and match
different control from different vendors, perhaps even to vary the use of such controls by
workload instead of having more static one-size-fits-all solutions.
0
50
100
150
200
250
300
350
400
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
CHKP PANW FTNT
5 September 2017
Cybersecurity 76
Figure 129: Software SoundBytes Regarding Pricing of Security in the Cloud
Source: Credit Suisse Research.
Software SoundBytesPricing Security in the cloud
Brad Zelnick
(212) 325 6118
“If its BYOL model, it works great but the marketplace has been trending towards hourly
usage pricing models. Security guys have never done that and it’s challenging to achieve
any predictability. That’s working against the virtual firewall market.”
“If I look at the virtual firewall market it is not more than10% of the overall firewall market. 45% of
that is public cloud related, so only 3.5% - 4% of the firewall market is in the public cloud today.”
“Our customers struggle with buying security on a utility model”
“Security needs to be aligned with cloud consumption economics – pay as you go… People
buy excess capacity to not deal with refresh cycles – this will go away.”
“From a reseller perspective, the pricing on physical vs victual is still unclear – and
presence on AWS clearly alienates the channel – but does it mean that network
security players can recoup the channel margin?”
“Legacy vendors are not comfortable selling in a utility model; it goes counter to what the
trend has been, even with virtual FW on the private side the security guys really struggle
with how to do an on-demand security model. A lot of organizations are looking at security
in cloud more holistically, shifting spend to other areas like identity and encryption.”
“Like for like units are less expensive when consumed virtually … Even so, the cost of firewall vs
infrastructure on smaller deployments can sometimes be a multiple of infrastructure. This is highly
dependent on what workloads you are running, and where you are running them”
5 September 2017
Cybersecurity 77
TAM Expansion Is Limited
Feature Consolidation Is Limited, and So Is the Share Consolidated Solutions Can
Take
A multi-year theme in the firewall space has been the consolidation of point solutions onto
the firewall. We believe this has been a genuine response to the frustration of customers
(of all sizes) with an ever growing plethora of disparate solutions, but it has also been a
convenient revenue protection and enhancement strategy. We argue there is a limit to
what can be consolidated, as well as a limit to the share consolidated products can enjoy
in the marketplace.
The Problem with Point Solutions (for the Customer)
Separate Firewalls, intrusion detection/prevention (IDP) appliances, secure Web gateways
(SWG), SSL VPNs, and advanced threat prevention (ATP) sewn together by a large IT
services vendor are admittedly suitable for some very large sophisticated enterprises.
However, given the expense (both upfront and ongoing; you need an extensive security
team) and time to implement; this complexity limits broader demand for pastiche solutions.
Instead, the majority of enterprises would prefer a single platform from which to identify,
manage, and control security threats. Even if each constituent component is less strong
than a best-in-class point product, a platform solution tends to deliver greater functionality
via the integration inherent in consolidation, as well as better throughput and significant
cost savings.
Cisco's Marty Roesch (Vice President and Chief Architect of Cisco’s Security Business
Group, previously founder and CTO of Sourcefire) talks about the complexity trap of point
products. Each time a point product is added to one's security apparatus, the complexity
increases exponentially, while the value generated increases only linearly. This implies
that, at some point, the complexity of point solutions, even if they are best-of-breed,
overwhelms their utility.
Figure 130: Increasing Use of Point Products Increases System Complexity
Source: Credit Suisse Research, * System complexity proxy is number of connections necessary between point products should each be connected with every other.
The Benefits of Feature Consolidation (for the Vendor)
We believe there are three key vendor incentives to consolidate features onto a single
appliance: (1) synthetic TAM expansion, (2) the opportunity to increase attached
subscription and (3) enhanced unit gravity.
■ TAM Expansion: The more features consolidated onto a single box, the greater the
market addressable by that product. We visualize this phenomenon in Figure 131 and
see this as a top-line growth strategy in a saturated market.
0
50
100
150
200
0 2 4 6 8 10 12 14 16 18 20
Value Complexity *
5 September 2017
Cybersecurity 78
Figure 131: The More Point Solutions That Are Consolidated, the Greater the
TAM for Firewall Vendors Becomes
Size of bubble represents size of TAM (not to scale, for illustrative purposes only)
Source: Credit Suisse Research.
■ Tailwind for Attach: The more that can be consolidated onto a firewall, the more
features that can be sold attached to the box. We view this as a revenue protection
strategy in a saturated market. When the only incremental revenue opportunity is a
competitive (or defended) win on the refresh, the consolidation of adjacent products
offers an opportunity to both grow, and de-risk, the top line by the addition of sticky
recurring subscription revenues.
Figure 132: If We Look at the Five-Year Thru-Cycle Attach Rate, We Can See the
Financial Result of Feature Consolidation
Annualized subscription and support/maintenance as a percentage of 5y trailing product revenue
Source: Company data, Credit Suisse estimates.
■ Greater Unit Gravity: The more attached to a single box, the heavier that appliance is.
That is, the more the enterprise relies on it as a single-point solution, the stickier the
appliance becomes. In addition, the more attaches per box, the more throughput
consumed, and therefore the greater capacity demanded. This, we think, ultimately
results in greater unit gravity, better price leverage, and heightened capacity demand.
Number of features
consolidated
Time
Core
Firewall
Core
Firewall
& VPN
Core
Firewall
& VPN
& WAF
Core
Firewall
& VPN
& WF
& IDP
Core Firewall
& VPN
& WF
& IDP
& AV
& DLP
CASB?
32%
34%
36%
38%
40%
42%
44%
46%
48%
50%
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
CHKP FTNT PANW
5 September 2017
Cybersecurity 79
In summary, customers wish to take a platform approach to lower costs and increase
efficacy and vendors to consolidate features as a revenue protection strategy. Given this
incentive alignment between customers and vendors alike to rationalize their security
infrastructure, the multi-year trend toward feature consolidation is unsurprising.
Figure 133: Looking at the Share of the Market by Product Type Shows the Trend Toward Consolidation
Revenue by product as share of total market, %
Source: IDC, Credit Suisse Research.
Consolidation Tailwind Unlikely to Sustain
While feature consolidation has been a sustained tailwind for at least two refresh cycles,
we believe the benefits accruing to vendors from platform strategies are likely to be less
pronounced.
■ Ceiling for Consolidated Product Demand: Chief security officers are often
concerned by the unsystematic risk inherent in a single-vendor platform approach.
Security silos are vulnerable, and the generally accepted wisdom of defense in depth
means that those with the budget and sophistication are likely to continue to demand
the best-of-breed point products necessary for an integrated layered approach. In our
view, this results in a demand ceiling for unified products (UTM/NGFW).
■ Significant Proportion of the Market Already Consolidated: Given c52% of the
market is already comprised of UTM/NGFW (50% in the high end of the market), we
think there is a limit to the second derivative rate of change in UTM share, especially in
the context of our view around consolidated product demand ceiling.
■ Little Left to Consolidate: A push-back to the above is, of course, that innovation in
the market itself grows new point products that can then be consolidated at a faster
rate than we expect. While a legitimate risk to our thesis, we see the speed of
consolidation of innovations such as CASB as reflecting what little is left to be
consolidated. Barracuda acquired the Sookasa CASB, CHKP has partnered with
multiple CASB providers (Firelayers, Avanan, and Microsoft), Cisco bought Cloudlock,
and Fortinet has the FortiCASB. Given the nascent nature of the CASB market, we
think the extent to which it has already been consolidated reflects the vendor appetite
for new platform additions; deduction would therefore suggest there is little left to
consolidate.
Furthermore, akin to the law of large numbers, we note the simple mathematical
argument that as additional features are consolidated into the NGFW, it becomes
increasingly difficult to move the needle on existing TAM.
0%
20%
40%
60%
80%
100%
2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
Unified Threat Management/Next Generation Firewall
Firewall
Intrusion Detection and Prevention
Content Management
VPN
5 September 2017
Cybersecurity 80
Figure 134: UTM Accounts for in Excess of 50% of the Security Appliance Market
Source: IDC, Credit Suisse Research.
VPN2%
Content Management
16%
IPS12%
Unified Threat
Management52%
Hybrid VPN0.3%Ipsec VPN
0.3%
SSL VPN2%
WAM0.4%
Web Security10%
Messaging Security
5%
IDS1.3%
IPS10%
Firewall19%
5 September 2017
Cybersecurity 81
SSL Decryption Less of a Tailwind
The argument made by many students of the firewall industry, not least Gartner, is that as
more traffic is encrypted, firewall capacity will need to increase. The logic is that decrypting
SSL traffic (so that it can be inspected) and then re-encrypting it is roughly 50% more
computationally taxing than a simple inspection of unencrypted inbound and outbound
traffic.
Figure 135: The Performance Loss Resulting from an Inspection of SSL
Encrypted Traffic On-box Is Substantial
Source: NSS Labs, Credit Suisse Research.
Many NGFWs have the ability to pose as the recipient of the SSL session, decrypt and
inspect the content of the packet, and then impersonate the sender by creating a new SSL
session with the intended recipient.
Figure 136: The Decryption Process
Source: Fortinet, Credit Suisse Research.
In Gartner's words: 'The vendors in the firewall space will be challenged over time by the
maturing of the cloud service providers' (CSPs') solutions. But in the near term, Gartner
predicts that more firewalls will be deployed to deal with the growth of encrypted traffic, so
this can be a source of near-term incremental demand for firewall vendors.' – Gartner
Event Summary: Gartner Security & Risk Management Summit 2017, 13th July 2017
NSS Labs (512b Cipher)
NGFW Performance loss by Vendor
Forcepoint 3202 -54%
Palo Alto 5020 -66%
SourceFire 8250 -77%
Check Point -87%
Fortinet -93%
Content
Scanning
Decryption Re-encryption
Firewall Appliance
Encrypted Packet Encrypted Packet
Decrypted packet
HTTPS session HTTPS session
User Server
5 September 2017
Cybersecurity 82
Figure 137: SSL Encryption Has Grown Rapidly, but the Rate of Acceleration Is
Forecast to Decrease
Source: Google, Credit Suisse estimates.
While the argument is not without apparent logic (SSL encrypted traffic is growing, and
SSL encrypted traffic requires more processing power to inspect), we think there are three
key reasons for this trend to be less of a tailwind than the market expects:
■ The Lion’s Share of Growth in Encrypted Traffic Has Already Occurred: As of
February 2017, the EFF reported that more than half of all Internet traffic was protected
by HTTPS. This data are corroborated by statistics from Google that suggest SSL
encryption is in place on more than half of the pages loaded by desktop users and that
the same users spend more than two-thirds of their time on HTTPS websites.
When we look at data from Chrome (the most popular web browser), we find that as of
September 2017, 83% of pages were loaded over HTTPS and 74% of time was spent
browsing HTTPS websites. Ultimately, this suggests that the second derivative growth
in encrypted traffic is likely to be less significant, and therefore less of a near-term
tailwind, than industry analysts suggest and the market believes.
Figure 138: Chrome Is the Most Popular Web
Browser, with over 60% of Web Traffic
Figure 139: Nearly 80% of Time Is Spent Browsing
SSL Encrypted Sites on Chrome
Source: w3counter.com, Credit Suisse Research. Source: Google, Credit Suisse Research.
■ Point Solutions Are Cheaper: While some argue the computational weight of traffic
decryption must result in greater aggregate firewall throughput demand, others argue
for a scale-out, rather than scale-up, model. Indeed our field work validates the cost
and security efficacy of using NGFW alongside stand-alone decryption devices from
vendors such as Gigamon or Symantec’s SSL Visibility Appliance (FKA Metronome
acquired by Blue Coat).
16%20% 19%
22% 23% 23% 25% 27%30%
34%39%
46%
59%65%
70% 75%
0%
10%
20%
30%
40%
50%
60%
70%
80%
2005 2007 2009 2011 2013 2015 2017 2019
Ponemon data (enterprise deployment of encryption)
Letsencrypt.org data (percentage of web pages Loaded by Firefox Using HTTPS)
NSS Labs 2019 forecast (interpolated)
62%
14%
9%
8%
3%
Chrome
Safari
Internet Explorer
Firefox
Opera
70%73%
75%78%
81%83%
45% 46%
54%57%
60%57%
66%68%
71% 70%74%
30%
40%
50%
60%
70%
80%
90%
Mar '15 Jul '15 Nov '15 Mar '16 Jul '16 Nov '16 Mar '17 Jul '17
Percentage of pages loadedover HTTPS in Chrome
Time spent browsing SSLencrypted sites on Chrome
5 September 2017
Cybersecurity 83
■ Trade-Down Effect Accounts for Some of This Step Increase: Should we
hypothetically assume a higher volume of encrypted traffic as a material short-term
driver of incremental physical firewall demand, some of this will likely be accounted for
by the trade-down effect. That is, upon the refresh, it's common for new offerings at
price parity with your retired boxes to have higher throughput capacity than the retired
appliance. Therefore some customers will ‘trade down’ to cheaper boxes with
equivalent throughput.
■ IP Traffic Volume Is Surging, but It Isn't Leaving the Datacenter: Traffic within the
data center makes up ~75% of the data center traffic and usually between same-stack
components (server, converged, storage, switching, and routing hardware). IP traffic
volume is surging, but it isn’t all leaving the data center, therefore there is no need to
encrypt all of it.
In addition, when interconnection is in place to put a cross connect in place, let’s say
Credit Suisse Low Latency trading and NYSE, that traffic is secured using one fiber
optic cable with no other parties using the same sockets; so as long as there is mutual
trust between both parties, the need to SSL encrypt is ameliorated.
Figure 140: 77% of All Traffic Occurs Within the
Same Data-Center…
Figure 141: … and This Is Forecast to Grow at a 23%
CAGR Through 2020
Traffic distribution, 2016, % Traffic in Exabyte’s per year
Source: Cisco, Credit Suisse Research. Source: Cisco, Credit Suisse Research.
Data center to
user
Data center to
data center
Within data center
14%
9%
77%
5,074 6,728
8,391 10,016
11,770
-
2,000
4,000
6,000
8,000
10,000
12,000
14,000
16,000
18,000
2016 2017E 2018E 2019E 2020E
Data center to data center
Data center to user
Within data center
5 September 2017
Cybersecurity 84
Shift from Prevention to Detection
“Are you planning for resilience in the face of cyber-attack? I would counsel all large organisations to assume that they are being attacked, and that this will be both from
the outside and inside. In fact, it may make no sense to distinguish between the two in the short-term future. Therefore, if you cannot keep all the attacks out you must
assume that you need to plan to be resilient in the face of them existing.” – Dr. Sadie Creese, Director of the Global Cyber Security Capacity Centre at the
Oxford Martin School and a member of the Coordinating Committee for the Cyber Security Oxford network
Enterprise Investment Shifting from Prevention to Detection
It is increasingly accepted by practitioners that information security isn’t capable of
predicting or preventing targeted attacks, particularly in the context of an innovating
attacker and a mercurial attack surface.
In countering the increasing speed, sophistication, scale, and variety of attacks, we believe
companies are more likely to invest in enhancing detection and response capabilities, as
well as data origination and endpoint monitoring as opposed to prevention-centric security
measures. Gartner estimates that 60% of enterprise security budgets will be allocated for
detection and response by 2020, up from 10% in 2013, and that 80% of endpoint
protection platforms will include user activity monitoring by 2018, up from less than 5% in
2013.
Figure 142: Enterprise Security Spend Shifting Rapidly to Dedication & Response
% of Enterprise IT Security Budget Dedicated to Detection & Response
Source: Gartner, Credit Suisse estimates.
Verizon notes in its 2016 Data Breach Investigation Report the average time taken to
exfiltrate data is a matter of days, although a nontrivial 21.2% of reported cases occur in
minutes. In addition, the vast majority of data, typically some form of credentials, is
compromised within minutes, if not seconds.
10%13%
18%23%
30%
39%
50%
60%
0%
10%
20%
30%
40%
50%
60%
70%
2013 2014 2015 2016 2017 2018 2019 2020
2013-2020 CAGR = 29.2%
5 September 2017
Cybersecurity 85
Figure 143: Time to Threat Discovery Is Improving, but Disparity Between Time
to Compromise vs. Time to Discover Continues to Widen
% of Breaches Compromised in “Days or Less” vs. Detection in “Days or Less” (Source: CS est, Verizon)
Source: Company data, Credit Suisse estimates.
Meanwhile, although an increasing number of breaches are discovered within days or less
(albeit still <25% of cases), the proportion of incidences that takes days or less to
compromise data is nearing 100% and is increasing at a relatively greater pace.
In addition, according to a 2015 report by Mandiant, the average targeted malware
compromise was present for 205 days before detection, and 69% of discoveries were
made by external parties rather than by internal IT security divisions.
With a need for rapid detection, the market for endpoint detection and response (EDR) in
particular will likely see rapid growth. At present, EDR has roughly 40 million endpoints
installed (less than 6% of the total PC and tablet install base). Gartner estimates that
aggregate end-user spending on endpoint detection and response will grow from $238
million in 2015 to $1.5 billion in 2020 at a CAGR of 45.3%, markedly faster than the 2.6%
CAGR forecast for the endpoint protection market as well as the 7.0% forecast for the
overall IT security market.
Figure 144: Endpoint Detection & Response Market Will Likely See Growth ~17x
Greater than Endpoint Protection Market
EDR vs. EPP Revenue
Source: Gartner, Credit Suisse estimates.
In consideration of not only the magnitude and increasing sophistication of security threats
that enterprises face, but also the ongoing systemic migration of enterprise network
infrastructures to managed cloud services, we believe that allocation of enterprise security
spending will continue to see an increasingly dramatic shift toward endpoint detection,
monitoring, and diagnosis and away from prevention-based systems.
0%
20%
40%
60%
80%
100%
2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
Time to Compromise Time to Discover
3,166 3,249 3,333 3,420 3,509 3,600
238 640 797 9931,236
1,540
0
1,000
2,000
3,000
4,000
5,000
6,000
2015 2016 2017 2018 2019 2020
EPP
EDR
5 September 2017
Cybersecurity 86
Firewall Stocks
Relative Exposure to Sector Headwinds Ratings Driven by Negative Category View
Given our negative category view is a significant driver of our stock ratings, PANW
(Underperform, TP:$125, 14% downside), FTNT (Underperform, TP:$33, 14% downside),
CHKP (Neutral, TP:$110, 1% downside), we have attempted to contextualize the exposure
to each headwind that results in heterogeneous risk.
This analysis highlights the differentiated exposure to each risk factor. On an aggregated
basis, we believe Check Point to be the best positioned, and Fortinet the worst, to deal
with the sector headwinds we have discussed.
Figure 145: Relative Exposure to Sector Risks
Source: Credit Suisse Research.
Explanation of Rankings
Network Architectural Shift
Figure 146: CHKP Best Positioned, FTNT
Source: Credit Suisse Research.
Check Point has the most substantial firepower (we estimate ~$10bn vs PANW with
~$5bn and FTNT ~$4bn), and therefore the path of least resistance to acquire their way
into the future. It is followed by PANW, with the second most transformative firepower, and
a convincing forward-leaning product suite (VM-Series, Global Connect, etc.). FTNT is, in
our view, the most exposed given its historical competitive advantage generation via
hardware.
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕Cisco increasingly competitive ○ ◕ ◑Juniper has little share left to give ○ ● ◔Cloud transitionary headwinds ◔ ◑ ◑TAM expansion ◑ ◑ ●Competition in the mid market ◑ ○ ●Carrier Exposure ◔ ◑ ●Total ◔ ◑ ◕
Who is best equipped to deal with…
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕
Who is best equipped to deal with…
5 September 2017
Cybersecurity 87
Cisco Increasingly Competitive
Figure 147: CHKP Best Positioned, PANW Most Exposed
Source: Credit Suisse Research.
Cisco has been explicit about its intentions to compete for refreshing customers. Given
management expects imminent refresh cycles at PANW and FTNT, we therefore see
these names as the most exposed on a relative basis. PANW's refreshed product is
expected to account for more than FTNT in our model; we thus rank PANW as the most
exposed.
Check Point's maturity results both in a more linear refresh, as well as greater salesforce
experience with competitive defenses. Therefore, we believe them to be the least exposed
to Cisco's investments in its security portfolio.
Juniper Has Little Share Left to Give
Figure 148: PANW Highly Exposed, FTNT and CHKP Well Positioned
Source: Credit Suisse Research.
PANW has derived roughly much of its growth via share gain, and we therefore think that
Juniper's lack of share left to donate is likely a disproportionate negative for PANW. Given
CHKP derives less of its growth from share gain than we believe the younger FTNT to do,
we see CHKP the least exposed to this risk.
Cloud Transitionary Headwinds
Figure 149: PANW and FTNT Equally Exposed, CHKP Well Positioned
Source: Credit Suisse Research.
While we recognize to some extent each name is equally exposed to this risk, we believe
CHKP to be the best positioned to weather a transition for the following reasons: (1) this is
not CHKP's first rodeo, as it has weathered a software to hardware in the past; (2) top-line
consensus growth expectations are lowest for Check Point at ~7% NTM y/y growth vs
PANW at ~20% and FTNT at ~15%; and (3) CHKP has shown great price discipline in the
past, most notably when PANW aggressively entered the market in the early 2010s.
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Cisco increasingly competitive ○ ◕ ◑
Who is best equipped to deal with…
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Juniper has little share left to give ○ ● ◔
Who is best equipped to deal with…
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Cloud transitionary headwinds ◔ ◑ ◑
Who is best equipped to deal with…
5 September 2017
Cybersecurity 88
TAM Expansion
Figure 150: CHKP & PANW Least Exposed, FTNT Most Exposed
Source: Credit Suisse Research.
Again, somewhat of a homogenous risk; each incumbent has greatly expanded the
security pain points they address, and therefore it becomes incrementally harder to move
the TAM needle. However, we believe FTNT to have the most complete product suite with
its security fabric offering. While a clear positive historically, we believe it will make it
incrementally harder for FTNT to move the needle on its own TAM.
Competition in the Mid-Market
Figure 151: PANW Least Exposed, FTNT Most Exposed
Source: Credit Suisse Research.
The mid-market is highly competitive and saturated. We therefore rank exposure to this
risk simply as a function of exposure. PANW has principally enterprise customers, while
FTNT reports ~70% of billings to be derived from the entry-level and mid-range segments.
IDC data corroborate this, showing FTNT to have 56% exposure to the volume market vs
CHKP at 27% and PANW at only 14%. Comparing this against IDC data for high-end
deployments where FTNT has only 20% while PANW and CHKP have 59% and 53%,
respectively, informs our ranking.
Carrier Exposure
Figure 152: FTNT Highly Exposed to Carrier Customers
Source: Credit Suisse Research.
While historically a positive, we now view carrier exposure as a risk due to the higher
speed of virtualization of carrier customers. As above, we rank this simply based on our
view of percent of billings derived from carrier customers. FTNT has ~20% and is known
as the leader in this vertical. While neither PANW nor CHKP report their carrier exposure,
we view CHKP's installed base to be more diversified and therefore less exposed to carrier
virtualization relative to PANW.
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
TAM expansion ◑ ◑ ●
Who is best equipped to deal with…
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Competition in the mid market ◑ ○ ●
Who is best equipped to deal with…
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Carrier Exposure ◔ ◑ ●
Who is best equipped to deal with…
5 September 2017
Cybersecurity 89
Relative Valuation Substantial Nuance in Firewall Valuation
Broad conclusions from our valuation work are as follows:
■ PANW Looks Misleadingly Cheap: On EV/uFCF, both Palo Alto Networks and
Fortinet appear inexpensive. Given higher relative growth expectations for PANW &
FTNT, the fact they trade in-line with CHKP is optically attractive. However, adjusting
out SBC (broadly accounting for the fact some cash would have had to have paid in
lieu of stock to retain talent) and adjusting for LT deferred revenue change (as yet un-
earned, and therefore expenses unpaid, revenue) shows PANW and FTNT to be much
more expensive than CHKP.
■ Only CHKP Trades on an Earnings Multiple: Looking at income statement multiples,
particularly non-GAAP P/E, reveals only CHKP to be trading within a reasonable range
on P/E, while both PANW and CHKP trade on revenues and cash flows. While we
appreciate higher growth expectations beget growth valuations, on a metric-specific
growth-adjusted basis, CHKP looks expensive and in-line on revenue growth.
■ Recurring Revenues Favor Fortinet: Fortinet is attractive on a recurring revenue
basis. While we think of recurring revenue multiples as more reflective of floor value
than intrinsic value; nonetheless recurring revenues provide more support to FTNT
than either PANW or CHKP. But some of this is discount is to be expected given its
greater mix of typically-higher-churn SMB customers.
Figure 153: Valuation Matrix
Source: Company data, Credit Suisse estimates.
Figure 154: Growth Rates Used in Adjusted Valuation (2Y CAGR)
Source: Company data, Credit Suisse estimates.
Absolute Valuation Analysis
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x
EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x
EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x
EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x
Income Statement Multiples
EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x
EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x
Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x
GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x
EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x
CHKP PANW FTNT
Growth
2Y CAGR TTM-NTM FY18-FY17 2Y CAGR TTM-NTM FY18-FY17 2Y CAGR TTM-NTM FY18-FY17
uFCF 9% 9% 6% 18% 15% 31% 28% 29% 42%
Revenue 7% 7% 7% 21% 21% 18% 14% 14% 11%
Operating Income 6% 6% 7% 27% 27% 28% 23% 9% 22%
Non-GAAP EPS 9% 7% 9% 27% 22% 23% 22% 7% 17%
GAAP EPS 9% 6% 9% -32% -45% -40% 85% 13% 26%
Recurring Revenue 10% 10% 9% 32% 31% 26% 20% 21% 16%
CHKP PANW Fortinet
5 September 2017
Cybersecurity 90
Figure 155: Valuation Matrix Adjusted for Metric Specific 2Y CAGR
Source: Company data, Credit Suisse estimates.
Figure 156: Valuation Matrix Adjusted for Top-Line 2Y CAGR
Source: Company data, Credit Suisse estimates.
Growth adjusted (metric specific)
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 1.75 1.70 0.77 0.67 0.44 0.41
EV/UFCF Adjusted for SBC 1.92 1.87 2.12 1.69 0.69 0.65
EV/UFCF Adjusted for LT Deferred 1.84 1.81 1.19 0.95 0.60 0.55
EV/UFCF Adjusted for SBC & LT Deferred 2.04 2.00 n/a n/a 1.21 1.07
Income Statement Multiples
EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22
EV/Non-GAAP Operating Income 2.32 2.24 0.94 0.83 0.87 0.76
Non-GAAP P/E 2.19 2.09 1.65 1.48 1.75 1.57
GAAP P/E 2.45 2.33 n/a n/a 1.09 0.87
EV/Recurring Revenue 1.10 1.06 0.26 0.23 0.25 0.24
CHKP PANW FTNT
Growth adjusted (revenue growth)
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82
EV/UFCF Adjusted for SBC 2.25 2.19 1.79 1.42 1.38 1.30
EV/UFCF Adjusted for LT Deferred 2.16 2.12 1.01 0.80 1.20 1.10
EV/UFCF Adjusted for SBC & LT Deferred 2.39 2.35 n/a n/a 2.42 2.14
Income Statement Multiples
EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22
EV/Non-GAAP Operating Income 1.97 1.90 1.21 1.07 1.42 1.24
Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49
GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32
EV/Recurring Revenue 1.50 1.44 0.40 0.36 0.37 0.34
CHKP PANW FTNT
5 September 2017
Cybersecurity 91
Relative HOLT® Perspective
HOLT Is Reflective of Our Views on Quality and SBC
Reflecting our fundamental view that Check Point is a high-quality wealth creator, in HOLT
it has succeeded in maintaining >15% CFROI® for ten years and has actually increased
returns from its 2013-14 nadir, which incidentally coincided with PANW's entry to the
market.
Figure 157: Check Point Has Maintained High and Stable Returns on Capital
(CFROI®); Adjusting Out SBC Has a de Minimis Impact on Returns and Forecast
Check Point HOLT CFROI profile
Source: HOLT, Credit Suisse Research.
Returns are materially lower for FTNT, and worst for PANW, although when adjusting
CFROI to exclude stock-based compensation (approximating non-GAAP), they are more
comparable (10% vs 7.4% LFY for CHKP and PANW, respectively).
Figure 158: Fortinet Has Seen Depressed Returns
on Capital in Recent Years as It Has Sacrificed
Margin for Investment in Sales and Marketing
Figure 159: Including SBC Palo Alto Networks Is Not
a Positive Spread Business; ex-SBC Returns in
FY16 Were ~7.5%...
Fortinet HOLT CFROI profile Palo Alto Networks HOLT CFROI profile
Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
The gap between returns on capital with, and without, accounting for stock-based
compensation expense has been broadening materially for FTNT, and even more so for
PANW over the last several years. This corroborates the conclusions of our
relative-adjusted multiple-based valuation method, which also depicts PANW as less
attractive than FTNT on UFCF ex SBC and FTNT in turn to be less attractive than CHKP.
(5 )
0
5
10
15
20
25
2007 2009 2011 2013 2015 2017
CFROI Forecast CFROI CFROI adjusted to exclude SBC
(5 )
0
5
10
15
20
25
2007 2009 2011 2013 2015 2017
CFROI
Forecast CFROI
CFROI adjusted to exclude SBC
(5 )
0
5
10
15
20
25
2007 2009 2011 2013 2015 2017
CFROI
Forecast CFROI
CFROI adjusted to exclude SBC
5 September 2017
Cybersecurity 92
Figure 160: The CFROI Spread Inclusive and Exclusive of SBC Shows the
Impact on PANW, Then FTNT's Returns to Be the Most Penal; CHKP's CFROI®
Exhibits Limited Sensitivity to Its Stock-Based Compensation Expense
Spread between HOLT CFROI including, and excluding Stock Based Compensation expense
Source: HOLT, Credit Suisse Research.
Implied Expectations Are Highest for PANW on a Relative Basis
Check Point has the lowest market-implied expectations (the Green dot, based on a
reverse DCF, shows the future level of returns required to validate today's price) relative to
FY2 CFROI (Pink bars: CFROI as implied by IBES consensus expectations).
However, while embedded expectations appear conservative at 18% market-implied
returns vs 22% FY2 CFROI forecast, on an absolute basis, they remain substantially
above market expectations for FTNT and PANW (at 8.5% and 10%, respectively).
In addition, the market expects CHKP to sustain high returns for a long period. CHKP has
sustained high and stable returns for a sufficient period to be awarded an eCAP, and an
eCAP is rewarded by lengthening the fade window to ten years (reflective of high-quality
companies tending to be more successful at generating excess returns for longer), thus
expectations for returns on capital in excess of 18% are embedded through 2026.
Figure 161: Check Point Has Maintained High Relative Returns on Capital, and
the Market Is Pricing for These Returns to Sustain over a Ten-Year Time
Horizon
Check Point returns on capital (CFROI) & Discount rate (%)
Source: HOLT, Credit Suisse Research.
Embedded expectations for FTNT imply a recovery in CFROI to 8.5% in 2021 from 5.2%
in 2016. This improvement is consistent with 2014 CFROI levels and suggests the market
is comfortable with the margin improvement guidance from management following
investment in sales capacity and marketing over the past several years having depressed
margins.
0%
2%
4%
6%
8%
2007 2009 2010 2012 2013 2014 2016
CHKP PANW FTNT
(5 )
0
5
10
15
20
25
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020
CFROI
Forecast CFROI
Discount rate
Historical median
Market impliedCFROI
2026
5 September 2017
Cybersecurity 93
Figure 162: The Market Is Pricing CFROI® to Improve to 2014 Levels
Fortinet returns on capital (CFROI) & Discount rate (%)
Source: HOLT, Credit Suisse Research.
PANW has the highest embedded market expectations of its peers, with an implied
recovery from sub-discount rate returns in 2016 to 10% CFROI in 2021. Interestingly the
market implied is equivalent to CFROI adjusted to exclude SBC in the forecast years,
suggesting the market appears somewhat prepared to look-through high levels of stock
based compensation expense at PANW.
Figure 163: Market Implied CFROI Calls for PANW CFROI Improvement to as Yet
Unachieved Levels
Palo Alto returns on capital (CFROI) & Discount rate (%)
Source: HOLT, Credit Suisse Research.
Sales Growth Expectations Are Highest for PANW
We sense check our belief that top-line growth expectations are the highest for PANW in
our valuation scenarios (included individually in the following company reports). Through
margin improvement driven scenarios, we can derive a long-term sales CAGR required to
justify the current share price.
Via simplistic margin scenarios, it becomes clear that, even when credited with unlikely
margin improvement, PANW's top-line growth expectations (in this case, >10% CAGR to
2026) are in excess of FTNT's (7.3%) and greatly in excess of CHKP (4.2%).
(5 )
0
5
10
15
20
25
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021
CFROI
Forecast CFROI
Discount rate
Historical median
Market impliedCFROI
(5 )
0
5
10
15
20
25
2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2020 2021
CFROI
Forecast CFROI
Discount rate
Historical median
Market impliedCFROI
5 September 2017
Cybersecurity 94
Figure 164: Assuming Stable Margins, the Market
Embeds a Long-Term Sales CAGR of 4% to Achieve
CHKP's Current Share Price
Figure 165: Should Margins Rise to the Historical
Peak, the Market Embeds a Long-Term Sales CAGR
of 7.3% to Achieve FTNT's Current Share Price
CHKP: Operating projections implied by current price: $111 per share FTNT: Operating projections implied by current price: $38 per share
Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
Figure 166: Assuming Margins Rise from Consensus Levels of (15%) to FTNT’s
Peak of 22%, PANW’s Current Price of $131 Implies a Sales CAGR of 11% over
the Next Ten Years
PANW: Operating projections implied by current price: $146 per share
Source: Company data, Credit Suisse estimates.
Sales, Margins, and SBC
CHKP’s high returns are driven by high and stable margins vs. FTNT and PANW. PANW’s
stock option expense has increased dramatically in the past years.
49.9 49.9
0
20
40
60
1996 2000 2004 2008 2012 2016 2020 2024Historical margins Forecast
Margins w/o SBC
7.75.0
(10)
0
10
20
30
1996 2000 2004 2008 2012 2016 2020 2024
Historical growth Forecast
Assumed long term
margins of 50%1
Solved for the long
term sales CAGR
required to get to
current price of $111
2
Consensus
Consensus
16.9
8.0
(10)
0
10
20
30
2007 2011 2015 2019 2023
Historical growth Forecast
9.5
21.5
0
8
16
24
32
2007 2011 2015 2019 2023Historical margins Forecast
Margins w/o SBC
Assumed long term
margins to rise from
9.5% to historical
peak of 21.5%
1
Solved for the long
term sales CAGR
required to get to
current price of $38
2
Consensus
Consensus
26.2
11.8
0
20
40
60
80
2007 2011 2015 2019 2023
Historical growth Forecast
(14.6)
21.5
(20)
(10)
0
10
20
30
2007 2011 2015 2019 2023
Historical margins Forecast Margins w/o SBC
Assumed long term margins
to rise from -14.6% to
21.5% based on historical
peak of FTNT
1
Solved for the long term
sales CAGR required to get
to current price of $146
2
Consensus
Consensus
5 September 2017
Cybersecurity 95
Figure 167: Sales, Margins, and Stock-Based Compensation Expense as a % of Sales
Source: HOLT, Credit Suisse Research.
What Is HOLT?
The HOLT methodology uses a proprietary performance measure known as Cash Flow
Return on Investment (CFROI®). This is an approximation of the economic return, or an
estimate of the average real internal rate of return, earned by a firm on the portfolio of
projects that constitute its operating assets.
A firm's CFROI can be compared directly with its real cost of capital (the investors' real
discount rate) to see if the firm is creating economic wealth. By removing accounting and
inflation distortions, the CFROI allows for global comparability across sectors, regions, and
time and is also a more comprehensive metric than the traditional ROIC and ROE.
63 3 3 4 6 7 8 9 10
0
10
20
30
2007 2010 2013 2016
Sales growth (%)
EBITDA margins (%)
FTNT PANWCHKP
(20 )
0
20
40
60
2007 2010 2013 2016
0
20
40
60
2007 2010 2013 2016
(20 )
0
20
40
60
2007 2010 2013 2016
EBITDA margins
Historical median
EBITDA margins w/o SBC
0
20
40
60
2007 2010 2013 2016
(20 )
0
20
40
60
2007 2010 2013 2016
0
20
40
60
2007 2010 2013 2016
Sales growth Historical CAGR
Stock option expense as % of sales
0 0 0 24 5
11
17
2429
0
10
20
30
2007 2010 2013 2016
5 4 3 3 3 3 4 4 5 5
0
10
20
30
2007 2010 2013 2016
SBC as % of sales Historical median
5 September 2017
Cybersecurity 96
Figure 168: How to Read a HOLT CFROI® Chart
Source: Credit Suisse HOLT.
Long-term level of returns
on capital required to
validate today’s
market value
Country market implied
discount rate adjusted for
company’s leverage and size
T+1 and T+2 returns on
capital forecasts based on
IBES consensus estimates
Adjusted historical returns on
capital based on HOLTs
proprietary framework
Market implied CFROI
CFROI Forecast
Historical CFROI
Market derived
discount rate
1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018
Superior performance metric Market-calibrated valuationMarket Derived Discount Rate
CFROICash flows
Capital investment
Future value
Total Market
Value
=
(1 + DR)
Solve
Forecast
FCF
Forecast
CFROI is a cash-based return on capital metric that improves comparability of corporate performance across companies, geographies and time
Forecasted FCF calibrated to current
market values through observed, market implied discount rate
Calibrate future CFROI and growth rates embedded in the current stock price
The HOLT discount rate is forward-looking, derived from observed market valuation, and accurately reflects current investors’ risk appetite
Discount
rateFuture performance implied by
today’s stock price
Historical
returns
Competitive Lifecycle & fade
Empirically derived terminal value recognises competitive life-cycle of returns and growth (mean reverting fade concept)
Cumulative probability approximates
the likelihood of achieving future returns given the past return profile
Fading Turnaround?Mature
CFROI
Reinvestment
Growth
Discount
rate
5 September 2017
Cybersecurity 97
Stock Calls Palo Alto Networks: Lost in Palodise
Americas/United States Software
Palo Alto Networks, Inc. (PANW) Rating UNDERPERFORM Price (01-Sep-17, US$) 146.67 Target price (US$) 125.00 52-week price range (US$) 164.15 - 108.01 Market cap(US$ m) 13,468 Target price is for 12 months.
Research Analysts
Brad A Zelnick
212 325-6118
Jobin Mathew
212 325 9676
Syed Talha Saleem, CFA
212 538 1428
Lost in Palodise
Initiating Coverage with Underperform Rating and $125 Target Price
Despite being one of the most disruptive innovators in the security industry, we
believe investors are overly optimistic in Palo Alto Networks’ ability to sustain
over 2x market growth rates. We truly believe this is a great company with great
management, but not a great stock at current levels.
■ What Comes After the Perfect Storm? Past performance is no indicator of
future success. The market view that PANW continues to outpace market
growth by a factor of 2x is overly sanguine, in our view. We believe PANW’s
past outperformance was the result of a perfect storm of tailwinds that are
now subsiding and believe the current product cycle, while technologically
compelling, remains a source of disruption for longer than many anticipate.
■ Competitive Refresh Cycle: We believe a refresh cycle is indeed coming,
but may be less impactful than many anticipate. PANW's refresh is an
opportunity that invites competition at a time when products in the category
are less differentiated than ever. Meeting Street expectations relies on
defense as much as offense for the first time in PANW’s history.
■ Structural Limitations: Cloud mania is not just an issue for firewall
companies because of a ratable revenue transition, in our view. We believe
the entire category will face pressures of disaggregation as well as an
architectural shift that relies far less on perimeter-based security.
■ Valuation: Our $125 target price is based on our DCF analysis, which
assumes an 7.3% FCF CAGR over the next 10 years. While seemingly
inexpensive on FCF multiples, adjusting for stock comp expense and long-
term deferred revenues tells a completely different story. If we instead
consider simple P/E (CY2018), PANW trades at ~40x vs. CHKP at ~20x and
FTNT at ~35x. Upside risks to our target price include better unattached
subscription growth including cloud/virtual and endpoint adoption and a more
powerful refresh cycle.
Share price performance
On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55
Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$145.18
Quarterly EPS Q1 Q2 Q3 Q4 2017A 0.55 0.63 0.61 0.92 2018E 0.68 0.80 0.84 1.00 2019E 0.88 0.99 0.97 1.25
Financial and valuation metrics
Year 7/16A 7/17A 7/18E 7/19E NON-GAAP EPS (CS adj., ) 1.89 2.71 3.29 4.09 Prev. EPS (CS adj., US$) P/E (CS adj.) (x) 77.5 54.1 44.6 35.9 P/E rel. (CS adj., %) - 256 234 209 Revenue (US$ m) 1,379 1,762 2,129 2,485 Non-GAAP Operating Income (US$ m)
271 355 451 570 Net Debt (US$ m) -1,438 -1,640 -2,029 -2,531 Unlevered Free Cash Flow (US$)
610 732 844 958 P/uFCF (x) 24.1 20.0 17.4 15.3
Number of shares (m) 91.82 Price/Sales (x) 7.66 Net debt (Next Qtr., US$ m) -1,692.6 Dividend (current, US$) - Dividend yield (%) - Source: Company data, Thomson Reuters, Credit Suisse estimates
5 September 2017
Cybersecurity 98
Palo Alto Networks, Inc. (PANW)
Price (01 Sep 2017): US$146.67; Rating: UNDERPERFORM; Target Price: US$125.00; Analyst: Brad Zelnick
Income Statement 7/16A 7/17A 7/18E 7/19E
Revenue (US$ m) 1,378.5 1,761.6 2,129.0 2,484.6 EBITDA 313.6 414.5 520.3 651.3 Operating profit 270.8 354.7 451.2 569.8 Recurring profit 278.8 367.3 463.8 586.5
Cash Flow 7/16A 7/17A 7/18E 7/19E
Cash flow from operations 659 871 922 1,056 CAPEX (73) (163) (100) (120) Free cashflow to the firm 586 708 822 936 Cash flow from investments (339) (473) (149) (132) Net share issue(/repurchase) 45 (365) (385) (385) Dividends paid 0 0 0 0 Issuance (retirement) of debt 0 0 0 0 Other (255) 189 2 (37) Cashflow from financing activities (209) (176) (383) (422) Effect of exchange rates 0 0 0 0 Changes in Net Cash/Debt 110 201 390 501 Net debt at end (1,438) (1,640) (2,029) (2,531)
Balance Sheet ($US) 7/16A 7/17A 7/18E 7/19E
Assets Other current assets 691 800 853 893 Total current assets 1,774 1,976 2,522 3,130 Total assets 2,858 3,438 4,176 5,035 Liabilities Short-term debt 0 0 0 0 Total current liabilities 847 1,201 1,471 1,770 Long-term debt 0 0 0 0 Total liabilities 1,963 2,679 3,276 3,845 Shareholder equity 895 760 900 1,189 Total liabilities and equity 2,858 3,438 4,176 5,035 Net debt (1,438) (1,640) (2,029) (2,531)
Per share 7/16A 7/17A 7/18E 7/19E
No. of shares (wtd avg) 91 93 97 99 CS adj. EPS 1.89 2.71 3.29 4.09 Prev. EPS (US$) Dividend (US$) 0.00 0.00 0.00 0.00 Free cash flow per share 6.42 7.58 8.45 9.45
Earnings 7/16A 7/17A 7/18E 7/19E
Sales growth (%) 48.5 27.8 20.9 16.7 EBIT growth (%) 80.5 31.0 27.2 26.3 Net profit growth (%) 84.1 46.6 26.3 26.5 EPS growth (%) 76.1 43.4 21.3 24.2 EBIT margin (%) 19.6 20.1 21.2 22.9
Valuation 7/16A 7/17A 7/18E 7/19E
EV/Sales (x) 8.73 6.71 5.37 4.40 EV/EBIT (x) 44.4 33.3 25.4 19.2 P/E (x) 77.5 54.1 44.6 35.9
Quarterly EPS Q1 Q2 Q3 Q4 2017A 0.55 0.63 0.61 0.92 2018E 0.68 0.80 0.84 1.00 2019E 0.88 0.99 0.97 1.25
Company Background
Palo Alto Networks is a leading provider of enterprise security. Core expertise in advanced firewalls that have advanced granular control over activity based on application and on user context have been extended to a platform NGFW approach.
Blue/Grey Sky Scenario
Our Blue Sky Scenario (US$) 168.00
Our Blue Sky scenario assumes a strong refresh cycle and upgrades driven by recent software innovation as well as continued success in growing the attached and non-attached subscription businesses.
Our Grey Sky Scenario (US$) 113.00
Our Grey sky scenario assumes high levels of competition on the refresh, in addition to pricing challenges and demand pauses against a backdrop of declining firewall relevance.
Share price performance
On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55
Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$145.18
Source: Company data, Thomson Reuters, Credit Suisse estimates
5 September 2017
Cybersecurity 99
PANW: Our Take on the Key Debates
Initiating Coverage with Underperform Rating and $125 Target Price
Despite being one of the most disruptive innovators of the security industry, we believe
investors are overly optimistic regarding Palo Alto Networks’ ability to sustain above-
market top-line growth rates. We believe this is a great company with great management
but not a great stock at current levels.
Key Debates:
■ How Long Can PANW Outgrow the Market? At present, consensus expectations call for
PANW to outgrow the firewall market by a factor of 2x. Can this be sustained at scale?
■ How Big of a Growth Driver Can Subscription & Support Be? With a compelling
platform strategy, subscription is an important revenue driver. As share gains contribute
less at scale, how large is the attached and unattached subscription opportunity?
■ How Material Is the Refresh Opportunity? Management guidance and model
mechanics point toward a refresh opportunity in 2H17 and FY18. We think sizing this
opportunity is an important debate for investors.
Our Takes:
■ Growth Expectations Are Too Optimistic: Past performance isn’t an indicator of future
success. We think PANW enjoyed a perfect storm of tailwinds as it grew; now these
tailwinds are abating, or becoming headwinds. In addition, PANW appears highly exposed
to the sector headwinds (architectural and otherwise) we believe face firewall incumbents.
■ Remaining Subscription Headroom Unclear: Attached products (e.g., Global Protect,
WildFire) appear highly penetrated, but there remains headroom for unattached. However,
we think subscription is largely tied to physical box sales, and unattached is too small to
move the needle.
■ The Refresh Cycle Is Less Supportive than Some Presume: We think the refresh cycle
is potentially less of a support (20-30% vs 50% of product) than some in the market
believe and believe a bull case constructed off the refresh dynamic to be overly optimistic.
Risks to Our Takes:
■ Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity
and has showed willingness to deploy it in a transformational manner when reportedly
bidding upward of $3 billion for Tanium in fall 2015.
■ Strength and Resilience of Financial Model: The overall execution of the transition to a
subscription-based model may prove more successful than anticipated and could provide
access to the >$8 billion CLTV expansion opportunity that management estimates.
■ Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could
become a potential target for a strategic buyer seeking to consolidate the market.
Estimates:
■ Revenue and EPS: We forecast FY18E/FY19E revenue growth at 21%/17% vs the
consensus at 22%/19% and EPS of $3.29/$4.09 vs the Street at $3.30/$4.12.
■ Cash Flow: We forecast 7.3% FCF 10 year FCF CAGR through 2027E.
■ Refresh Cycle: We model a ~5.5 year refresh cycle.
Valuation: ■ DCF: Our $125 target price is based on our DCF analysis, implying 14% downside and
11x EV/uFCF (CY2019) vs CHKP at 14.5x and FTNT at 11.5x.
5 September 2017
Cybersecurity 100
Key Charts
Figure 169: PANW Benefited from a Perfect Storm of
Factors and Has Taken Substantial Market Share…
Figure 170: ...The Market Expects PANW Billings to
Continue to Outgrow Competitors and the Market …
Source: IDC, Credit Suisse Research. Source: Factset, Credit Suisse Research.
Figure 171: …However, Management Guidance
Implies Its Refresh Cycle Has Lengthened…
Figure 172: …Refresh Cycle and Rate Assumptions
Sensitivity Show Diminished Refresh Opportunity…
Source: Company Management, Credit Suisse Research. Source: Credit Suisse Research.
Figure 173: …The Tailwind from Support Is
Challenging to Increase at the Same Rate… Figure 174: …with Valuation Highest (Adj. for SBC)
Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse estimates.
0%
20%
40%
60%
80%
2002 2006 2010 2014
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper
0%
10%
20%
30%
40%
50%
60%
70%
80%
Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018
PANW CHKP FTNT
2
3
4
5
6
7
8
2013 2014 2015 2016 2017 2017
Refresh cycle guidance range
Midpoint
Refresh rate assumption (% )
80% 85% 90% 95% 100%
4.038% 40% 42% 45% 47%
4.531% 33% 35% 37% 39%
5.027% 29% 30% 32% 34%
5.523% 25% 26% 28% 29%
6.019% 21% 22% 23% 24%
6.515% 16% 17% 17% 18%
7.09% 10% 11% 11% 12%
Ave
rage
Ref
resh
(y)
30%
35%
40%
45%
50%
2008 2009 2010 2012 2013 2015 2016
FTNT PANW CHKP
14.9x12.2x 13.8x
16.4x 17.4x
37.8x
0x
10x
20x
30x
40x
CHKP FTNT PANW
EV/UFCF, NTM
EV/UFCF Adjusted for SBC, NTM
5 September 2017
Cybersecurity 101
Key Debates
■ How Long Can PANW Outgrow the Market?
Past performance is no indicator of future success. We believe the conventional logic that
Palo Alto Networks will continue to outgrow its competitors, and the market, for years to
come is overly sanguine.
Figure 175: PANW Consensus Estimates Imply it will Continue to Outgrow the
Firewall Market By a Factor of 2x...
US$ in millions, unless otherwise stated
Source: Company data, Thomson Reuters Datastream, Gartner, Credit Suisse research.
Figure 176: Company Messaging at Ignite 2016 Implies Long-Term Growth in
Excess of the Market
Source: Palo Alto Networks, Ignite 2016, Credit Suisse Research.
In our view, past outperformance of market growth is a function of a perfect storm of
positive factors, including (but not limited to):
− Surge in Industry Spending: Landmark breaches such as the Target credit card
hack (2013), Sony Pictures (2014), Ashley Madison (2015), and the Office of
Personnel Management (2015) drove a broad-based enterprise re-evaluation of
security posture. The benefits of the resulting increase in spending and accelerated
refresh accrued disproportionately, we think, to Palo Alto.
− Disruptive Message and Products: PANW got its proverbial foot in the door at
many enterprises due to the truly disruptive nature of its granular application control
capabilities. It then proceeded to expand its landing with an inspired platform vision,
very effectively messaged through the enticing narrative of Next-Generation
Firewall (NGFW) and single-pass architecture.
$9bn
$11bn$12bn
$12bn$13bn
0%
20%
40%
60%
$bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
$14bn
2016 2017E 2018E 2019E 2020E
PANW Revenue PANW y/y change (%) Firewall Market (Gartner)
Revenue growth >30%
High growth
20% - 30%
Growth
>Market
Long Term
5 September 2017
Cybersecurity 102
− Share Donation: As we have discussed at length, weak product offerings from
Juniper and Cisco left swathes of exposed brownfield opportunity. In addition, other
more competitive vendors (CHKP and FTNT) lacked the platform vision that PANW
leveraged to its success.
− Size Benefits: Small scale translated into a greater degree of nimbleness than the
large incumbents and endowed PANW with an ability to drive growth via expansion
into new channels, geographies, and product categories.
− Recurring Revenue Growth: PANW has been the ultimate aggregation play in
network security and security software more broadly. The consolidation of multiple
adjacencies into a single-platform approach created extraordinary value for
customers and generated shareholder value by propelling an ever increasing and
highly recurring subscription and support stream.
Figure 177: Palo Alto Networks Has Outgrown the Market and Taken Substantial
Share Since Its Entry in Late 2009
Revenue market share, Firewall and UTM,
Source: IDC, Credit Suisse Research.
We expect the majority of these tailwinds are now subsiding. Taking each in turn:
− Industry Spending: We still consider security spend to be an area of secular
growth, but while in 2014-15 accelerating spend coalesced around the network, we
now perceive the focus to be shifting toward areas more relevant in a cloud-first
architecture: identity, cloud based proxy, micro segmentation, etc.
− Product Convergence: While Palo Alto appliances remain undeniably of
exceptional quality, the competitive gap has materially closed in recent years.
Anecdotal evidence from our field conversations reflects the convergence evident
on Gartner's magic quadrant. Gartner’s statement that 'all vendors [now have]…
NGFWs… in essence there is no longer a 'next generation' in the firewall market'
(Enterprise Network Firewall Magic Quadrant 2017, Gartner) tempers the gravitas
of PANW's NGFW distinction.
0%
10%
20%
30%
40%
50%
60%
70%
80%
2002 2004 2006 2008 2010 2012 2014 2016
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper
5 September 2017
Cybersecurity 103
Figure 178: PANW Remains an Unequivocal Leader, but Has Lost Some
Momentum While Others Have Gained
Estimated based on 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Magic Quadrants
Source: Gartner, Credit Suisse Research.
− Share Donation Reversal: Instead of easy brownfield wins, Palo Alto now faces its
first refresh cycle at scale as defender, not aggressor. We think this defense is
going to be made more challenging as a result of (1) product convergence, (2)
Cisco's focus on competing for share, and (3) execution risk inherent in PANW
weathering its first refresh cycle.
− Victim of Success: Each year PANW grows in scale, the more difficult it becomes
to maintain the same growth in the next. Now that Palo is greater in scale than any
of its pure-play peers, second only to Cisco, we believe that to maintain 20%-plus
growth, competitive share gain as a vehicle is limited; it requires PANW to grow the
category itself.
− How Much Attach Headroom Is Left? PANW has been extraordinarily successful
at growing the subscription and support segment of its business. Although partly a
function of an upward trend in support rate, it is primarily driven by subscription
attach. The addition of unattached subscriptions (Traps, AutoFocus, Aperture, and
VM-Series) in particular drove combined services as a percentage of thru-refresh
cycle (5y trailing) product from sub-40% in 2012 to just under 52% as of the last
print. We applaud its success here but wonder how much headroom remains.
PANW
5 September 2017
Cybersecurity 104
Figure 179: PANW Has Two Options to Continue to
Outgrow the Market: Take Share, or Grow the Market
Figure 180: PANW Has Attached more Rapidly and
to a Greater Extent than Competitors
2017E revenue (CSCO and FTNT are Security revenue), y/y growth 5 year through cycle attach rates. Annualized subscription and support as a percentage of 5 year trailing product
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Ultimately, given some of the tailwinds that have helped Palo Alto Networks achieve such
extraordinary success appear to be abating, or have already turned, we find ourselves
somewhat more cautious on PANW's ability to meet growth expectations.
■ To What Extent Will the Refresh Cycle Be a Tailwind?
It has long been a cornerstone of the PANW bull case that a refresh cycle is nigh. Upon
arrival, the refresh will bring many positives, particularly less dependence on net new
business to drive product growth and up-sell opportunities on the refresh sale.
Contrary to conventional refresh cycle wisdom, we perceive risk to the construction of a
bull case upon an unequivocally positive view of the internal refresh opportunity. Not only
do we contend a refresh cycle doesn't de-risk the product revenue line as much as the
market might think, but also we see several other question marks:
− Trade-Down Effect: Refresh cycle bulls assume PANW customers will renew,
upgrade, and attach at high rates; in the context of other factors, we think there is
risk to these assumptions.
− Competition: Palo's refresh is Cisco's opportunity; it has said as much, and we
think its scale now means meeting Street expectations relies upon defense as
much as offense for the first time in PANW's history.
− Execution Risk: This represents PANW's first refresh, and thus requires a different
playbook. Despite our confidence in the execution ability of an exceptional
management team, we perceive a level of residual execution risk as PANW enters
this refresh.
The Refresh of Yore Cycle Is Nigh…
Management has communicated strongly that it expects a refresh cycle affecting H2 fiscal
2017 and FY2018. CFO Steffen Tomlinson said in late 2016 '… we look at the refresh
cycles that are intended to happen in the second half of the fiscal year', adding in June
2017 that '… into '18 the refresh would be building in significance and momentum.'
We recognize there is some history around refresh cycle anticipation; in late 2013, CEO
Mark McLaughlin explained that although it's hard to come by hard data 'around the
$2.3bn
$1.9bn $1.9bn
$1.5bn
$0.3bn
5%
23%
8%
17%
-10%-15%
0%
15%
30%
45%
60%
-500
0
500
1,000
1,500
2,000
2,500
CSCO PANW CHKP FTNT JNPR
CY17 Revenues
Growth
30%
35%
40%
45%
50%
2008 2009 2010 2012 2013 2015 2016
FTNT PANW CHKP
5 September 2017
Cybersecurity 105
refresh cycles [he'd] heard a number of anecdotal points that [suggested] a big refresh
cycle … in the next 12 to 15 months.' He went on to justify this from a pipeline perspective:
‘We think we can see that from what we're seeing from a pipeline perspective, close rates.
I mean, it all points that direction that there is a big refresh cycle in front of us.’
– Mark D. McLaughlin, CEO, November 25th 2013
While investors have before been disappointed by guided refresh cycles failing to
materialize, this time we recognize may be different. There is an organic mechanical
element given the sheer size of Palo's FY2010-13 cohort (~12,000 net customer additions).
In addition, there is also an inorganic inducement element given Palo's February launch of
PAN-OS v.8.0 (with 70 new features), three new virtual firewalls, and new hardware
products across the performance spectrum.
It Appears the Refresh Cycle Has Lengthened
Management and market understanding of the PANW refresh dynamic's shape and
cadence have proved elusive in the past. It seems apparent to us that early cohorts of
Palo customers have not refreshed quite as rapidly as initially expected. When we
aggregate senior management commentary around the expected refresh cycle, duration
has both lengthened and widened.
CEO Mr. McLaughlin described a typical refresh cycle as between three and four years in
late 2013, implying a mid-point of 3.5 years. Progressive increases were communicated by
various executives before settling on a floor of four years (the same as the 2013 ceiling
assumption) and a ceiling of seven years, implying a mid-point around 5.5 years. We
illustrate the progression in Figure 181 and Figure 182.
Figure 181: Analysis of Palo Alto Networks
Executive's Commentary Around Refresh Cycles…
Figure 182: … Suggests Their View of Refresh Cycle
Duration Has Lengthened Significantly
Source: Thomson Reuters Eikon, Credit Suisse Research. Source: Thomson Reuters Eikon, Credit Suisse Research.
'…firewall … is characterized by first of all, a refresh cycle that is three to five years.'
- René Bonvanie, Chief Marketing Officer, March 21st 2013
'…It's hard to be mathematically exact in this, but a number of sources of the refresh that
comes up every three or four years, really big ones. We think we're at the beginning of
one of those.'
– Mark D. McLaughlin, CEO, November 25th 2013
'…if you think about the history of the Company and size or magnitude of the revenue
base of the Company and a refresh cycle generally being three to five years'
- Mark D. McLaughlin, CEO, February 24th 2014
Name Position Date Floor Ceiling
René Bonvanie CMO Mar 2013 3 5
Mark D. McLaughlin CEO Nov 2013 3 4
Mark D. McLaughlin CEO Feb 2014 3 5
Mark D. McLaughlin CEO Mar 2015 4 5
Steffan C. Tomlinson CFO May 2015 4 5
Kelsey D. Turcotte VP IR Jun 2015 3 5
René Bonvanie CMO Apr 2016 4 7
Mark D. McLaughlin CEO Nov 2016 4 6
Kathy Bonanno VP Finance Jan 2017 4 7
Mark D. McLaughlin CEO May 2017 4 7
Steffan C. Tomlinson CFO Jun 2017 4 7
Refresh cycle commentary Years
2
3
4
5
6
7
8
2013 2014 2015 2016 2017 2017
Refresh cycle guidance range
Midpoint
Illustrative
5 September 2017
Cybersecurity 106
'Refreshes generally occur [every] 4 or 5 years'. I think there was a lag on that on what
should have been the most recent refresh cycle because of the 2008 recession.'
- Mark D. McLaughlin, CEO, March 4th 2015
'… We are seeing our own customers starting to refresh in the earlier cohorts. And that's
not surprising given four- to five-year refresh cycles.'
– Steffan Tomlinson, CFO, 27th May 2015
'Firewall typically has a useful life of anywhere three, four, five years. And so that's
where this concept of refresh comes in.
- Kelsey Turcotte, VP Investor Relations, June 3rd
2015
'Device refresh occurs somewhere, in the security business, occurs somewhere between
four and seven years.'
– René Bonvanie, Chief Marketing Officer, April 4th 2016
'…It's a little hard to call those, but generally four to six years, but that seems to be the
case still.'
- Mark D. McLaughlin, CEO, November 21st 2016
'… refresh cycle being between four years to seven years with a sort of bell curve
peaking around, let's call it 5.5 years.'
- Kathy Bonanno, SVP Finance, January 10th 2017 1/10/2017
'…if you think of like 4-to 7-year average refresh cycle, somewhere in there, the big, big,
big part of our customer base is going to be in refresh cycles … we think that that's
something that should provide a tailwind for us in the go forward.
– Mark D. McLaughlin, CEO, May 31st 2017
'…customers typically run firewalls for 4-7 years kind of range, so that FY'09-FY'13
cohort is ripe for refresh … well over 10,000 customers)'
- Steffan Tomlinson, CFO, June 6th 2017
Figure 183: PANW Now Suggests an Average 5.5-Year Refresh Cycle
Source: Company data, Credit Suisse estimates.
This Refresh Is Real
Assuming this 5.5-year refresh rate, and a (potentially conservative) 90% dollar renewal
rate on replacement hardware, we illustrate the mechanical nature of refresh in Figure 184.
LIFESPAN7 years4 years
Implies 5.5-year average
refresh cycle
5 September 2017
Cybersecurity 107
Figure 184: Assuming a 5.5-Year Refresh Rate and 90% Renewal Rate, We Can
See the Rising Impact of Refresh Product as a Percentage of the Product Line
Refreshed product as a % of our total product estimates (assuming 5.5 year refresh rate and 90% renewal rate)
Source: Palo Alto Networks, Credit Suisse Research, Credit Suisse Estimates.
Many argue, with good reason, this dynamic acts to support the product line, especially in
instances where customers can be upsold. Mechanically, the larger and larger cohorts of
2009-2013 become evident in the back half of FY17 and into FY18.
If we subtract our renewed product calculation from total product revenue to arrive at a
new product estimate, it becomes clear that consensus expectations for incremental
product are very low. This, it has been argued, is a reason to own the stock (i.e., greater
refreshing product supports product revenue, meaning new product estimates are handily
achievable). While we remain cognizant of the argument, we would argue that refresh isn’t
necessarily the support many assume.
Figure 185: Our (Somewhat Crude) Calculation of New-Product Shows
Expectations for Incremental Business are Low
New product (using consensus and assuming 5 year refresh rate and 90% renewal rate) y/y growth, %
Source: Palo Alto Networks, Credit Suisse Research, Credit Suisse Estimates.
From a mechanical perspective, the risk to refresh revenue being a true support is two-fold.
Either the refresh cycle continues to lengthen (that is, Figure 183 exhibits greater negative
skewness), or alternatively the dollar refresh rate is lower than we model.
16%
23%25%
28%
25%
31% 32%
38%
31%
2% 3% 4%5%
6% 7% 8%9%
12%
16%
23%
0%
5%
10%
15%
20%
25%
30%
35%
40%
2014 2015 2016 2017 2018
Estimated Reported
-20%
-10%
0%
10%
20%
30%
40%
50%
60%
2013 2014 2015 2016 2017 2018
Forecast New Product, y/y, %
5 September 2017
Cybersecurity 108
Figure 186: Positive vs Negative Skewness
Source: Credit Suisse research.
We are concerned the refresh cycle could lengthen due to:
− Execution Risk: Already Palo Alto Networks has experienced some level of
refresh pause due to the introduction of mandatory PAN-OS 8.0, a brand new OS
release, on all new product shipped. Large enterprises will typically wait to adopt a
new major release until a version X.1 or X.2. While bulls argue this is simply a
speed bump and that the new lineup will drive customers to refresh, we are
concerned this exemplifies the execution risk of PANW facing its first refresh at
scale.
− Trade-Down Effect: PANW products are of the utmost quality, and one of the
reasons for the increasing refresh length may be greater-than-expected product life.
A corollary of the trade-down effect we discuss below, we posit whether this has the
potential to result in continued cycle-lengthening. The disclosure in mid-2016 that
the '2009 cohort was 65% refreshed and there was dollar increase' (René Bonvanie,
Chief Marketing Officer, April 4th 2016) implies a long refresh tail.
− Architectural Shifts Delaying Decision-Making: We have noted management at
Fortinet cite service provider cloud transitions as creating a demand pause as
decisions are delayed by architectural discussions. We recognize PANW’s lower
relative exposure to the carrier market, but should this become a broader trend, we
believe it could result in further refresh lengthening.
'…the AWS/Azure piece is growing fast. And also, the traditional service provider also
starting consider offer the cloud solution now. So that may delay some of their decision
whether what kind of an architecture or infrastructure they may moving forward….'
– Ken Xie, Fortinet Chairman CEO
We are concerned dollar renewal could not be as strong as expectations:
− Competition: Cisco has explicitly stated it intends to take share from PANW upon
the refresh opportunity. We doubt it is the only incumbent who has lost share to
PANW since 2009 to have this view, and therefore expect PANW to face intense
refresh competition. This could be a headwind to customer renewals if competitors
succeed in their share attrition intentions. Given our view on trends toward product
parity, we consider this to be a greater risk than we perceive are built into the
Street's renewal assumptions.
− Execution Risk: The sales effort to defend against competitive refresh bids is not
only expensive but requires a different playbook. We believe this creates some
level of execution risk in customer retention and up-sell/cross-sell relative to a more
mature competitor, seasoned in retentive sales tactics.
5 September 2017
Cybersecurity 109
− Trade-Down Effect: Check Point is well known to have experienced a trade-down
effect in 2012 following a major product line revamp in late 2011. In the revamp, it
had tripled the performance of its boxes but left pricing comparable. This led a
portion of customers to choose lower price boxes rather than renew like-for-like.
‘the trade-down effect … because we introduced boxes at the same price level, but with 3
times the performance around this time last year. What that led to was a combination of
that macro environment, the increasing strength of the dollar on the FX side, leading to
shrinking budgets, which has resulted in folks, instead of buying the same level of box
trading down to something that was 2 times the power than the 3 times that we had
anticipated, or hoped for.’
– Kip Meintzer, VP IR, 11/07/2012
To quantify the potential impact of greater-than-expected risk to refresh rate and cycle
length, we have stress tested our model's assumptions below. We believe PANW bulls are
underwriting a scenario that assumes 40-50% of fiscal year 2018 product revenue derives
from refresh. We believe this is ambitious, as it implies a higher dollar refresh rate, shorter
average refresh cycle length, or combination of both. Every percentage point of
consensus product revenue growth not accounted for by refreshing boxes is a point of net
new product sale that must be captured.
Figure 187: If We Flex Refresh Cycle and Rate Assumptions, the New Product
Support/Tailwind from Refresh Reduces Dramatically
Percentage of FY18E new product accounted for by refreshed product
Source: Palo Alto Networks, Credit Suisse Research.
■ Services SaaS Transition as Growth Driver 2.0?
Linked but distinct, we consider the final over-arching debate in the stock to be around the
extent to which subscription growth can mature into a convincing growth engine. Palo Alto
Networks offers four attached (Wildfire, URL filtering, Threat prevention, and Global
Connect) and five unattached (Aperture, VM-Series, AutoFocus, Traps, and LightCyber)
subscription options.
Refresh rate assumption (% )
80% 85% 90% 95% 100%
4.0 36% 39% 41% 43% 45%
4.5 30% 32% 34% 36% 38%
5.0 26% 28% 29% 31% 33%
5.5 22% 24% 25% 27% 28%
6.0 19% 20% 21% 22% 23%
6.5 14% 15% 16% 17% 18%
7.0 9% 10% 10% 11% 11%Ave
rage
Ref
resh
(y)
5 September 2017
Cybersecurity 110
Figure 188: PANW Product, Subscription, and Support Revenue Breakdown
Source: Palo Alto Networks, Credit Suisse Research.
Figure 189: Palo Alto Networks' Platform Offering
Offers Attached and Unattached Subscriptions…
Figure 190: … Penetration Rates Would Imply There
Remains Expansion Opportunity
Orange represents attached, blue represents unattached subscription options
Penetration rates in customer base for PANW subscriptions
Source: Palo Alto Networks, Ignite 2016. Source: Palo Alto Networks, Credit Suisse Research.
It is argued that as penetration rates of these subscriptions (particularly the unattached)
increase, there exists an >$8bn install base expansion opportunity.
Figure 191: PANW's Assessment of Its CLTV Customer Expansion Opportunity
CLTV install base expansion opportunity. Upside CLTV equals the potential value of future orders from existing install base, assuming all customers acquired between 2010 and 2015 eventually purchase 11.8x the value of their initial purchase, less their total purchases through 2015
Source: Palo Alto Networks, Credit Suisse Research.
Hardware PerpetualAttached
subscriptions
Non-attached
subscriptionsSupport
Threat Prevention Traps
URL Filtering VM-Series Support
Appliances Panorama GlobalProtect AutoFocus Professional Services
Accessories VM-Series WildFire Aperture
LightCyber*
Product Recurring subscription and support revenue
Renewals
Aperture
WildFire
Threat Prevention
URL Filtering
VM-Series
AutoFocus Traps
GlobalProtect
0%
25%
50%
75%
100%
Traps VM GlobalProtect
WildFire URLFiltering
ThreatPrevention
Q2FY15 Q2FY16 Q4FY17
8.67.2
4.2 2.71.9 1.3
11.89.3
5.6
3.73
2.11.3
FY09 FY10 FY11 FY12 FY13 FY14 FY15
FY15 FY14
>$8bn opportunity
5 September 2017
Cybersecurity 111
We understand the attraction of SaaS-esque revenue streams; mix-shifting toward
subscription results in better gross margins, better operating margins, and stronger free
cash flow generation.
Figure 192: Palo Has Increased Its Attach per
Device to 2.6, Although This Loses Some Relevance
Given Unattached Subscriptions
Figure 193: Therefore We Prefer to Look at Services
Attach Through the Refresh Cycle, Which PANW
Has Grown Ahead of Competitors
PANW reported attach per device, disclosed biannually (excludes unattached subscriptions)
5 year through cycle attach rates
Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse Research.
Given the above, we understand the expectations around unattached subscription growth,
which has the potential to be gross margin positive. As we show in Figure 194, the mix-
shift toward subscription has been helpful in bringing up the GM from ~73% to 78% from
FY12 to FY15. We also note that in the short term, the mix-shift affects the operating
margin basis, as commissions are recognized earlier but over the long run are
incrementally beneficial. We note further room to grow these margins as the unattached
subscriptions increase their portion of revenue mix.
Figure 194: Mix Shift Driving GM Improvement… Figure 195: ..as Well as Operating Margin
Gross Margin improvement driven by mix shift Mix shift depressing near term margins, but net positive over time
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Despite this, we assert that PANW is still a box-driven business, where subscription and
support upsell is only possible with continued product growth, while unattached
subscription revenue remains very small ($100mn run rate as of 1Q17).
1.51.6
1.7
1.9
2.12.2 2.2
2.3
2.6 2.6
1.3
1.6
1.9
2.2
2.5
2.8
2012 2013 2014 2015 2016
Subscriptions per device
30%
35%
40%
45%
50%
2008 2009 2010 2012 2013 2015 2016
FTNT PANW CHKP
72.7%
77.7%
70%
75%
80%
FY12 FY15
Gross Margin (%)
Services Billings Revenue Commission
Revenue to be recognized in future quarters
5 September 2017
Cybersecurity 112
" So those 4 nonattached subscription services as of our fiscal Q2 are north of $100
million run rate in terms of what we call billings and growing at triple digits, and we
plan on updating those metrics semiannually."
– Steffan C. Tomlinson, CFO, 06 June 2017
We also emphasize that PANW has saturated most options with regard to the
subscriptions it can add to its box and leverage its platform. This, in turn, indicates that it
will have limited opportunities in expanding PANW's TAM.
5 September 2017
Cybersecurity 113
Supports for Our Thesis
Company Negatives
■ Substantial Exposure to Sector Risks
We rank Palo Alto as more exposed to sector risks than Check Point but slightly less than
Fortinet. Areas of specific concern for PANW are the potential for increasing competition
from Cisco and the decreasing brownfield opportunity.
Figure 196: Relative Exposure to Sector Risks
Source: Credit Suisse Research.
■ Valuation – Expensive
While on traditional EV/uFCF, PANW appears inexpensive, this multiple is flattered by
both its billings duration and stock-based compensation. Indeed, when we adjust for these
factors, PANW begins to look expensive, even on a growth-adjusted basis.
Figure 197: Valuation Matrix
Source: Company data, Credit Suisse estimates.
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕Cisco increasingly competitive ○ ◕ ◑Juniper has little share left to give ○ ● ◔Cloud transitionary headwinds ◔ ◑ ◑TAM expansion ◑ ◑ ●Competition in the mid market ◑ ○ ●Carrier Exposure ◔ ◑ ●Total ◔ ◑ ◕
Who is best equipped to deal with…
Absolute Valuation Analysis
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x
EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x
EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x
EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x
Income Statement Multiples
EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x
EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x
Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x
GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x
EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x
CHKP PANW FTNT
5 September 2017
Cybersecurity 114
■ Stock-Based Compensation Is High
Palo Alto Network has high levels of stock-based compensation in absolute terms as well
as relative to peers. We note that on a percentage of revenue basis, PANW's stock--based
compensation is over one-third of revenues, while the peer group average is just ~10%.
Figure 198: PANW Stock-Based Compensation Much Higher than Peers
Stock Based Compensation/Revenue, LFY, %
Source: Thomson Reuters Datastream.
We emphasize that high levels of stock-based compensation are not just dilutive to
investors but that they also negatively affect the economic return produced by the
company. In Figure 199, we illustrate this point using CFROI®, (a proxy for the company’s
economic return. (Refer to Appendix I for more details about the CFROI metric.) We show
the spread between PANW's CFROI including and excluding stock-based compensation
substantially reduces returns on capital.
Figure 199: Including and Excluding Stock-Based
Compensation PANW's CFROI…
Figure 200: … Pales in Comparison with Check
Point, with Returns Around 20%
Palo Alto Networks HOLT CFROI profile Check Point HOLT CFROI profile
Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
■ Is There a Residual Go-to-Market Issue Aside from Refresh Pause?
29%
11%10%
5% 5% 4% 3%
0%
10%
20%
30%
Palo Alto Symantec Fortinet Check Point Juniper Oracle Cisco
SBC as % of Revenues
Average
(5 )
0
5
10
15
20
25
2007 2009 2011 2013 2015 2017
CFROI
Forecast CFROI
CFROI adjusted to exclude SBC
(5 )
0
5
10
15
20
25
2007 2009 2011 2013 2015 2017
CFROI Forecast CFROI CFROI adjusted to exclude SBC
5 September 2017
Cybersecurity 115
PANW has retooled its sales strategy after a disappointing miss earlier in the year. We
believe that PANW is struggling with its go-to-market strategy and that, while the company
is spending increasing amounts of money on sales & marketing, the efficiency of that
spend in terms of attracting new business is trending downward, as highlighted in Figure
201. At the same time, we find that job posting trends suggest continued spending. (See
Figure 203.) We note here that that the company already trails the peer average for
revenues per employee and that continued headcount increase will continue to pressure
this down.
Figure 201: Despite Ticking Up Recently, S&M
Efficiency Has Trended Down…
Figure 202: …While Revenue per Employee Already
Below Peer Group Average
Product/ Sales & Marketing and New business / Sales & Marketing Revenue/Employees, LFY, $
Source: Company data, Credit Suisse estimates. Source: Thomson Eikon.
Figure 203: Matching Job Posting Trend for Palo
Alto Networks Rising...
Figure 204: ...While Job Seeker Interest Also in
Uptrend
Palo Alto Job posting matches indicates recent uptick Palo Alto Job seeker interest has also rebounded
Source: Indeed. Source: Indeed.
50%
60%
70%
80%
90%
100%
110%
120%
1Q15 1Q16 1Q17
New business/S&M
Product/S&M
$0k
$200k
$400k
$600k
$800k
Cisco Juniper CheckPoint
Palo Alto Symantec Oracle Fortinet
Revenue per Employee ($ k)
Average
0.000%
0.010%
0.020%
0.030%
0.040%
0.050%
0.060%
2014 2015 2016 2017
Job Postings
0.00000%
0.00010%
0.00020%
0.00030%
0.00040%
0.00050%
0.00060%
0.00070%
2014 2015 2016 2017
Jobseeker Interest
5 September 2017
Cybersecurity 116
■ Expectations Remain the Highest
Ultimately, billings expectations remain the highest for PANW relative to CHKP and FTNT.
As we have discussed, in the face of structural industry challenges alongside numerous
idiosyncratic risks (as discussed in the ‘Can PANW continue to outgrow the market’
debate), we (perhaps crudely) believe the asset with the highest inbuilt expectations to be
most at risk.
Figure 205: PANW Has Overtaken Its Competitors
on a Billings Basis…
Figure 206: … While Consensus Builds in a Billings
Recovery Through 2018
Billings (Revenue + Δ Deferred Revenue), $m, 4Q rolling average Billings (Revenue + Δ Deferred Revenue), y/y, %
Source: FactSet, Company data, Credit Suisse estimates. Source: FactSet, Company data, Credit Suisse estimates.
We also analyze expectations for PANW in terms of billings and note that, while PANW
has already overtaken its rivals in billings (absolute $ amounts, 4Q rolling average), the
consensus estimates indicate a recovery and re-acceleration (well ahead of the market
growth rate).
0
500
1,000
1,500
2,000
2,500
3,000
3,500
Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018
PANW CHKP FTNT
0%
10%
20%
30%
40%
50%
60%
70%
80%
Dec 2012 May 2014 Sep 2015 Feb 2017 Jun 2018
PANW CHKP FTNT
5 September 2017
Cybersecurity 117
Risks to Our Thesis
Company Positives
■ Significant Balance Sheet Capacity and Willingness to Use It
While we estimate PANW to have just over half the firepower of CHKP to be used for M&A,
we believe both companies have a very measured track record and propensity to make
smaller, tuck-in acquisitions. Cumulatively, PANW has used approximately $300 million in
acquiring companies, the largest of which was the most recent deal to buy LightCyber for
$105 million. The measured, disciplined approach is somewhat understandable given what
have been lofty valuations in security for the past several years, although we believe that
is changing given what some suggest are as many as 3,000 cybersecurity companies in
the world today.
About a year ago, a CRN magazine article suggested PANW had unsuccessfully bid over
$3 billion for Tanium in fall 2015. Assuming this is true, it would seem to suggest a need
to acquire something transformative, which aligns with our view of the company’s
opportunity more generally. We can envision several private companies strategically
aligning with PANW and are open-minded to changing our view on the stock should that
eventuality occur.
Figure 207: We Estimate PANW Has ~$5bn of
Balance Sheet Capacity…
Figure 208: … This Is Substantially Less than CHKP
but Still Represents Significant Capacity
Assuming 3x leverage, Total capacity for M&A Potential Balance Sheet Capacity for M&A
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
■ Phenomenal Innovator and Category Creator
Without any doubt, PANW should be applauded as key innovator and the creator of the
NGFW category. PANW entered the market with true product and technology
differentiation. Of particular note, we think, was the tripartite identification technologies at
the core of PANW's NGFW:
− App-ID: Identification techniques that can classify all traffic, on all ports, at all
times, irrespective of protocol, encryption, or evasive tactics.
− User-ID: Integrates the platform with a variety of enterprise user directories (Active
Directory, Exchange, ZENworks, etc.) as opposed to only IP addresses.
Firepower analysis CHKP PANW FTNT
Earnings, NTM basis
EBITDA 1,083 409 257
Δ Deferred Revenue 178 397 234
Cash EBITDA 1,261 805 491
Deal related accretion (15% return) 774 460 365
Theoretical lending EBITDA 2,035 1,265 855
Cash, Next quarter
Liquid cash & investments* 1,380 1,170 959
Cash & investments 3,588 1,889 1,217
Theoretical debt capacity (3x)** 6,106 3,278 2,566
Liquid firepower 7,486 4,448 3,526
Total firepower 9,694 5,167 3,783
*Cash and ST investments adjusted for offshore cash (20% repatriation assumption)
and 10% of NTM revenue
** 3x theoretical lending EBITDA excluding outstanding debt
$9.9bn
$5.4bn
$4.0bn
$0bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
CHKP PANW FTNT
5 September 2017
Cybersecurity 118
− Content-ID: Combines a real-time threat prevention engine with cloud-based
analytics and a comprehensive URL categorization database to block a variety of
threats.
Figure 209: Core Identification Technologies
Source: Palo Alto Networks.
■ Single-Pass Architecture
Palo Alto also utilizes a single-pass architecture in its design framework for its NGFWs.
The single-pass parallel processing (SP3) architecture reduces the latency that is
associated with daisy-chained point product solutions to perimeter security. Single-pass
architecture is comprised of two complimentary technologies:
− Single-Pass Software: Performs operations once per packet, scanning content in
a stream-based fashion, avoiding latency and enabling high throughput.
− Parallel Processing Hardware: Separates the data and control planes to reduce
interdependence in combination with discrete, function-specific processing at the
hardware level.
Figure 210: Single Pass… Figure 211: …with Parallel Processing Hardware
Single-pass software performs operations once per packet Hardware acceleration for each major functionality block
Source: Palo Alto Networks. Source: Palo Alto Networks, Credit Suisse Research.
While the SP3 architecture (and more specifically, single-pass software) has been a
perceived differentiator in the market, for which we give the company a lot of credit, our
view is that it’s a religious argument and not universally better than multi-pass.
Continuing Innovation with PAN-OS 8.0
Earlier in the year, Palo Alto Networks also rolled out major updates to its PAN-OS, adding
new features across its entire technology platform from upgrades for cloud security, multi-
Control Plane
Data Plane
MANAGEMENTconfiguration | logging | reporting
SIGNATURE MATCHIPS | CC# | SSN
SECURITY PROCESSINGsession setup | SSL| IPSec | Decompression
Network Processingflow control | route | ARP | MAC lookup | QoS | NAT
RAM
RAM
CPU
RAMCPU SSD
Single Pass
Report & Enforce Policy
5 September 2017
Cybersecurity 119
method threat detection, credential threat prevention, as well new hardware. We note that
the early feedback on the products has been positive and could potentially be a risk to our
thesis if it drives an upgrade cycle.
Platform Success
We also credit Palo for succeeding in consolidating multiple adjacencies and offering
attached subscription services, creating a recurring subscription and support stream. We
also note that the company has been relatively successful in upselling non-attach
subscriptions (such as Aperture, Autofocus and LightCyber) after landing the customer.
We also appreciate the vision to offer a cloud-based offering such as WildFire, as the
market is clearly moving in that direction.
"Our ability over the next 3 years to expand within that customer base, to sell, not only our
next-generation firewall with our attached subscription services but the 4
unattached subscription services led by our endpoint solution called Traps; our virtual
firewall, Aperture; AutoFocus. We're coming out with user-behavior analytics, subscription
service by an acquisition that we did with LightCyber. We're continuing to add meaningful
subscriptions to the platform"
- Steffan C. Tomlinson, CFO
On the other hand, we recognize that the company has not been wholly successful in its
strategy in offering a unified security platform with end-to-end security. We specifically
note the lukewarm response to its Advanced Endpoint protection solution, Traps. While we
believe that consolidation spurred by PANW’s early adoption of an integrated platform
strategy has so far provided significant acceleration to recurring revenue growth, we see
this as a theme that has largely played out.
■ Wonderful Go-to-Market – Land and Expand
PANW also implemented a very effective go-to-market strategy, utilizing multiple
deployment mechanisms to substantially widen the prospective customer base. Rather
than boldly attempting to take share head-to-head with well entrenched competitors,
PANW enabled prospective clients to deploy alongside an extant firewall, widening sales
opportunities to IDP, web filtering, and other refreshes.
PANW offered three different deployment methods:
(1) Firewall Replacement: Deployed as a replacement for an enterprise's extant firewall
and other point products;
(2) Transparent In-line: Deployed via virtual wire mode in-line as a transparent
compliment to the existing perimeter architecture; and,
(3) Tap Mode: Giving administrator’s network visibility without the disruption of in-line
deployment.
5 September 2017
Cybersecurity 120
Figure 212: Original Deployment Options
Source: Palo Alto Networks.
Once PANW had gained a foot inside the datacenter, it was able to both accelerate
firewall refresh cycles and upsell as customers realized the rationalization advantages of
the PANW platform. That is, it can replace other daisy-chained point solutions and lower
overall cost while increasing efficacy. The success of this land-and-expand motion is
evident not only in PANWs market share gain but also as shown in Figure 213.
Figure 213: The 2009 Cohort’s Land-and-Expand Motion
Source: Palo Alto Networks.
Superlative Marketing
Palo Alto Networks has captured as much (if not more) mind-share than it has market
share. We believe René Bonvanie, PANW's chief marketing officer, and the third most
highly compensated CMO in America in 2014 (Forbes, see here) to be integral to PANW's
mind-share gain. The disruptive messaging of ‘Next-Generation Firewall,’ with a strong,
simple narrative of single-pass architecture has proven very effective with decision-makers
and technology workers in general.
1.0x 1.2x2.0x
3.5x
5.1x6.3x
8.6x
11.8x
14.4x
Land 2009 2010 2011 2012 2013 2014 2015 2016
Renewals
Support
Subscription
Product
5 September 2017
Cybersecurity 121
Figure 214: PANW Marketing Dollars Emphasize Their Narrative...
Source: Credit Suisse Research.
As of early last year, PANW's marketing team under Mr. Bonvanie was 150 strong (8% of
total sales & marketing headcount), with 10% of his team focused on operationalizing
data-driven models. Mr. Bonvanie’s predilection with prescriptive analytics means PANW
captures data on every customer interaction it can, which includes its social media
platforms such as Twitter and Linked as well as its user community group and blog.
" …I want to talk about what it takes to drive a machine where we acquire that many
customers, where we grow our business that fast, and how we apply science, data and
relentless focus and alignment with our sales teams, with our channel partners, with our
hosting partners, to get to these results."
- Rene Bonvanie, CMO, Ignite 2016
Figure 215: Positioning to Be a Thought Leader… Figure 216: …Several Venues to Gain Mind-Share
Source: Palo Alto Networks. Source: Palo Alto Networks.
■ Large TAM
Palo Alto Networks puts its own TAM at $24bn in 2020, rising from ~$19bn currently at a
CAGR of ~8%, with most of the TAM increase coming from the network security products.
This is constructed of IDC's 2020 network security, web security, and commercial endpoint
security forecast. We note that a large TAM gives Palo Alto more room to navigate the
hurdles we lay out in our thesis, such as the shifting security model from prevention to
detection.
Founding Member
>70% more marketing events
>80% more pipeline
> 300% increase in social media
>100% more EBC visits
Blog Traffic
>5 millionUp >100% y/y Up >80% y/y
Up >200% y/y >35,000
5 September 2017
Cybersecurity 122
Figure 217: Palo Alto Sees a Rising TAM for Itself…
Source: Company data, Credit Suisse estimates.
■ Leverage in the Model
Palo Alto Networks also benefits from inherent leverage in the subscription model, as we
have discussed earlier, and as Figure 194 and Figure 195 depict.
■ Partnerships and Joint Solutions
PANW has also built up a string of partnerships to address security in a cloud-centric
world. One example would be the Palo Alto Networks and VMware partnership in which a
uniform security approach across physical, virtualized, and cloud environments can be
implemented using a joint solution.
PANW and VMWare joint solution is built on the following main components:
(1) VMware NSX platform
(2) Palo Alto Networks VM-Series (Virtual NGFW)
(3) Palo Alto Networks Panorama (Centralized Management Platform)
Figure 218: PANW and VMW Joint Security Solution for Virtualized
Datacenters…
VMware NSX and Palo Alto Networks VM-Series Integrated Solution
Source: Vmware, Credit Suisse Research.
$19.1bn TAM
$14.7bn Network,$4.4bn Endpoint
$24bn TAM
$18.8bn Network,$5.2bn Endpoint
2017 2020
Cloud AdminPanorama registers the VM-Series with NSX manager
ManagerReal-time contextual updates on VM-Series changes
Security Admin
VM-Series deployed
automatically by NSX; policies
then steer select traffic to VM-
Series for inspection
AppWeb DB
NSX vSwitch
VMware ESG
Automated licensing
policy and deployments
5 September 2017
Cybersecurity 123
VMware NSX network virtualization platform provides the network virtualization layer,
while the joint solution works to deploy the Virtual appliance over each ESXi server, with
traffic inserted into the path of the virtual security appliance. The VM-Series natively
analyzes all traffic in a single pass to determine the application identity, the content within,
and the user identity. At the same time, context is shared between VMware NSX and
Panaroma so that whenever applications are deployed and moved from server to server,
security policies can continue to be enforced and there is separation of duty between
security and virtualization administrators.
The joint solution provides several significant benefits such as:
− Visibility into East-West Traffic: Deploying the VMware and PANW joint solution
has the additional benefit of offering visibility into server-to-server traffic within the
data center (which represents 80% of overall data center traffic). NSX's native
security capability, including kernel-based distributed firewalling, enables traffic flow
between ESXi servers to be automatically steered to the Palo Alto Virtual security
appliance (VM-Series) for granular inspection based on applications, content, and
users. Unlike current network security solutions built on a perimeter-based security
model, the VMware-PANW solution gives full visibility into data center traffic flows.
− Automation: Palo Alto's security management platform (Panoroma) works with the
NSX manager to automate the deployment and provisioning of security services.
Panorama registers the virtual PANW security device (VM-Series) with the NSX
manager, which then deploys the VM-Series on every ESXi Server in automated
fashion.
− Seamless Traffic Steering: The stateful, in-kernel NSX distributed firewall steers
traffic to PANW VM-Series via NSX APIs without needing to manually make
configuration changes to virtual networking elements.
■ A Strategic Asset
We appreciate the importance and role of PANW as an innovator in the NGFW space and
note that it remains a strategic asset (with interest from large-cap companies such as
CSCO). While we believe that both PANW and CSCO have significant portfolio overlap,
we do believe that it will bring scale to CSCO's security business, helping it transition
faster toward one of its strategic areas.
“...key priority areas such as security, the Internet of Things (IoT),
collaboration, next generation data center and cloud.”
Cisco 10-Q, February 2017
“…..first priority will be strategic investments that we will make, and then, obviously,
followed with a focus on continued capital allocation and our commitment to returning
capital to shareholders. It would be a combination”
Chuck Robbins, CEO – 15th February 2017
We, however, do point out that any M&A involving PANW will be a large-sized deal and
present material integration risk (with ~4,340 employees).
5 September 2017
Cybersecurity 124
Management and Board
Management
Palo Alto has plenty of impressive figures from the cybersecurity space on its
management team. Nir Zuk, the company founder, occupies the CTO role, and Rick
Howard, the chief security officer, brings 30 years of experience with US Army cyber
intelligence to Palo Alto. In Figure 219, we present a table of key management figures.
Figure 219: PANW Management
Source: Proxy Statement, FactSet, Credit Suisse estimates.
Interestingly, PANW’s management has less experience in the C-Suite than most. Part of
this can be attributed to the extensive military careers of some of its executives. The total
management experience per executive is closer to average when compared with our
coverage universe. Given the average age of a Palo Alto executive is only 55, this makes
sense.
Name Compensation Beneficial ownership C-Suite Experience
Position Year Prior Experience
Age Joined Salary ($) Bonus ($) Stock($) Number of Value of
shares shares
Mark McLaughlin 2011 $575,000 $632,500 $4,715,436 508,864 $74,650,349 ■ Chairman and CEO, Palo Alto Networks: 2011-Present
CEO & Chairman ■ President and CEO, VERISIGN: 2009-2011
51 ■ Executive Vice President, VERISIGN: 2000-2007
■ JD: Seattle University School of Law, BS: United States Military Academy
Nir Zuk 2005 $400,000 $200,000 $25,804,377 1,958,676 $287,337,769 ■ Founder and Chief Technology Officer, Palo Alto Netoworks: 2005-2017
Founder, CTO and Director ■ Chief Technology Officer, NetScreen: 2002-2004
45 ■ Founder and Chief Technology Officer, OneSecure: 1999-2002
■ BA: Tel Aviv University
Steffan Tomlinson 2012 $400,000 $240,000 $12,902,119 115,984 $17,014,853 ■ Chief Financial Officer, Arista Networks: 2011-2012
Chief Financial Officer ■ Chief Financial Officer, Aruba Networks: 2005-2011
44 ■ Vice President, Peribit Networks: 2000-2005
■ MBA: Santa Clara University, BA: Trinity College - Hartford
Rene Bonvanie 2009 $350,000 $175,000 $10,321,723 107,136 $15,716,851 ■ Vice President, Worldwide Marketing, Palo Alto Networks: 2009-2011
Chief Marketing Officer ■ SVP Marketing, SaaS and Information Technology, Serena Software: 2007-2009
55 ■ Senior Vice President of Global Marketing, SAP AG: 2006-2007
■ BA: Vrije Universiteit Amsterdam
Mark Anderson 2012 $700,000 $420,000 $30,105,176 208,419 $30,575,067 ■ Senior Vice President, Worlwide Field Operations, Palo Alto: 2012-2016
President ■ Various Roles including Executive Vice President: F5 Networks: 2004-2012
54 ■ Executive Vice President, North American Sales, Lucent Technologies: 2003-2004
■ BA: York University, Toronto
Rick Howard 2013 NA NA NA NA NA ■ Chief Information Security Officer, TASC, Inc: 2012-2013
Chief Security Officer ■ iDefense General Manager and Intelligence Director, Verisign: 2006-2012
■ US Army Computer Emergency Response Team Chief: 2002-2004
■ MS: United States Naval Postgraduate School, BS: United States Military Academy
Lee Klarich 2006 NA NA NA 385,807 $56,597,887 ■ Executive Vice President, Palo Alto: 2006-Present
EVP, Product Management ■ Director, Product Management, Juniper Networks: 2004-2006
42 ■ Product Line Manager, NetScreen Technologies: 2000-2004
■ BS: Cornell University
5 September 2017
Cybersecurity 125
Figure 220: PANW Executives Have Less C-Suite
Experience than Most…
Figure 221: But Their Overall Experience Is Closer
to Average
Source: Proxy Statement, FactSet, Credit Suisse estimates. Source: Proxy Statement, FactSet, Credit Suisse estimates.
Board
PANW’s board is a collection of impressive industry and venture capital figures. Alumni
from Red Hat, VMware, and VeriSign make up the backbone of the directorate, and they
are joined by venture capital veterans such as Asheem Chandra of Greylock and James
Goetz of Sequoia.
0 5 10 15 20
CRM
ORCL
CHKP
VMW
ADBE
SPLK
INTU
RHT
MSFT
AKAM
FTNT
HDP
NOW
SYMC
PANWManagement C-Suite
Experience Per Executive
VP
CEO
CFO
0 5 10 15 20 25 30 35 40
AKAM
CHKP
CRM
ORCL
SPLK
MSFT
VMW
ADBE
NOW
FTNT
PANW
RHT
INTU
HDP
SYMC Board Experience Per Director
CEO/CFO
Other Executive
Relevant Industry
Other Industry
Finance
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
126
Figure 222: Palo Alto Networks (PANW) Board of Directors
Source: Proxy Statement, FactSet, Credit Suisse estimates.
Name Beneficial ownership of shares Committee memberships C-Suite Experience
Position Director Independent Other Board Prior Experience and Principal occupation
Age Since? Director? Affiliations? Number of shares Value of shares Audit Comp. Gov.
Mark McLaughlin 2011 No 0 508,864 $74,650,349 ■ Chairman and CEO, Palo Alto Networks: 2011-Present
CEO & Chairman ■ President and CEO, VERISIGN: 2009-2011
51 ■ Executive Vice President, VERISIGN: 2000-2007
■ JD: Seattle University School of Law, BS: United States Military Academy
Nir Zuk 2005 No 0 1,958,676 $287,337,769 ■ Founder and Chief Technology Officer, Palo Alto Netoworks: 2005-2017
Founder, CTO and Director ■ Chief Technology Officer, NetScreen: 2002-2004
46 ■ Founder and Chief Technology Officer, OneSecure: 1999-2002
■ BA: Tel Aviv University
Asheem Chandna 2005 Yes 8 108,223 $15,876,314 a a ■ Partner, Greylock Partners: 2003-2017
Director Chair ■ Director, Imperva: 2003-2013
53 ■ Vice President, Business Development, Check Point Software: 1996-2003
■ MS, BS: Case Western Reserve University
James Goetz 2005 Yes 11 286,259 $41,994,195 a a ■ Managing Parter, Sequoia Capital Operations: 2005-2017
Director ■ Partner, Accel Partners: 2000-2004
50 ■ Cofounder, Vital Signs: 1996-1999
■ MS: Stanford University, BS: University of Cincinnati
Frank Calderoni 2016 Yes 0 9,228 $1,353,748 a ■ President and CEO, Anaplan: 2017-Present
Director ■ Executive Vice President and CFO, Red Hat: 2015-2017
52 ■ Executive Vice President and CFO, Cisco: 2004-2015
■ MBA: Pace University, BS: Fordham University
Carl Eschenbach 2013 Yes 1 5,191 $761,520 a a ■ Partner, Sequoia Capital Operation, 2016-Present
Director ■ President and COO, Vmware: 2011-2016
49 ■ Executive Vice President of WW Field Operations
■ BA: DeVry University
Daniel Warmenhoven 2012 Yes 1 23,517 $3,449,944 a a ■ Lead Independent Director, Palo Alto Networks: 2012-Present
Director Chair ■ Chief Executive Officer, NetApp: 1994-2009
65 ■ Chairman and CEO, N.E.T: 1989-1993
■ BS: Princeton University
John Donovan 2012 Yes 0 22,598 $3,315,127 a ■ Chief Technology Officer or Chief Strategy Officer: 2012-2017
Director ■ Chief Technology Officer, AT&T: 2008-2012
56 ■ Executive Vice President, Product, Sales, and Marketing, Verisign: 2006-2008
■ MBA: University of Minnesota, BS: University of Notre Dame
Stanley Meresman 2014 Yes 4 15,504 $2,274,437 a ■ Director, Snap Inc: 2015- Present
Director Chair ■ General Partner and COO, Technology Crossover Ventures
69 ■ Senior Vice President and CFO, Silicon Graphics
■ MBA: Stanford University, BS: University of California, Berkeley
Mary Pat McCarthy 2016 Yes 2 6,480 $950,616 a ■ Director, Palo Alto Networks: 2016-Present
Director ■ Director, Tesoro: 2012-Present
61 ■ Partner, KPMG: 1977-2011
■ BS: Creighton University
5 September 2017
Cybersecurity 127
Valuation We use Discounted Cash Flows to estimate the intrinsic value for FTNT at $125/share,
representing 14% downside. This informs our Underperform Rating, and is supported by
our multiples based relative valuation work. In addition, we have constructed blue-sky and
grey-sky scenarios. The Blue Sky assumes a 2.5% terminal growth rate, and the grey
assumes 0%, reflecting our view on the outlook for the space as a whole.
Figure 223: Blue-Sky/Grey-Sky Pricing Figure 224: Blue-Sky/Grey-Sky Scenarios
Source: Company Data, Credit Suisse estimates. Source: Company Data, Credit Suisse estimates.
Target Scenario
Our base case assumes a five-year transition period with FCF growth declining smoothly
from an estimated 9% in 2021. This scenario assumes the firewall market decelerates
broadly in line with our expectations (we model a 1.5% terminal growth rate from 2027E),
and PANW experiences enhanced competition from peers through its refresh cycle.
Blue-Sky Scenario
For our blue-sky scenario, we again model a five-year transition period but drive higher
free cash growth, which assumes a strong refresh cycle and upgrades driven by recent
software innovation as well as continued success in growing the attached and non-
attached subscription businesses. Our blue-sky scenario yields a $168 warranted price,
which represents 15% upside potential.
Grey-Sky Scenario
In the grey-sky scenario, we use a five-year transition period and lower free cash flow
growth assumption. Our Grey sky scenario assumes high levels of competition on the
refresh, in addition to pricing challenges and demand pauses against a backdrop of
declining firewall relevance.
Current Price $147 23.4x FY19E uFCF (SBC adj.)
Target Price $125 -14% 19.6x FY19E uFCF (SBC adj.)
Blue Sky $168 15% 27.2x FY19E uFCF (SBC adj.)
Grey sky $113 -23% 17.4x FY19E uFCF (SBC adj.)
Our Target Price scenario assumes the firewall market decelerates broadly in line with
our expectations (we model a 1% terminal growth rate from 2027E), and PANW
experiences enhanced competition from peers through its refresh cycle.
Our Blue Sky scenario assumes a strong refresh cycle and upgrades driven by recent
software innovation as well as continued success in growing the attached and non-
attached subscription businesses.
Our Grey sky scenario assumes high levels of competition on the refresh, in addition to
pricing challenges and demand pauses against a backdrop of declining firewall
relevance.
Target Price
Current Price
Grey Sky
Blue Sky
$125
$147
$113
$168
5 September 2017
Cybersecurity 128
Figure 225: Share Price Sensitivity to Cost of Equity and UFCF Growth Rate
Source: Company data, Credit Suisse estimates.
Figure 226: PANW Valuation Matrix
Source: Company data, Credit Suisse estimates.
Share price sensitivity to cost of equity and UFCF growth rate
Unlevered Free Cash Flow FY3 growth rate
125.466 10.0% 12.5% 15.0% 17.5% 20.0% 22.5% 25.0% 27.5% 30.0%
8.0% $154 $163 $174 $185 $196 $209 $222 $235 $250
8.5% $147 $156 $165 $176 $187 $198 $210 $223 $237
9.0% $140 $149 $158 $168 $178 $189 $201 $213 $226
9.5% $135 $143 $152 $161 $171 $181 $192 $204 $216
Terminal 10.0% $130 $138 $146 $155 $165 $174 $185 $196 $207
Cost of 10.5% $126 $134 $142 $150 $159 $168 $178 $189 $200
Equity 11.0% $123 $130 $137 $145 $154 $163 $172 $182 $193
11.5% $119 $126 $133 $141 $149 $158 $167 $176 $187
12.0% $116 $123 $130 $137 $145 $153 $162 $171 $181
12.5% $113 $120 $126 $134 $141 $149 $158 $166 $176
13.0% $111 $117 $123 $130 $138 $145 $154 $162 $171
13.5% $109 $114 $121 $127 $135 $142 $150 $158 $167
14.0% $106 $112 $118 $125 $132 $139 $147 $155 $163
14.5% $104 $110 $116 $122 $129 $136 $143 $151 $160
Valuation Matrix FY2016 (A) FY2017 (A) FY2018 (E) FY2019 (E) NTM LTM
Sales $1,379 $1,762 $2,129 $2,485 2 $2,039 $1,653
EBITDA $807 $1,017 $1,233 $1,427 3 $1,162 $967
EPS $1.89 $2.71 $3.29 $4.09 4 $3.24 $2.45
CFO $659 $871 $922 $1,056 5 $911 $816
FCF $586 $708 $822 $936 6 $785 $686
UFCF $610 $732 $844 $958 7 $801 $702
EV/Sales 7.3x 5.7x 4.7x 4.1x 4.9x 6.1x
EV/EBITDA 12.5x 9.9x 8.2x 7.1x 8.7x 10.4x
P/E 77.5x 54.1x 44.6x 9.0x 11.3x 14.9x
EV/CFO 15.3x 11.6x 10.9x 9.5x 11.0x 12.3x
EV/FCF 17.2x 14.2x 12.2x 10.8x 12.8x 14.7x
EV/UFCF 16.5x 13.7x 11.9x 10.5x 12.6x 14.3x
EV/Sales 8.7x 6.8x 5.7x 4.8x 5.9x 7.3x
EV/EBITDA 14.9x 11.8x 9.8x 8.4x 10.4x 12.5x
P/E 77.5x 54.1x 44.6x 35.9x 45.2x 59.8x
EV/CFO 18.3x 13.8x 13.1x 11.4x 13.2x 14.8x
EV/FCF 20.6x 17.0x 14.7x 12.9x 15.3x 17.6x
EV/UFCF 19.8x 16.4x 14.3x 12.6x 15.0x 17.2x
y/y, % y/y, % y/y, % y/y, % 2016-2019 CAGR
Revenue 48.5% 27.8% 20.9% 16.7% 21.7%
EBITDA 41.4% 26.1% 21.2% 15.7% 21.0%
EPS 76.1% 43.4% 21.3% 24.2% 29.3%
CFO 86.7% 32.3% 5.8% 14.5% 17.0%
FCF 83.8% 20.8% 16.1% 13.8% 16.9%
UFCF 78.6% 20.2% 15.2% 13.5% 16.3%
Esti
ma
tes
Ta
rge
tC
urr
en
tG
row
th
5 September 2017
Cybersecurity 129
Figure 227: PANW DCF Scenarios
Source: Company data, Credit Suisse estimates.
Target Price
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL TP Value distribution
2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E 2027E Perpetuity
Period 1 2 3 4 5 6 7 8 9 10
Current risk-free rate of return 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0%
Beta 1.30 1.30 1.30 1.30 1.30 1.30 1.30 1.30 1.25 1.20 1.15 1.10 1.05 1.00
Equity Risk Premium 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%
Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2%
FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 10.0% 9.0% 7.8% 6.5% 5.3% 4.0% 2.8% 1.5%
Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81
Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,053 1,148 1,237 1,317 1,387 1,442 1,482 1,504 17,208
Stock Based Compensation Expense 70.9 163.2 285.3 342.2 372.6 434.8
SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 39.0% 32.6% 26.2% 19.8% 13.4% 7.0%
FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 575.0 626.8 754.5 887.9 1,023.3 1,156.5 1,283.2 1,398.7 17,208.2
NPV of Free cash flow ($M) 420.3 437.4 429.2 417.3 449.3 474.3 491.6 501.2 503.0 6,119.0
Cumulative NPV of FCF ($M) 420.3 857.7 1,286.9 1,704.1 2,153.5 2,627.7 3,119.3 3,620.5 4,123.5 10,243
Cumulative NPV of FCF ($M) 10,243$
Shares outstanding (M) 93
NPV/Share of FCF 110$
(Net Cash) / Share 15.69$
Total NPV/Share 125
Current price / Share $147
Upside / Downside Potential -14%
Blue Sky
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value distribution
2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E 2027E Perpetuity
Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2%
FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 16.0% 16.0% 13.8% 11.5% 9.3% 7.0% 4.8% 2.5%
Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81
Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,111 1,288 1,466 1,634 1,785 1,910 2,001 2,051 26,500
Stock Based Compensation Expense 70.9 163.2 285.3 342.2 372.6 434.8
SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 39.5% 33.6% 27.7% 21.8% 15.9% 10.0% 0%
FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 606.4 703.4 886.6 1,085.0 1,290.7 1,493.8 1,682.9 1,846.0 26,499.8
NPV of Free cash flow ($M) 420 437 453 468 528 580 620 647 660 9,423
Cumulative NPV of FCF ($M) 420 858 1,310 1,779 2,307 2,886 3,506 4,154 4,813 14,236
Cumulative NPV of FCF ($M) 14,236$
Shares outstanding (M) 93
NPV/Share of FCF 153$
(Net Cash - 10% of Revenues) / Share 15.69$
Total NPV/Share 168
Current price / Share $147
Upside / Downside Potential 15%
Grey sky
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value distribution
2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E 2027E Perpetuity
Cost of equity 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 12.1% 11.8% 11.5% 11.2% 10.9% 10.6% 10.2%
FCF Growth Rate 529.8% 78.6% 20.2% 15.2% 13.5% 10.0% 10.0% 8.3% 6.7% 5.0% 3.3% 1.7% 0.0%
Discount Factor 1.12 1.20 1.34 1.50 1.68 1.87 2.08 2.31 2.55 2.81
Free cash flow ($M) 54.2 341.2 609.5 732.4 844 958 1,053 1,159 1,255 1,339 1,406 1,453 1,477 1,477 14,423
Stock Based Compensation Expense 70.9 163.2 285.3 342.2 372.6 434.8
SBC as % of FCF 131% 48% 47% 47% 44% 45% 45.4% 45.4% 41.2% 36.9% 32.7% 28.5% 24.2% 20.0% 0%
FCF adjusted for SBC -16.7 178.0 324.3 390.2 471.2 522.7 575.0 632.5 738.4 844.3 946.0 1,039.1 1,119.0 1,181.5 14,422.6
NPV of Free cash flow ($M) 420 437 429 421 440 451 455 450 439 5,128
Cumulative NPV of FCF ($M) 420 858 1,287 1,708 2,148 2,599 3,053 3,503 3,942 9,071
Cumulative NPV of FCF ($M) 9,071$
Shares outstanding (M) 93
NPV/Share of FCF 97$
(Net Cash - 10% of Revenues) / Share 15.69$
Total NPV/Share 113
Current price / Share $147
Upside / Downside Potential -23%
5 September 2017
Cybersecurity 130
HOLT®
PANW – HOLT Market-Implied Scenario and Sensitivity Analysis
Assuming margins rise from consensus levels of 15% to its historical peak of 22%,
PANW’s current stock price of $146 implies a sales CAGR of 12% over the next ten years.
Figure 228: CFROI (%) Figure 229: Valuation Sensitivity Analysis
Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
Assumptions and Methodology
■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4 onward they are assumed
to rise up to 21.5% based on historical peak levels
■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, solved for the implied
CAGR required to reach the respective values per share
■ Asset Efficiency: Assumed constant from LFY levels
■ Fade Window: Used ten years of explicit forecasts for comparison with CHKP
■ Fade: After year ten, the HOLT methodology calculates the terminal value by fading
returns on capital and growth toward cost of capital and GDP growth, respectively
Figure 230: Assuming Margins Rise to 21.5% in the
Long Term from Consensus Levels of -15%...
Figure 231: …Indicates PANW's Current Price
Implies a CAGR of 11% over Ten Years
Source: HOLT®, Credit Suisse Research. Source: HOLT®, Credit Suisse Research.
(5.3)
23.5
(10 )
0
10
20
30
2007 2011 2015 2019 2023
Historical CFROI Forecast Discount Rate
- 600 bps - 400 bps - 200 bps 0 bps +200 bps +400 bps
5.8% 7.8% 9.8% 11.8% 13.8% 15.8%
- 1500 bps 6.5% $19 $26 $36 $49 $66 $88
- 1200 bps 9.5% $29 $39 $52 $69 $90 $119
- 900 bps 12.5% $39 $51 $68 $88 $115 $149
- 600 bps 15.5% $49 $63 $83 $107 $139 $180
- 300 bps 18.5% $59 $76 $99 $127 $163 $210
0 bps 21.5% $69 $88 $114 $146 $188 $241
2018 - 2026 Sales CAGR
26E EBITDA
Margins v
(14.6)
21.5
(20)
(10)
0
10
20
30
2007 2011 2015 2019 2023
Historical margins Forecast Margins w/o SBC
Assumed long term margins
to rise from (14.6%) to
21.5%
1
26.2
11.8
0
10
20
30
40
50
60
70
80
2007 2011 2015 2019 2023
Historical growth Forecast
Solved for the long term sales CAGR required to get to current price of $146
2
Consensus
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
131
Figure 232: PANW Income Statement
US$ in millions, except per share items
Source: Company data, Credit Suisse estimates.
Palo Alto Networks (PANW)
Income Statement$ in Millions except per share items
Fiscal year end: July 31st
2016 (A) Oct '16 Jan '17 Apr '17 Jul '17 2017 (A) Oct '17 Jan '18 Apr '18 Jul '18 2018 (E) Oct '18 Jan '19 Apr '19 Jul '19 2019 (E)
Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year 1Q19E 2Q19E 3Q19E 4Q19E Full Year
Non-GAAP Income Statement
Total Revenue 1,378.5 398.1 422.6 431.8 509.1 1,761.6 486.7 514.6 528.3 599.5 2,129.0 572.7 598.5 604.8 708.7 2,484.6
y/y change 49% 34% 26% 25% 27% 28% 22% 22% 22% 18% 21% 18% 16% 14% 18% 17%
Product 670.8 163.8 168.8 164.2 212.3 709.1 171.5 178.9 175.7 222.9 749.0 178.4 186.1 181.0 234.1 779.5
y/y change 36% 11% -1% 1% 11% 6% 5% 6% 7% 5% 6% 4% 4% 3% 5% 4%
Subscription & Support 707.7 234.3 253.8 267.6 296.8 1,052.5 315.2 335.7 352.6 376.6 1,380.0 394.4 412.4 423.8 474.6 1,705.2
y/y change 63% 57% 54% 46% 42% 49% 35% 32% 32% 27% 31% 25% 23% 20% 26% 24%
Total cost of revenue 301.1 81.9 90.5 101.7 115.6 389.7 104.5 110.9 110.7 118.5 444.6 109.9 117.9 123.5 136.3 487.6
Gross profit, non-GAAP 1,077.4 316.2 332.1 330.1 393.5 1,371.9 382.2 403.7 417.6 481.0 1,684.5 462.8 480.6 481.2 572.4 1,997.0
Gross margin 78% 79% 79% 76% 77% 78% 79% 78% 79% 80% 79% 81% 80% 80% 81% 80%
Research & development 146.7 45.4 47.3 47.7 50.4 190.8 47.2 49.9 51.2 58.1 206.5 55.6 58.1 58.7 68.7 241.0
% of total revenue 11% 11% 11% 11% 10% 11% 10% 10% 10% 10% 10% 10% 10% 10% 10% 10%
Sales & marketing 584.9 175.3 175.0 178.9 197.1 726.3 214.1 214.6 220.3 250.0 899.0 252.1 248.7 251.4 284.9 1,037.1
% of total revenue 42% 44% 41% 41% 39% 41% 44% 42% 42% 42% 42% 44% 42% 42% 40% 42%
General & administrative 75.0 23.7 26.7 24.2 25.5 100.1 29.2 30.9 31.7 36.0 127.7 34.4 35.9 36.3 42.5 149.1
% of total revenue 5% 6% 6% 6% 5% 6% 6% 6% 6% 6% 6% 6% 6% 6% 6% 6%
Total operating expenses, non-GAAP 806.6 244.4 249.0 250.8 273.0 1,017.2 290.6 295.4 303.2 344.1 1,233.3 342.0 342.7 346.3 396.2 1,427.2
% of total revenue 59% 61% 59% 58% 54% 58% 60% 57% 57% 57% 58% 60% 57% 57% 56% 57%
Operating income, non-GAAP 270.8 71.8 83.1 79.3 120.5 354.7 91.6 108.3 114.4 136.9 451.2 120.8 138.0 134.9 176.2 569.8
Operating margin 19.6% 18.0% 19.7% 18.4% 23.7% 20.1% 18.8% 21.0% 21.7% 22.8% 21.2% 21.1% 23.1% 22.3% 24.9% 22.9%
Interest income (expense), net -0.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Other income (expense), net 8.1 2.3 3.3 3.5 3.5 12.6 2.9 3.0 3.2 3.5 12.6 3.7 4.1 4.3 4.6 16.7
Interest & other income (expense), net, non-GAAP 8.0 2.3 3.3 3.5 3.5 12.6 2.9 3.0 3.2 3.5 12.6 3.7 4.1 4.3 4.6 16.7
Pretax income, non-GAAP 278.8 74.1 86.4 82.8 124.0 367.3 94.5 111.3 117.6 140.4 463.8 124.5 142.0 139.2 180.8 586.5
Pretax margin 20% 19% 20% 19% 24% 21% 19% 22% 22% 23% 22% 22% 24% 23% 26% 24%
Tax expense, non-GAAP 106.0 22.9 26.8 25.7 38.5 113.9 29.3 34.5 36.5 43.5 143.8 38.6 44.0 43.2 56.0 181.8
Effective tax rate 38% 30.9% 31.0% 31.0% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31% 31%
Net Income, non-GAAP 172.8 51.2 59.6 57.1 85.5 253.4 65.2 76.8 81.1 96.9 320.0 85.9 98.0 96.1 124.8 404.7
EPS, non-GAAP $1.89 $0.55 $0.63 $0.61 $0.92 $2.71 $0.68 $0.80 $0.84 $1.00 $3.29 $0.88 $0.99 $0.97 $1.25 $4.09
Fully diluted shares 91.4 93.2 93.9 93.3 93.3 93.4 95.2 95.9 96.6 97.3 97.2 98.0 98.6 99.3 100.0 99.0
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
132
Figure 233: PANW Balance Sheet
US$ in millions, except per share items
Source: Company data, Credit Suisse estimates.
Palo Alto Networks (PANW)
Balance Sheet$ in Millions except per share items
Fiscal year end: July 31st
2016 (A) Oct '16 Jan '17 Apr '17 Jul '17 2017 (A) Oct '17 Jan '18 Apr '18 Jul '18 2018 (E) Oct '18 Jan '19 Apr '19 Jul '19 2019 (E)
Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year 1Q19E 2Q19E 3Q19E 4Q19E Full Year
Current Assets
Cash and Equivalents 734.4 839.4 761.4 692.0 744.3 744.3 797.3 893.1 1,016.7 1,134.0 1,134.0 1,290.4 1,401.4 1,565.7 1,635.4 1,635.4
Short-Term Investments 551.2 550.6 593.0 680.0 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7 630.7
Accounts Receivable - net 348.7 346.5 386.1 364.1 432.1 432.1 414.8 480.1 458.0 535.3 535.3 495.8 543.2 511.1 601.8 601.8
Prepaid Expenses and Other 139.7 129.4 139.9 159.1 169.2 169.2 170.0 178.3 194.2 221.8 221.8 211.9 221.4 223.8 262.2 262.2
Total Current Assets 1,774.0 1,865.9 1,880.4 1,895.2 1,976.3 1,976.3 2,012.8 2,182.3 2,299.7 2,521.8 2,521.8 2,628.8 2,796.8 2,931.2 3,130.1 3,130.1
Non-current Assets
Property Plant & Equipment - Net 117.2 125.0 154.1 192.3 211.1 211.1 256.8 296.8 337.4 380.2 380.2 429.1 478.8 528.6 581.7 581.7
Long Term Investments 652.8 708.4 790.5 719.1 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3 789.3
Goodwill 163.5 163.5 163.5 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8 238.8
Other Intangible Assets 44.0 41.7 39.5 56.5 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7 53.7
Other Noncurrent Assets 106.7 103.7 146.6 148.2 169.1 169.1 144.6 171.6 170.9 191.8 191.8 159.7 203.6 201.6 240.9 240.9
Total assets 2,858.2 3,008.2 3,174.6 3,250.1 3,438.3 3,438.3 3,496.0 3,732.5 3,889.7 4,175.6 4,175.6 4,299.4 4,561.0 4,743.2 5,034.5 5,034.5
Current Liabilities
Accounts Payable - Trade 30.2 29.2 28.0 33.2 35.5 35.5 32.0 39.5 37.6 42.7 42.7 37.7 45.9 43.1 50.5 50.5
Accrued Compensation 73.5 59.0 78.8 76.4 117.5 117.5 79.3 102.7 89.8 124.1 124.1 89.1 115.5 104.9 127.6 127.6
Accrued Expenses and Other 39.2 48.4 58.8 60.1 79.9 79.9 61.4 69.6 71.2 76.4 76.4 68.7 83.8 84.7 70.9 70.9
Deferred Revenue (Short-Term) 703.9 758.1 828.0 885.0 968.4 968.4 1,016.8 1,082.9 1,147.9 1,228.2 1,228.2 1,301.9 1,380.1 1,449.1 1,521.5 1,521.5
Convertible Debt 0.0 506.2 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Total Current Liabilities 846.8 1,400.9 993.6 1,054.7 1,201.3 1,201.3 1,189.6 1,294.7 1,346.5 1,471.4 1,471.4 1,497.4 1,625.3 1,681.7 1,770.4 1,770.4
Non-current Liabilities
Convertible Debt (Long-Term) 500.2 0.0 512.3 518.4 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7 524.7
Deferred Revenue (Long-Term) 536.9 601.5 670.6 726.8 805.1 805.1 861.5 934.7 1,004.8 1,100.2 1,100.2 1,155.2 1,213.0 1,273.7 1,337.3 1,337.3
Other Noncurrent Liabilities 79.4 80.2 127.5 137.1 147.6 147.6 144.6 171.6 170.9 179.4 179.4 171.8 179.5 181.4 212.6 212.6
Stockholder Equity
Additional Paid In Capital 1,515.5 1,543.1 1,613.3 1,615.8 1,599.7 1,599.7 1,653.6 1,714.4 1,779.6 1,862.4 1,862.4 1,942.1 2,029.9 2,119.5 2,236.6 2,236.6
Accumulated Other Comprehensive Income 1.0 -1.9 -5.1 -4.2 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4 -3.4
Retained Earnings (Accumulated Deficit) -621.6 -677.0 -737.6 -798.5 -836.7 -836.7 -874.5 -904.2 -933.4 -959.1 -959.1 -988.5 -1,008.0 -1,034.4 -1,043.7 -1,043.7
Total Shareholders Equity 894.9 864.2 870.6 813.1 759.6 759.6 775.7 806.8 842.8 899.9 899.9 950.2 1,018.5 1,081.7 1,189.5 1,189.5
Total Liabilities & Shareholders Equity 2,858.2 3,008.2 3,174.6 3,250.1 3,438.3 3,438.3 3,496.0 3,732.5 3,889.7 4,175.6 4,175.6 4,299.4 4,561.0 4,743.2 5,034.5 5,034.5
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
133
Figure 234: PANW Statement of Cash Flow
US$ in millions, except per share items
Source: Company data, Credit Suisse estimates.
Palo Alto Networks (PANW)
Statement of Cash Flows$ in Millions except per share items
Fiscal year end: July 31st
2016 (A) Oct '16 Jan '17 Apr '17 Jul '17 2017 (A) Oct '17 Jan '18 Apr '18 Jul '18 2018 (E) Oct '18 Jan '19 Apr '19 Jul '19 2019 (E)
Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year 1Q19E 2Q19E 3Q19E 4Q19E Full Year
Cash From Operating Activities
Net Income (192.7) (56.9) (60.6) (60.9) (38.2) (216.6) (37.8) (29.7) (29.2) (25.7) (122.4) (29.4) (19.5) (26.4) (9.3) (84.6)
Stock-based Compensation 392.8 113.3 127.3 116.2 117.7 474.5 121.7 128.6 132.1 149.9 532.3 143.2 149.6 151.2 177.2 621.2
Tax Benefit From Exercise of Stock Options - - - - - - - - - - - - - - - -
Depreciation and Amortization 42.8 13.6 14.4 15.1 16.7 59.8 15.7 16.7 17.2 19.5 69.1 18.9 19.7 19.8 23.1 81.5
Other Amortization of Non-Cash Expenses/Gains 3.0 0.7 0.7 0.7 0.6 2.7 0.6 0.6 0.6 0.6 2.4 0.6 0.6 0.6 0.6 2.4
Amortization of debt discount & issuance costs 23.4 6.0 6.1 6.2 6.2 24.5 5.5 5.5 5.5 5.5 21.9 5.5 5.5 5.5 5.5 21.9
Other - - - 20.9 20.9 - - - - - - - - -
Changes in working capital & other assets/liabilities
Accounts Receivable (136.4) 2.2 (39.5) 22.4 (68.0) (82.9) 17.3 (65.3) 22.2 (77.3) (103.2) 39.5 (47.4) 32.2 (90.7) (66.5)
Prepaid Expenses (31.2) 10.1 (51.7) (8.0) 1.5 (48.1) 23.7 (35.3) (15.2) (48.5) (75.3) 42.0 (53.4) (0.3) (77.8) (89.5)
Accrued Compensation/Payroll Expense (6.3) (14.5) 19.8 (3.6) 41.1 42.8 (38.2) 23.4 (12.9) 34.3 6.6 (35.0) 26.4 (10.6) 22.7 3.4
Accounts Payable 15.1 1.8 (1.6) 2.6 3.1 5.9 (3.5) 7.5 (1.8) 5.1 7.2 (5.0) 8.3 (2.8) 7.4 7.8
Accrued and Other Liabilities 21.0 8.4 60.4 8.2 (23.8) 53.2 (21.4) 35.2 0.9 13.6 28.2 (15.2) 22.8 2.8 17.4 27.8
Deferred Revenue 527.1 118.8 139.0 112.3 161.7 531.8 104.8 139.3 135.1 175.8 555.0 128.7 135.9 129.7 136.1 530.4
Other Non-Cash Items - - - - 2.8 2.8 - - - - - - - - - -
Cash from Operations 658.6 203.5 214.3 211.2 242.3 871.3 188.2 226.5 254.3 252.9 921.8 293.7 248.4 301.5 212.0 1,055.6
y/y change 87% 39% 39% 24% 29% 32% -8% 6% 20% 4% 6% 56% 10% 19% -16% 15%
Cash From Investing Activities
Net proceeds (purchases) of investments (266.4) (50.3) (128.4) (27.5) (12.3) (218.5) (12.3) (12.3) (12.3) (12.3) (49.2) (12.3) (12.3) (12.3) (12.3) (12.3)
Capital Expenditures (72.5) (20.9) (44.7) (48.6) (49.2) (163.4) (30.0) (23.3) (23.3) (23.3) (100.0) (30.0) (30.0) (30.0) (30.0) (120.0)
Acquisition of Business - (90.7) - (90.7) - - - - - - - - - -
Cash From Investing Activities (338.9) (71.2) (173.1) (166.8) (61.5) (472.6) (42.3) (35.6) (35.6) (35.6) (149.2) (42.3) (42.3) (42.3) (42.3) (132.3)
Cash from Financing
Sales of shares through employee equity incentive plans 45.3 22.7 0.9 22.2 0.6 46.4 - - - - - - - - - -
Tax Benefit From Stock Based Compensation - - - (11.0) (10.4) - - - - - - - - - -
Repurchase of Common Stock - (50.0) (120.1) (125.0) (115.9) (411.0) (95.0) (95.0) (95.0) (100.0) (385.0) (95.0) (95.0) (95.0) (100.0) (385.0)
Total Cash Flows From Financing 38.9 (27.3) (119.2) (113.8) (125.7) (364.6) (95.0) (95.0) (95.0) (100.0) (385.0) (95.0) (95.0) (95.0) (100.0) (385.0)
FX impact on cash - - - - - - - - - - - - - - - -
Cash balance, beginning of period 375 734 839 761 691 734 746 797 893 1,017 746 1,134 1,290 1,401 1,566 1,134
Net change in cash 359 105 (78) (69) 55 13 51 96 124 117 388 156 111 164 70 501
Cash balance, end of period 734 839 761 691 746 746 797 893 1,017 1,134 1,134 1,290 1,401 1,566 1,635 1,635
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 September 2017
Cybersecurity 134
Credit Suisse PEERs PEERs is a global database that captures unique information about companies within the
Credit Suisse coverage universe based on their relationships with other companies – their
customers, suppliers and competitors. The database is built from our research analysts’
insight regarding these relationships. Credit Suisse covers over 3,000 companies globally.
These companies form the core of the PEERs database, but it also includes relationships
on stocks that are not under coverage.
Figure 235: Palo Alto PEERs
Source: Company data, Credit Suisse estimates
5 September 2017
Cybersecurity 135
Fortinet: Fortinet & Unfortified = Underperform
Americas/United States Software
Fortinet, Inc. (FTNT) Rating UNDERPERFORM Price (01-Sep-17, US$) 38.30 Target price (US$) 33.00 52-week price range (US$) 41.10 - 28.61 Market cap(US$ m) 6,734 Target price is for 12 months.
Research Analysts
Brad A Zelnick
212 325-6118
Jobin Mathew
212 325 9676
Syed Talha Saleem, CFA
212 538 1428
Unfortified
Initiating Coverage with Underperform Rating and $33 Target Price
We respect FTNT as a highly innovative company with differentiated hardware,
superb product offerings, and a world-class founder-led executive team;
however, we remain convinced the weight of potential headwinds facing FTNT
tilts the relative risk/reward balance negatively.
■ Most Highly Exposed to Category Risks: Our analysis of sector headwinds
implies FTNT faces the greatest risk of the three firewall names. With the
least firepower and apparent willingness to strategically acquire as perimeter
security loses relevance, FTNT's outsized exposure to the SMB market and
carrier vertical are additional concerns.
■ Hardware Increasingly Irrelevant in the Cloud: Like Netscreen before it,
Ken Xie founded FTNT on the premise of ASIC architecture. Performant,
cost-effective hardware has differentiated FTNT in the past, particularly in the
carrier vertical (performance focused) and SMB segment (price sensitive);
however, we struggle to see how competitive advantage bestowed by
superior silicon can sustain as successfully in the cloud.
■ Outsized SMB Exposure: Fortinet should trade at a discount to CHKP and
particularly PANW given its substantially lower enterprise exposure (56% vs
PANW at 14% volume, respectively, on IDC data). We prefer enterprise
exposure on balance due to its higher renewal rates, and while some consider
the SMB market attractive given a recent a spending cycle, we believe it to be
increasingly competitive (50% more concentrated on the
Herfindahl-Hirschman Index, an indicator of competition) vs the high end.
■ Valuation: We see FTNT as expensive on an absolute basis but less so once
adjusted for growth; we think of FTNT as in-between CHKP (best) and PANW
(worst) on valuation. Our DCF valuation implies a $33 TP. Risks to our target
include an ability to gain significant share, stronger than expected midmarket
spending cycle, and acquisition of the company.
Share price performance
On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55
Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$36.83
Quarterly EPS Q1 Q2 Q3 Q4 2016A 0.12 0.14 0.18 0.30 2017E 0.17 0.27 0.23 0.27 2018E 0.22 0.26 0.27 0.34
Financial and valuation metrics
Year 12/15A 12/16A 12/17E 12/18E NON-GAAP EPS (CS adj., ) 0.51 0.74 0.94 1.10 Prev. EPS (CS adj., US$) P/E (CS adj.) (x) 74.9 51.6 40.6 34.8 P/E rel. (CS adj., %) - 244 213 202 Revenue (US$ m) 1,009 1,275 1,493 1,657 Non-GAAP Operating Income (US$ m)
133 193 238 292 Net Debt (US$ m) -1,164 -1,311 -1,515 -1,802 Unlevered Free Cash Flow (US$) 242 268 309 439 P/uFCF (x) 15.8 14.3 12.4 8.7
Number of shares (m) 175.84 Price/Sales (x) 4.82 Net debt (Next Qtr., US$ m) -1,475.3 Dividend (current, US$) - Dividend yield (%) - Source: Company data, Thomson Reuters, Credit Suisse estimates
5 September 2017
Cybersecurity 136
Fortinet, Inc. (FTNT)
Price (01 Sep 2017): US$38.3; Rating: UNDERPERFORM; Target Price: US$33.00; Analyst: Brad Zelnick
Income Statement 12/15A 12/16A 12/17E 12/18E
Revenue (US$ m) 1,009.3 1,275.4 1,492.8 1,657.0 EBITDA 164.9 241.6 307.6 375.8 Operating profit 133.3 193.1 238.2 291.6 Recurring profit 135.5 193.3 251.3 303.6
Cash Flow 12/15A 12/16A 12/17E 12/18E
Cash flow from operations 283 340 466 541 CAPEX (37) (67) (150) (93) Free cashflow to the firm 245 273 316 447 Cash flow from investments (1) (74) (163) (93) Net share issue(/repurchase) 7 (66) (108) (160) Dividends paid 0 0 0 0 Issuance (retirement) of debt - - - - Other (116) (54) 9 (0) Cashflow from financing activities (109) (120) (99) (160) Effect of exchange rates 0 0 0 0 Changes in Net Cash/Debt 173 146 204 287 Net debt at end (1,164) (1,311) (1,515) (1,802)
Balance Sheet ($US) 12/15A 12/16A 12/17E 12/18E
Assets Other current assets 36 33 46 55 Total current assets 1,271 1,539 1,782 2,128 Total assets 1,791 2,140 2,569 2,981 Liabilities Short-term debt 0 0 0 0 Total current liabilities 679 829 1,015 1,221 Long-term debt 0 0 0 0 Total liabilities 1,035 1,302 1,624 1,940 Shareholder equity 755 838 945 1,041 Total liabilities and equity 1,791 2,140 2,569 2,981 Net debt (1,164) (1,311) (1,515) (1,802)
Per share 12/15A 12/16A 12/17E 12/18E
No. of shares (wtd avg) 175 175 181 187 CS adj. EPS 0.51 0.74 0.94 1.10 Prev. EPS (US$) Dividend (US$) 0.00 0.00 0.00 0.00 Free cash flow per share 1.40 1.56 1.75 2.39
Earnings 12/15A 12/16A 12/17E 12/18E
Sales growth (%) 31.0 26.4 17.0 11.0 EBIT growth (%) 9.2 44.9 23.3 22.4 Net profit growth (%) 10.6 44.9 31.9 20.8 EPS growth (%) 7.0 45.2 27.3 16.6 EBIT margin (%) 13.2 15.1 16.0 17.6
Valuation 12/15A 12/16A 12/17E 12/18E
EV/Sales (x) 5.52 4.25 3.50 2.98 EV/EBIT (x) 41.8 28.1 21.9 16.9 P/E (x) 74.9 51.6 40.6 34.8
Quarterly EPS Q1 Q2 Q3 Q4 2016A 0.12 0.14 0.18 0.30 2017E 0.17 0.27 0.23 0.27 2018E 0.22 0.26 0.27 0.34
Company Background
Fortinet is a cybersecurity company selling appliances, software, and services. Fortinet has a platform approach to security called the Fortinet Security Fabric which enables third-party devices to share information with Fortinet appliances.
Blue/Grey Sky Scenario
Our Blue Sky Scenario (US$) 44.00
For our blue sky scenario we again model a 5-year transition period, but drive higher free cash growth, which assumes Fortinet enjoys a stronger than expected appliance refresh cycle tailwind in addition to virtual firewall retaining more relevance than we expect, and FTNT successfully selling into this virtual market. Our blue sky scenario yields a $42 warranted price.
Our Grey Sky Scenario (US$) 30.00
In the grey sky scenario, we use a 5-year transition period and lower free cash flow growth assumption. The scenario results in a share price of $29. In this scenario, Fortinet struggles to attain significant virtual share, this is against a backdrop of declining firewall relevance and significant price pressures.
Share price performance
On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55
Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$36.83
Source: Company data, Thomson Reuters, Credit Suisse estimates
5 September 2017
Cybersecurity 137
FTNT: Our Takes on the Key Debates
Initiating Coverage with Underperform Rating and $33 Target Price
We respect Fortinet as an innovative vendor that provides exceptional products and an
integrated platform offering few competitors can match. Successes in hardware, however,
may not translate into the cloud, and FTNT faces the most risk from sector headwinds.
Key Debates:
■ Is Exposure to SMB a Positive? The SMB market is growing rapidly as agnostic attacks
threaten SMBs more than ever (e.g., ransomware) and regulation enforces greater
controls and accountability (GDPR for instance). Is FTNT's exposure here attractive?
■ How Does Competitive Advantage Translate to Cloud? As the virtual form factor
becomes an increasingly important method of consumption, debates surround whether
FTNT will retain its silicon-based competitive advantage in the cloud.
■ Is Carrier Market Exposure a Blessing or Curse? FTNT's success in the carrier market
has been a blessing in the past, while now investors are debating if this will continue.
Our Takes:
■ Despite Growth, Competitive Pressures Render SMBs Unattractive: In addition to
lower renewal rates, the SMB market is increasingly fragmented and competitive, and we
think these dynamics apply pricing pressure to vendors operating in this end of the market.
■ Silicon Isn’t a Competitive Advantage Anymore: We struggle to see how the
competitive advantage bestowed by superior silicon can be sustained as successfully in
the cloud.
■ Carrier Market Rapidly Virtualizing: We are concerned FTNT's ~20% carrier billings may
mature into a curse. Our field conversations underline that the carrier market is virtualizing
rapidly, and we think this may cannibalize appliance demand.
Risk to Our Takes:
■ Legendary Leadership: We view the dual leadership of Fortinet by Ken and Michael Xie,
CEO and CTO, respectively, to be a key strength. Given the brothers' track record of
disruptive innovation in the space, we don’t count out their ability to re-adapt FTNT's
strategy beyond the successful formula of the past five years.
■ Transformative M&A: We estimate FTNT could deploy as much as $4bn for
transformative M&A, albeit lower than peers (60% less than CHKP and 20% less than
PANW). This still represents non-trivial balance sheet capacity.
■ Becomes a Strategic Target: Given its relatively small market cap, FTNT could
represent a potential target for a strategic buyer. recognize
Estimates:
■ Revenue and EPS: We forecast FY17E/FY18E revenue growth at 17%/11% vs the
consensus at 17%/15%, with EPS of $0.94/$1.10 in FY17E/ FY18E vs Street estimates at
$0.95/$1.14.
Valuation: ■ DCF: Our discounted cash flow analysis yields a target price of $33, implying 14%
downside risk and 10x FY18E EV/uFCF; 13.5x when adjusted for SBC.
■ Relative Valuation: Expensive on an absolute basis but less so once adjusted for
growth, we think of PANW as in between CHKP (best) and PANW (worst) on valuation.
5 September 2017
Cybersecurity 138
Key Charts
Figure 236: Highly Exposed to the SMB Market… Figure 237: ...Which Remains the Most Competitive
Fortinet 2016 Revenue Exposure by server class Herfindahl-Hirschman Index, 4Q moving average
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
Figure 238: FTNT Most Exposed to Sector Risks…. Figure 239: …with an Elongating Refresh Cycle
Our sector risk exposure ranking Refresh cycle impact on product at different lengths
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Figure 240: Less Balance Sheet Capacity… Figure 241: …Valuation in Middle vs Firewall Peers
Our estimates for balance sheet capacity EV/uFCF adjusted for SBC, and Non-GAAP P/E
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
High-end
Midrange
Volume
20%
24%56%
FTNT
0.00
0.05
0.10
0.15
0.20
0.25
2002 2005 2008 2011 2014
High-end
Midrange
Volume
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕
Cisco increasingly competitive ○ ◕ ◑
Juniper has little share left to give ○ ● ◔
Cloud transitionary headwinds ◔ ◑ ◑
TAM expansion ◑ ◑ ●
Competition in the mid market ◑ ○ ●
Carrier Exposure ◔ ◑ ●
Total ◔ ◑ ◕
Who is best equipt to deal with…
5%
10%
15%
20%
25%
30%
35%
2008 2010 2012 2014 2016
4 years
4.5 years
5 years
5.5 years
6 years
6.5 years
7 years
$9.9bn
$5.4bn
$4.0bn
$0bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
CHKP PANW FTNT
16.4x19.2x
37.8x
20.5x
38.8x
44.2x
0x
10x
20x
30x
40x
50x
CHKP FTNT PANW
EV/uFCF Adjusted for SBC, NTM
Non-GAAP P/E, NTM
5 September 2017
Cybersecurity 139
Supports for Our Thesis
Company Negatives
■ Most Exposed to Sector Risks
In our ranking of relative exposure to category risks, Fortinet appears the most exposed.
We believe it to be at substantial risk as the architectural shift to cloud accelerates via both
its hardware-based competitive advantage and carrier exposure. (Carriers are rapidly
virtualizing.) In addition, we believe exposure to the highly competitive mid-market, along
with limited ability to further expand TAM, are all incremental relative negatives.
Figure 242: Relative Exposure to Sector Risks
Source: Credit Suisse Research.
■ Less Relative Firepower Makes Deployment of Strategic Capital Challenging
We estimate FTNT could deploy ~$4bn for transformative M&A. This is ~60% less than
CHKP and ~25% less than PANW. Given our views on the market direction and declining
relevance of perimeter security, we see Fortinet's more limited ability to make
transformative acquisitions as a relative negative. We believe management is liklely less
willing to make a transformative acquisition just given past tuck in deal activity.
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕Cisco increasingly competitive ○ ◕ ◑Juniper has little share left to give ○ ● ◔Cloud transitionary headwinds ◔ ◑ ◑TAM expansion ◑ ◑ ●Competition in the mid market ◑ ○ ●Carrier Exposure ◔ ◑ ●Total ◔ ◑ ◕
Who is best equipped to deal with…
5 September 2017
Cybersecurity 140
Figure 243: We Estimate FTNT Has ~$4bn in
Aggregate Firepower…
Figure 244: … This Is ~60% Less than CHKP and
~25% Less than PANW
US$ in millions, unless otherwise stated US$ in millions, unless otherwise stated
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
■ Hardware-Based Competitive Advantage, Does It Translate to the Cloud?
Fortinet has, we think, generated substantial competitive advantage via its ASIC-based
architecture, which is highly performant and offers excellent cost/throughput ratios and
substantial power savings. These performance advantages have, in turn, contributed to
FTNT's success in the carrier and telecommunications market (where performance is key)
and the SMB market (where there’s cost sensitivity).
While in the past it has been easy to interpret Fortinet's hardware differentiation as a
competitive advantage, it seems logical to us that any advantage bestowed by superior
silicon will diminish as virtualization increases.
■ Absolute Valuation Is Unattractive, Except on EV/Sales
Fortinet isn’t noticeably cheap relative to PANW or CHKP on any absolute adjusted cash
flow or income statement multiple, excepting EV/Sales, which appears to be a function of
depressed margins, and a different business mix.
FTNT trades ~54% less expensive than CHKP and ~28% less expensive than PANW on
CY18 recurring revenues. This would seem to be due to lower renewal rates given greater
SMB exposure, which reduces the value to investors of this revenue stream relative to
higher renewal rate competitors. We calculate that a 5% reduction in renewal rate (from
95-90%) erases 25% of the recurring revenue stream’s NPV. While intuitively, PANW's
higher renewal rates should result in a higher recurring revenue multiple than that of
CHKP, we would note CHKP's substantially higher operating margin.
FTNT trades at a discount to CHKP and PANW on recurring revenue, which we largely
attribute to its depressed margins (18% in CY18 vs 22% and 53% for PANW and CHKP,
respectively). Even normalizing for margin, and certainly growth for that matter, we would
expect FTNT to be less expensive on recurring revenue given its significant SMB
exposure (56% for FTNT vs 14% and 27% for PANW, and CHKP, respectively7). We
estimate. To put this in perspective, we calculate a reduction in renewal rate from 95-90%
7 IDC ‘volume’ pricing bands used as a proxy
Firepower analysis CHKP PANW FTNT
Earnings, NTM basis
EBITDA 1,083 394 279
Δ Deferred Revenue 178 412 250
Cash EBITDA 1,261 806 529
Deal related accretion (15% return) 774 460 383
Theoretical lending EBITDA 2,035 1,266 912
Cash, Next quarter
Liquid cash & investments* 1,380 1,170 964
Cash & investments 3,588 1,889 1,222
Theoretical debt capacity (3x)** 6,106 3,281 2,735
Liquid firepower 7,486 4,450 3,699
Total firepower 9,694 5,170 3,957
*Cash and ST investments adjusted for offshore cash (20% repatriation assumption)
and 10% of NTM revenue
** 3x theoretical lending EBITDA excluding outstanding debt
$9.9bn
$5.4bn
$4.0bn
$0bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
CHKP PANW FTNT
5 September 2017
Cybersecurity 141
would erode 25% of the NPV of the intrinsic value of a recurring revenue stream in a runoff
scenario.
Figure 245: Relative Valuation, Absolute Multiples
Source: Company data, Credit Suisse estimates.
■ Fortinet Is More an SMB than an Enterprise Focused Vendor
Despite the lumpier sales cycles, we prefer exposure to enterprise customers. Firms
serving enterprise customers in general enjoy far superior renewal rates relative to those
with SMB customers.
Figure 246: The Impact of Renewal Rates on Valuation Is Clear When We Look
at the Financial NPV of Recurring Revenues with Varying Renewal Rates
Impact of varying renewal rates on a floor value analysis of recurring revenue as % of FTNT EV. Assumes a 75% runoff margin on cash recurring revenues
Source: Company data, Credit Suisse estimates.
Fortinet has the least exposure to enterprise customers of the firewall names we are
initiating upon. Using IDC data (which splits appliance sales into server class: volume,
mid-range, and high end) as a proxy exhibits this. Only 20% of 1Q17 appliance revenue
was generated via high-end server deployments, or 40% less than Palo Alto Networks.
Absolute Valuation Analysis
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x
EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x
EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x
EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x
Income Statement Multiples
EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x
EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x
Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x
GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x
EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x
CHKP PANW FTNT
82%
67%
59%
53%49%
46%43%
41% 40% 39% 37%
30%
40%
50%
60%
70%
80%
90%
95% 90% 85% 80% 75% 70% 65% 60% 55% 50% 45%
FTNT
Renewal rate% o
f EV
acc
ount
ed fo
r by
Rec
urrin
g R
even
ue F
loor
5 September 2017
Cybersecurity 142
Figure 247: Fortinet Has Lower Share in the
High-End, and the Market Is Less Fragmented
Figure 248: Fortinet Has High Share in the Volume
Market, but It Is Fragmented
High-end server class market share (FTNT bottom in red) Volume server class market share (FTNT bottom in red)
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
Figure 249: Fortinet Has Low High-End Exposure…
Figure 250: …Relative to Competitors Such as
PANW
Fortinet 2016 Revenue Exposure by server class Palo Alto Networks 2016 Revenue Exposure by server class
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
Looking at Fortinet's own reported billings metrics gives some credence to the IDC data.
High-end units account for just under 40% of billings on a trailing 12-month basis.
Assuming the high end is somewhat flattered in billings as opposed to revenue (enterprise
customers are more likely to pay in advance), a similar picture emerges – Fortinet is more
SMB than enterprise focused.
0%
10%
20%
30%
40%
50%
60%
70%
2006 2008 2010 2012 2014 2016
0%
10%
20%
30%
40%
50%
60%
70%
2002 2004 2006 2008 2010 2012
High-end
Midrange
Volume
20%
24%56%
FTNT
Renewal rate
59%27%
14%
High-endMidrange
Volume
PANW
5 September 2017
Cybersecurity 143
Figure 251: Fortinet’s High-End Billings Have Grown Slightly in Recent Years
Percent of Reported Billings by Product Segment
Source: Company data, Credit Suisse Research.
While it seems plain that FTNT's primary success is not in the enterprise, we do credit it
with having grown high-end billings substantially faster (35% vs 25%) than entry and
mid-range billings. This corroborates Gartner’s assertion that ‘Fortinet is present in an
increasing number of these [enterprise firewall] deals visible to Gartner, often because it
offers “good enough” features at a significantly lower price.’ (G00294631)
Figure 252: High-End Billings Have Grown on Average Faster Than Entry and
Mid-Level, Albeit with More Volatility
Source: Company data, Credit Suisse estimates.
The Low End Is Substantially More Competitive than High End
Not only are renewal rates less attractive outside the enterprise segment of the market,
but the lower end is also substantially more competitive. Using IDC revenue data to
estimate the Herfindahl-Hirschman Index (an indicator of competition) for each segment
IDC tracks reveals substantially more competition in the mid-range and volume segments
of the market. Not only are there more players, but we have been hearing of more
competitiveness as players such as WatchGuard and SonicWALL have made significant
strides more recently.
High-End
Mid-Range
Entry-Level
0%
20%
40%
60%
80%
100%
2009 2010 2011 2012 2013 2014 2015 2016 2017
25%
35%
0%
10%
20%
30%
40%
50%
60%
70%
80%
2010 2011 2012 2013 2014 2015 2016 2017
Entry Level Mid-Range High-End
5 September 2017
Cybersecurity 144
Figure 253: The Midrange and Volume Segment of the Market Are Substantially
Less Consolidated (and Therefore Competitive) than the High End
Herfindahl-Hirschman Index, 4Q moving average
Source: IDC, Credit Suisse Research.
Competition Tends to Translate into Price Pressure…
We believe consolidation translates to pricing power, and vice-versa. Therefore, we expect
higher levels of competition in the mid- and volume markets to translate into higher-price
competitiveness. Looking at the volume market ASP relative to the five largest market
players suggests that while there hasn’t been broad-based pressure, pricing has come
down for the five largest in aggregate.
Figure 254: Pricing for the Five Largest Players Appears to Have Been Slightly
More Pressured Relative to the Market as a Whole
ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)
Source: iDC, Credit Suisse Research.
If we look at pricing across the product spectrum for the five largest players since 2010, it
seems clear there has been weakness in volume relative to the high end. While the
mid-range hasn’t been weak, per se, it has been weaker than the high end since 2014.
0.00
0.05
0.10
0.15
0.20
0.25
2002 2004 2006 2008 2010 2012 2014 2016
High end, 4Qma Midrange, 4Qma Volume, 4Qma
1,000
1,300
1,600
1,900
2,200
2,500
2,800
1,000
1,200
1,400
1,600
1,800
2,000
2,200
2003 2005 2007 2009 2011 2013 2015 2017
Volume ASP Volume ASP (CHKP, PANW, FTNT, JNPR, CSCO)
5 September 2017
Cybersecurity 145
Figure 255: Pricing Has Been Strongest in the High End, Slightly Weaker in the
Mid-Range, and Weakest in Volume
CHKP, PANW, FTNT, JNPR, CSCO ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)
Source: iDC, Credit Suisse Research.
■ Carrier Exposure, a Challenge as They Virtualize
Fortinet's highly performant products have previously given the company an edge in the
telecom service provider vertical. Anecdotally, we believe FTNT to be the leader in this
vertical, and over the last 12 months, it has generated ~20% of billings from service
providers. While this has reduced slightly as a percent of total billings as other verticals
have grown faster, it remains a material part of FTNT's business and has slowed
substantially from 2015 highs in recent quarters; last quarter it was described by FTNT
CFO Mr. Del Matto as 'the most disappointing part of the business…' (Q2 2017 Fortinet
Earnings Call, Q&A Session).
Figure 256: Service Provider Has Grown in Dollar
Terms, but Reduced as a % of Billings
Figure 257: Growth Has Substantially Retreated
from 2015 Peaks and Was Weak Last Quarter
Service provider as a % of total billings, reported Service provider growth, implied from reported, y/y, %
Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse estimates.
We believe from conversations in the field that the service provider vertical is virtualizing
network infrastructure at an increasing rate. Discussions on FTNT's 2Q Q&A call, we think,
give credence to our view that carrier exposure is a risk.
0.6
0.7
0.8
0.9
1.0
1.1
1.2
2010 2011 2012 2013 2014 2015 2016 2017
Top-5 High-End ASP Top-5 Mid-range ASP Top-5 Volume ASP
10%
15%
20%
25%
30%
35%
2011 2012 2013 2014 2015 2016
Service provider share of billings
-10%
0%
10%
20%
30%
40%
50%
2012 2013 2014 2015 2016
Service provider verticalgrowth, y/y, %
5 September 2017
Cybersecurity 146
'…the AWS/Azure piece is growing fast. And also, the traditional service provider also
starting consider offer the cloud solution now. So that may delay some of their
decision whether what kind of an architecture or infrastructure they may moving
forward… Before, it's kind of a separate team for cloud and service provider. Now it's one
team, so we feel that's also helping, like make future trend or direction.'
– Ken Xie, Chairman CEO
'… I mentioned there is a cloud trend. So that also may take a little bit long time to
evaluate. And also we started to offer the new 7000 series, and that also takes a long time
to evaluate. So we have the new platform and especially in the bigger enterprise service
provider, they take a longer time and whether using the new one or the old one, also takes
some time. So we do see a lot of test and interesting discussion…'
– Ken Xie, Chairman CEO
'They [telecom carriers] are more focused on cash flow […] and they do more pay-as-
you-go. I think that’s a shift in their business.'
- Andrew Del Matto, CFO, 7/26/2017
'What's happening now is that really, large service providers and large enterprises,
some of them are trying to design and think about their next generation network…
that's not a trend that we saw in 2012 or 2013. It's not just a matter of refreshing gear,
what they bought how many years ago. It's really in strategic discussions on how they
move forward for the future years. '
– Michelle Spolver, Chief Communications Officer, 10/27/2016
Fortinet's exposure to the service provider vertical is significant, and thus any deferred
spending patterns or competitive threats with the segment bring material risk. As we show
in Figure 258, lumpy service provider demand (which we proxy through service provider
billings growth) has manifested in the company's reported product growth.
Figure 258: Service Provider Demand Patterns Have Material Impact on FTNT
Source: Company data, Credit Suisse Research.
■ Refresh Cycle Unlikely to Be a Near-Term Tailwind
Fortinet has started to speak about a refresh opportunity that it anticipates will contribute
to 2018 product revenues. We expect the impact of this refresh cycle to be somewhat
muted as the average refresh appears to be elongating to some degree.
'When you get into '18, that's 4 years ago roughly from that happening and then spending
started to happen in '14, early '14. So I think probably somewhere in '18, you would begin
to see that click…'
- Andrew Del Matto, CFO, 04/27/2017
-20%
0%
20%
40%
60%
2013 2014 2015 2016 2017
Product Growth y/y (%)
Service Provider Billings Growth (%)
5 September 2017
Cybersecurity 147
Figure 259: Assuming a Five-Year Refresh Cycle Implies 2013 Was the Peak of
the Last Refresh Cycle…
Refreshed product as a % of total new product (assuming 5 year refresh rate and 75% renewal rate) 4QMA
Source: IDC, Credit Suisse Research.
'The refresh cycle. Most people, generally, the products are deployed for 3 to 5 years. I
mean, the life of the product, they can go beyond 5 years. And I think some customers
probably stretch it a little bit. But generally speaking, think about 3 to 5 years. You can
all look at the models. If you go back in history, it looks like '14 and '15 were pretty good
years. So maybe if you walk forward some average of the 3 to 5 year, you'll probably get a
sense. I don't -- when we talk about it internally, we're not thinking '17 or as much as
we're thinking somewhere beyond that. '17's probably a bit early.'
- Andrew Del Matto, CFO, 06/07/2017
'… I would probably say the deal in the cycles are elongated more than they were
then, because it's sort of a dynamic shift that's happening …it takes a lot longer. It's
not just a matter of refreshing gear, what they bought how many years ago. It's really in
strategic discussions on how they move forward for the future years. So I would probably
say that the cycles are longer now than they were four years ago'.
– Michelle Spolver, Chief Communications Officer, 10/27/2016
Management have spoken about the previous refresh cycle as having begun in 'late '13,
that was really the kickoff for the last big, I think, spike, if you will, in spending. And then it
went on for a couple of years…' (Andrew Del Matto, CFO, 04/27/2017)
If we try and back that out via our (admittedly somewhat crude) new product calculation, it
appears that to fit into this time frame, the average refresh would have been between five-
and-a-half and seven years in length.
10%
15%
20%
25%
30%
2009 2010 2011 2012 2012 2013 2014 2015 2016
5 September 2017
Cybersecurity 148
Figure 260: Cycle Elongation Appears Evident When We Try to Back Out Fortinet's Internal Refresh Cycle
Refreshed product as a % of total product (assuming varying refresh cycle and 75% renewal rate) smoothed via 5Q centralized average
Source: Company data, Credit Suisse estimates.
■ High Levels of Earnings Volatility Remain a Question Mark
Fortinet exhibits rather high levels of volatility around earnings announcements. While not
the foremost risk we have discussed, an average relative move of 7.4% since 2012 on
earnings is, we believe, worth investor cognizance. It would seem the business is more
difficult to forecast over the past couple of years, perhaps the result of a broader shift to
cloud and virtual infrastructure.
Figure 261: Fortinet an Average 7.4% Relative One-Day Move Following
Earnings
Stock price movement the day after earnings were reported
Source: FactSet, Credit Suisse Research.
5%
10%
15%
20%
25%
30%
35%
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017
4 years
4.5 years
5 years
5.5 years
6 years
6.5 years
7 years
-4%-4%
13%
-1%
-6%
8%
4%
-20%
11%9%
-8%
-1%
7%4%
2%1%
4%
-3%
21%
-17%
-25%
-15%
-5%
5%
15%
25%
20172016201520142013
5 September 2017
Cybersecurity 149
Risks to Our Thesis
Company Positives
■ ASIC Hardware Is a Relative Advantage
Under the leadership of Ken Xie, we believe Fortinet has become the industry leader in
ASIC (application-specific integrated circuit) based firewall appliances. Ken Xie said in
February 2017 that this endows Fortinet with a seven- to ten-year hardware advantage
compared with competitors.
'But on the cost base -- on the performance base, the ASIC definitely have a huge
advantage over the CPU. It can be 10x to 100x, more like computing advantage and also
the cost advantage there. But the virtual edition environments really, they can leverage
some of the free computing power…'
– Ken Xie, Founder, Chairman & CEO, 10/22/2015
ASIC architectures mean the hardware chips are specifically designed for select
use-cases. The use-case-specific nature of these processors results in substantial cost
advantages on a throughput basis, in addition to power saving relative to general purpose
hardware. Gartner notes, in particular, it accelerates packet processing for deep packet
inspection.
Ken Xie pioneered the use of ASIC technology for security appliances with his first
company, NetScreen, and has continued in the same vein with Fortinet. Fortinet was the
first company to increase firewall speed to one terabit per second in 2014, and our field
conversations and broader research confirm Fortinet is renowned for performance in
high-traffic conditions.
We believe performance and cost – the true benefits of custom hardware – have been key
contributors to FTNT's success in the carrier market where performance is key, and also in
the SMB market where cost is of primary import.
In competitive situations, ‘feedback from Gartner clients indicates that Fortinet wins when
value (dollar per protected MB) is a strong part of the evaluation. [Fortinet] has intrinsic
pricing advantages due to the way it produces its hardware.’ (G00294631)
Figure 262: Fortinet Offers Attractive Cost per Protected Packet According to
NSS Labs 2017 Firewall Test
Total Cost of Ownership per Protected Mbps
Source: NSS Labs, Credit Suisse Research.
0 5 10 15 20 25 30 35 40 45
Fortinet 6000
Sophos
Watchguard
Forcepoint
Fortinet 32000
Check Point
Palo Alto Networks
Cisco
Sonicawall
Barracuda Networks
Sonicwall
5 September 2017
Cybersecurity 150
We also believe the ASIC architecture enhances Fortinet's competitive advantage when it
comes to the internal segmentation firewall use-case. The higher speed of internal
networks requires high-speed, low-latency appliances, which in turn is best achieved via
purpose-built hardware.
We believe internal segmentation demand to be incremental, and given it tends to be
enterprises looking to implement these sorts of network architectures, the trend also offers
FTNT an opportunity to increase its high-end mix and market share.
'… the traditional firewall protection, even at the perimeter … is no longer enough. There
are so many ways you can bypass that… So that's where we see the big enterprise …
starting evaluating and consider all of this internal segmentation there … most of the
internal segmentation is all high end. They need high speed, like 40 gig, 100 gig, minimal
10 gig in the space, and also the same through port wire speed. Because the internal
network is much, much faster 10 to 100X faster than the Internet connection. So without
high speed, without low latency, they cannot deploy internally to do the segmentation.'
- Ken Xie, Founder, Chairman & CEO, 2Q2015 earnings call
While we expect internal segmentation demand to be incremental in nature, our field
conversations suggest customers aren’t yet segmenting their networks to the same
granularity needed to offset the rate at which network perimeters are dissolving.
Additionally, some enterprises eschew using security appliances, instead looking further
down the stack in their network topology and relying on the inherent security of products
such as VMware’s NSX to achieve their internal segmentation security goals.
■ Security Fabric Differentiates the Firm Through Product Integration
Fortinet emphasizes that its products are differentiated via their integration into a security
fabric. This unified end-to-endpoint approach to address all threats an enterprise might
face yields what we perceive to be a cohesive and comprehensive platform offering.
The fabric weaves together enterprise firewall, cloud security, advanced threat protection,
connected UTM, application security, secure access, and security operations.
Figure 263: Fortinet’s Goal Is to Create a Security 'Fabric' to Provide End-to-End
Enterprise Security
Source: Fortinet.
Client
Advanced Threat
Intelligence NOC/SOC
Cloud
Application
Partner API
Access
Network
5 September 2017
Cybersecurity 151
Customers demand strong integrated platforms, as they tend to outperform disparate
best-of-breed products in terms of efficacy, efficiency, and cost. We have addressed this
at length in section ‘TAM Expansion is Limited’.
The platform approach aggregates a number of adjacencies and is therefore accretive to
security appliance vendors’ TAMs. We believe this theme of aggregation to have been an
attractive security play over the last several years and FTNT to have been one of the most
successful consolidators, with products addressing a multiplicity of security pain points. A
recent example from June of 2016 is the acquisition of AccelOps, which adds the ~$2bn
SIEM (security information and event management) market to Fortinet’s TAM.
As a result, however, we think it will be even more difficult for FTNT relative to other
vendors to move the needle on its TAM. Additionally, given the majority of FTNT's value
proposition to customers is via consolidation and hardware, we are concerned by the
pressures it faces with disaggregation of adjacencies as workloads increasingly move to
the cloud.
■ Highly Rated Products
Fortinet products are highly rated. Whether during our conversations in the field, by
Gartner, NSS Labs, or other third-party reviews, Fortinet repeatedly stands out for the
depth, breath, integration, and particularly price performance of its security product
portfolio.
In the Enterprise Network Firewall (NGFW) market, the FortiGate offering has enjoyed
positive momentum over the last five years as it progressed from a challenger to leader in
Gartner’s magic quadrant. Prior to this, Fortinet had enjoyed five years of positive
momentum as it transitioned from the visionaries to challengers quadrants.
Figure 264: Fortinet Has Enjoyed Year-on-Year
Positive Momentum Toward the Leadership Quadrant
on Gartner's Enterprise Network Firewall MQ
Figure 265: Despite Slight Negative Momentum, in
Its Key Competency, UTM, Fortinet Has Been a
Leader Every Year Since Inception
Estimated based on 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Enterprise Network Firewall Magic Quadrants
Estimated based on 2009, 2010, 2012, 2013, 2014, 2015, 2016 and 2017 UTM (SMB multifunction firewall) Magic Quadrants
Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research.
Fortinet Fortinet
5 September 2017
Cybersecurity 152
Not only is Fortinet a leader in the Enterprise Network Firewall market, but it also the only
vendor to have remained a leader every year since 2009 on Gartner's Unified Threat
Management (UTM) magic quadrant.
If we look on a pure performance basis, NSS Labs (an independent security analysis and
testing firm) consistently ranks Fortinet highly relative to competitors on TCO per protected
Mbps and effectiveness in blocking simulated threats.
Figure 266: NSS Labs Consistently Ranks Fortinet Highly on Efficacy and Cost
Source: NSS Labs, Credit Suisse estimates.
Fortinet has substantially expanded its cloud offerings to help the security fabric scale to
the cloud. FortiGate VM integrates Fortinet and VMware products to help Fortinet scale to
software-defined networks, and Fortinet products are also available in both AWS and
Azure.
More broadly, Fortinet also offers FortiMail, which enables email screening and FortiWeb
for web application scanning and behavioral attack detection. Fortinet also provides
secure switching and access control solutions for network authentication. The company
offers single sign-on identity management with FortiAuthenticator and multi-factor tokens.
Fortinet allows customers to monitor the entire system with its FortiSIEM (security
information and event management) product. FortiSIEM allows customers to monitor their
security on a “single pane of glass” with cross-correlated analytics that can scale to IoT
devices and the cloud.
5 September 2017
Cybersecurity 153
It also offers enterprises the ability to integrate third-party products with its fabric as
“Fabric-Ready partners.” Fortinet recently added Microsoft as a partner to better expand
its cloud security capabilities. Fortinet currently counts 27 total partners. Fortinet’s wide
product offerings are designed to integrate all aspects of network security. Ken Xie says
that “our view is that if the network is involved, then we are there to protect it.”
■ Vision of the Xie Brothers Should Not Be Under-Estimated
We view the dual leadership of Fortinet by Ken and Michael Xie, CEO and CTO,
respectively, to be a key strength. We see the brothers' track record of innovation in the
space as supportive, and Ken Xie's commentary around the 'fourth era of firewall' (see
here) as evidence that Fortinet recognizes and is prepared (or preparing) to adapt its
strategy beyond its successful formula of the past five years.
The Xie brothers are legendary figures in the security industry. Ken has been the CEO of
Fortinet since the company’s inception in 2000. He started his first security company, SIS,
designing software firewalls while he was still studying for his second master’s degree at
Stanford.
Ahead of their time in understanding the limitations of selling software-only firewalls, Ken
and Michael founded one of the security industry's first aggregation plays – Netscreen – in
1996. Here, they developed and sold the industry's first ASIC-based firewall appliances.
Ken’s brother Michael has tended to hold technical positions, serving as chief architect for
NetScreen, and then chief technology officer since 2010 at Fortinet. In his tenure at
Fortinet, he has overseen execution of the brothers' consolidative vision for “unified threat
management,” the guiding tenet behind the Fortinet security fabric. Michael holds multiple
patents and is the author of several books.
While the benefits of founder-led technology companies are sometimes hard to quantify,
we look to Credit Suisse HOLT research, which shows since late 2014 founder-led have
substantially outperformed both S&P500 tech.
Figure 267: Founder-Led Technology Companies Have Outperformed Their
Non-Founder Led Peers and the S&P 500 Tech Index
Source: Credit Suisse HOLT.
Founder-led firms also generally place more emphasis on innovation, as evidenced by
increased cash deployed in R&D and capex, with greater research efficiency, as
evidenced by higher R&D turnover.
90
100
110
120
130
140
Aug 2014 Feb 2015 Aug 2015 Feb 2016 Aug 2016
Founder Led Tech Non-Founder Led Tech SP500 Tech
5 September 2017
Cybersecurity 154
Figure 268: Founder-Led Firms Deploy
More of Their Cash Toward R&D and
Capex
Figure 269: Founder-Led Firms Are
Also More Efficient in R&D, with
Higher Turnover
R&D + Capex as a percentage of cash deployed Sales/Capitalized R&D
Source: Credit Suisse HOLT. Source: Credit Suisse HOLT.
It's worth noting that with Gil Shwed at Check Point and Nir Zuk at Palo Alto, it appears
almost a pre-requisite for success that at-scale NGFW vendors have retained a
founder technologist executive.
Therefore, while it remains a benefit, we don't think this represents a material advantage
on a relative basis. Illustrating this, CHKP has the best R&D efficiency of the peer group
(software >5bn in market cap) followed by FTNT and PANW, both in the top-third.
Figure 270: PANW & FTNT Have Above Average R&D Efficiency
Sales / Capitalized R&D (R&D Efficiency), Software >5bn in market capitalization
Source: Credit Suisse HOLT, Credit Suisse Research.
Additionally, while FTNT devotes the most to R&D as a percentage of revenue, both
PANW and CHKP spend more in dollar terms.
62.8%
40.3%
0%
10%
20%
30%
40%
50%
60%
70%
Founder Ran Non-Founder Ran
2.1
1.8
1.6
1.7
1.8
1.9
2.0
2.1
2.2
Founder Ran Non-Founder Ran
2.92.3
2.22.12.1
2.02.02.0
1.91.7
1.61.61.6
1.51.51.5
1.31.31.3
1.21.2
0.90.9
0.7
CHKPVEEVCRM
OTEXULTI
FTNTLOGMPANW
NOWMSFTADBECTXSORCL
CAINTURHT
SPLKSYMCVMW
GWREDATATEAMWDAYADSK
5 September 2017
Cybersecurity 155
Figure 271: Palo Alto Spends the Most on R&D in
Absolute Dollar Terms…
Figure 272: … FTNT Spends 180bps More than
PANW and 370bps More than CHKP as % of Revenue
Non-GAAP R&D Expense, quarterly, $m Non-GAAP R&D Expense, % of revenue, 4Q rolling average
Source: Company data, Credit Suisse Research, Credit Suisse Estimates. Source: Company data, Credit Suisse Research, Credit Suisse Estimates.
■ Fully Ramped Sales Capacity
Fortinet has invested heavily in its go-to-market engine, which has more recently stabilized
and ramped to productivity. The company sees additional tailwinds from its 'fork-lift'
investments in its sales and marketing model, guiding for operating margin improvement of
150bps to 200bps per year, aiming for 25% OM by 2022, and long-term OM of 25%.
"We feel like we've made a lot of the forklift investments we needed to make to just get
the marketing team, the business, the process in place for the lead generation and giving
them information to expand our footprint within the installed base."
- Andrew H. Del Matto, CFO, 7th August 2017
"And then we've also made big investments in our sales and marketing go-to-market
engine in the enterprise over the last really 3 or 4 years. And that's a forklift investment
that we're pretty much through. And so now we're basically focused on just
productivity -- driving productivity and sales, which drives a lower cost of sales and
marketing. And again, that's how -- the combination of that, the lower sales and marketing
costs through the higher productivity, scaling that out along with the higher gross margin
drives an expanded margin"
- Andrew H. Del Matto, CFO, 13th June 2017
We see indications of a productivity ramp, as shown in Figure 273, with a recovering
billings per S&M employee as well as revenues per S&M employee. Also, we do point out
that product revenue metrics as well as new business metrics seem to be stabilizing.
0
10
20
30
40
50
60
2010 2011 2012 2013 2014 2015 2016
FTNT PANW CHKP
5%
7%
9%
11%
13%
15%
17%
19%
21%
2010 2011 2012 2013 2014 2015 2016
CHKP FTNT PANW
5 September 2017
Cybersecurity 156
Figure 273: Billings Indicates Recovery… Figure 274: ...Product and New Business Stabilizing
Billings in US$ thousand Product and Overall revenues in US$ thousands
Source: Company data, Credit Suisse Research. Source: Company data, Credit Suisse Research.
■ Leverage from Rising Subscriptions
Fortinet is also benefiting from a rising subscription mix, up ~5% over the last two years,
with GM rising from 71% to 75%. We see the rising mix of high-margin subscription as a
tailwind for GM, combined with investments made in go-to-market resulting in a higher OM
profile.
"We feel like we've built that go-to-market model out. … we guided operating margin
improvement after 2017 of 150 to 200 basis points per year, with the goal of reaching 25%
operating margins by 2022. So the goal is 25% operating margins by 2022. And then
we want to remain in the range of 25% to 30% thereafter…. the way you get there, again,
is drive the higher-margin recurring revenue streams, expand the gross margin"
- Andrew H. Del Matto, CFO, 13th June 2017
Figure 275: Subscription Mix Rising… Figure 276: …with a Rising Corp. Gross Margin
Fortinet Billings Mix Fortinet Gross Margin, %
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
$k
$200k
$400k
$600k
$800k
$1000k
$k
$50k
$100k
$150k
$200k
$250k
Jun-14 Jun-16
Current Billings/ (S+M employees)Billings TTM/ (S+M employees)
$k
$50k
$100k
$150k
$200k
$250k
Jun-14 Jun-16
Product/(S+M employees)Revenues/(S+M employees)
47% 47% 43%
51% 50% 55%
0%
25%
50%
75%
100%
2014 2015 2016
ProfessionalServices
Subscription,Support &Maintenance
Product
67.5%
70.0%
72.5%
75.0%
77.5%
2014 2015 2016 2017
Gross Margin (%)
5 September 2017
Cybersecurity 157
■ International Exposure and Diversified Customer Verticals
Fortinet also has a large international business, with ~60% of LTM revenues outside of the
Americas. In terms of customer verticals, service providers, governments and financial
services remain the biggest verticals (in terms of Billings). We do highlight that the
exposure to international markets also comes with potential FX impact as well as inherent
lumpiness from high exposure to a service provider.
"We are a little more exposed than other companies are to Europe because of our globally
distributed business."
- Kelly Blough, IR, 26 July 2017
Figure 277: International Business Accounts for
Majority of Sales…
Figure 278: ..with Service Providers, Govt, and
Financials Verticals Largest for Billings
Revenue by Geography LTM Verticals by bookings, LTM
Source: Company data. Source: Company data.
■ Appears Less Expensive on a Growth-Adjusted Basis
On a growth-adjusted basis, FTNT appears less expensive, almost across the board. We
would highlight that on a recurring revenue basis, it trades almost exactly in-line with
PANW. (Given FTNT's lower recurring rates, perhaps investors slightly undervalue
PANW's subscription and maintenance revenue stream?)
Figure 279: Valuation Matrix Metric Specific Growth Adjusted
Source: Company data, Credit Suisse estimates.
Americas
EMEA
APAC
42%
42%
37%
21%
FTNT
Service Provider
Government
Financial ServicesEducation
Retail
Others 20.5%
15.6%
12.0%10.1%
8.2%
33.5%
FTNT
Growth adjusted (metric specific)
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 1.75 1.70 0.77 0.67 0.44 0.41
EV/UFCF Adjusted for SBC 1.92 1.87 2.12 1.69 0.69 0.65
EV/UFCF Adjusted for LT Deferred 1.84 1.81 1.19 0.95 0.60 0.55
EV/UFCF Adjusted for SBC & LT Deferred 2.04 2.00 n/a n/a 1.21 1.07
Income Statement Multiples
EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22
EV/Non-GAAP Operating Income 2.32 2.24 0.94 0.83 0.87 0.76
Non-GAAP P/E 2.19 2.09 1.65 1.48 1.75 1.57
GAAP P/E 2.45 2.33 n/a n/a 1.09 0.87
EV/Recurring Revenue 1.10 1.06 0.26 0.23 0.25 0.24
CHKP PANW FTNT
5 September 2017
Cybersecurity 158
Figure 280: Valuation Matrix Revenue Growth Adjusted
Source: Company data, Credit Suisse estimates.
■ Becomes a Strategic Asset in a Consolidating Sector
We do appreciate the strategic value of Fortinet, the smallest of three firewall names
analyzed herein. One potential suitor for the company might be Symantec, which might
see value in combining firewall and Bluecoat proxy solutions in a consolidation play. This
becomes especially true if proxy becomes integrated into NGFW even more and
Symantec realizes that it has to offer a complete solution to be competitive.
On the other hand, Fortinet itself developed organically for the most part as a founder-led
company. Any potential strategic play would have material integration risk, in terms of
retaining top talent (including the founders). We note the debacle of the
Juniper-Netscreen acquisition, where the business struggled to survive as part of a larger
organization and lost share to rivals.
Growth adjusted (revenue growth)
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82
EV/UFCF Adjusted for SBC 2.25 2.19 1.79 1.42 1.38 1.30
EV/UFCF Adjusted for LT Deferred 2.16 2.12 1.01 0.80 1.20 1.10
EV/UFCF Adjusted for SBC & LT Deferred 2.39 2.35 n/a n/a 2.42 2.14
Income Statement Multiples
EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22
EV/Non-GAAP Operating Income 1.97 1.90 1.21 1.07 1.42 1.24
Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49
GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32
EV/Recurring Revenue 1.50 1.44 0.40 0.36 0.37 0.34
CHKP PANW FTNT
5 September 2017
Cybersecurity 159
Management and Board
Management
Fortinet remains a founder-led company. Brothers Ken and Michael Xie, who founded the
company together in 2000, serve as CEO and CTO, respectively. Other senior
management have a range of technical and industry experience. Philip Quade, the chief
security officer, previously led the Cyber Task Force at the NSA, for example.
Figure 281: FTNT Executive Management
Source: Company data, Credit Suisse estimates.
Fortinet management scores near the median on most of the metrics we track. C-Suite
experience is distributed mostly across CEO and VP level positions, with few former
CFOs. There is also limited financial services experience on the Fortinet management
team.
Name Compensation Beneficial ownership of shares C-Suite Experience
Position Year Prior Experience
Age Joined Salary ($) Bonus ($) Stock($) Number of Value of
Shares Shares
Ken Xie 2000 $437,750 $301,689 $1,474,006 12,481,891 $478,056,425 ■ Founder and Chief Executive Officer, Fortinet: 2000-2017
CEO and Chairman ■ Founder, President and Chief Executive Officer, NetScreen Technologies:1996-2000
54 ■ Founder, SIS: 1993-1996
■ MS: Stanford University, MS, BA: Tsinghua University
Michael Xie 2000 $386,250 $133,138 $1,343,805 12,432,000 $476,145,600 ■ Founder and Chief Technology Officer, Fortinet: 2000-2017
President, CTO, and Director ■ Former Vice President of Engineering, ServGate Technologies
48 ■ Former Software Director and Architech, NetScreen
■ MS: Tsinghua University, MS: University of Manitoba
Andrew Del Matto 2014 $403,143 $206,555 $975,303 31,541 $1,208,020 ■ Chief Financial Officer, Fortinet: 2014-2017
Chief Financial Officer ■ Various Executive Positions, including Chief Accounting Officer, Symantec: 2005-2013
58 ■ Senior Finance Leadership Roles, Inktomi
■ MBA: Golden Gate University, BS: Ohio University
John Whittle 2006 $354,868 $170,086 $975,303 64,158 $2,457,251 ■ Vice President and General Counsel, Fortinet: 2006-Present
VP, Corporate Development, ■ Vice President and General Counsel, Corio: 2000-2005
General Counsel ■ Attorney, Wilson Sonsin Goodrich & Rosati: 1996-2000
48 ■ JD: Cornell University, BA: University of Virginia
Philip Quade 2017 NA NA NA NA NA ■ Former NSA Director's Special Assistant for Cyber
Chief Information Security Officer ■ Former Chief of the NSA Cyber Task Force, with White House Relationship Responsibility
■ Former Chief Operating Officer, NSA Information Assurance Directorate
■ BS: University of Maryland
Patrice Perche 2004 NA NA NA NA NA ■ Executive Vice President, Fortinet: 2005-Present
Sr. EVP, Worldwide Sales ■ Co-Founder and CEO, Risc Group
■ Over 20 Years of IT Industry Experience
■ MS: Insa Lyon
John Maddison 2012 NA NA NA NA NA ■ Vice President, Fortinet: 2012-Present
SVP, Products and Solutions ■ Former General Manager and Senior Vice President, Trend Micro
■ Former Senior Director of Product Management, Lucent Technologies
■ BS: Plymouth University, United Kingdom
Lisa McGill 2016 NA NA NA NA NA ■ Former Senior Vice President, Brocade Communications
SVP, People ■ Former Senior Vice President, Foundry Networks
■ Held Various Senior Human Resources Positions at Alcatel and PricewaterhouseCoopers
■ MBA: Pepperdine University, BS: University of Phoenix
Stacey Wu 2016 NA NA NA NA NA ■ Former Vice President, Marketing and Demand Generation, Avaya
SVP, Global Marketing ■ Former Vice President, Strategic Marketing and Planning, Symantec
■ Held Various Marketing Leadership Positions at Check Point, NEC, and HP
■ MBA: Massachusetts Institute of Technology, BS: San Francisco State University
5 September 2017
Cybersecurity 160
Figure 282: Fortinet Scores Toward the Middle of
the Pack in Overall Experience
Figure 283: It Also Is Close to Average in C-Suite
Experience
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Board
Ken Xie and Michael Xie form the backbone of the board, but figures from outside tech,
such as Gary Locke, the former US ambassador to China, and William Neukom, the
former president of the American Bar Association, are also represented.
0 5 10 15 20 25 30 35
ORCL
VMW
AKAM
RHT
SPLK
FTNT
PANW
SYMC
NOW
HDP
CHKP
Management Experience Per Executive
Relevant Industry
Other Executive
CEO/CFO
Other Industry
Finance
0 5 10 15 20
ORCL
CHKP
VMW
RHT
SPLK
AKAM
FTNT
HDP
SYMC
PANW
NOW
Management C-Suite Experience Per Executive
VP CEO CFO
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
161
Figure 284: FTNT Board
Source: Company data, Credit Suisse estimates.
Name Beneficial ownership of shares Committee memberships C-Suite Experience
Position Director Independent Other Board Prior Experience and Principal occupation
Age Since? Director? Affiliations? Number of Value of Audit Comp. Gov.
Shares Shares
Ken Xie 2000 No 1 12,481,891 $478,056,425 ■ Founder and Chief Executive Officer, Fortinet: 2000-2017
CEO and Chairman ■ Founder, President and Chief Executive Officer, NetScreen Technologies:1996-2000
54 ■ Founder, SIS: 1993-1996
■ MS: Stanford University, MS, BA: Tsinghua University
Michael Xie 2001 No 0 12,432,000 $476,145,600 ■ Founder and Chief Technology Officer, Fortinet: 2000-2017
President, CTO, and Director ■ Former Vice President of Engineering, ServGate Technologies
48 ■ Former Software Director and Architech, NetScreen
■ MS: Tsinghua University, MS: University of Manitoba
Ming Hsieh 2013 Yes 1 5,332 $204,216 a a a ■ Chairman and Chief Executive Officer, Fulgent Therapeutics: 2012-Present
Director ■ President, 3M Cogent: 2010-2012
61 ■ Founder, President, and Chief Executive Officer, Cogent: 1990-2010
■ MS, BS: University of Southern California
Gary Locke 2015 Yes 2 13,750 $526,625 a ■ Chairman, Locke Global Strategies
Director Chair ■ United States Ambassador to China: 2011-2014
67 ■ United States Secretary of Commerce: 2009-2011
■ JD: Boston University, BA: Yale University
William Neukom 2013 Yes 1 39,275 $1,504,233 a a ■ Founder, President, and Chief Executive Officer, World Justice Project: 2006-Present
Director Chair ■ President, American Bar Association: 2007-2008
75 ■ Managing General Partner and Chief Executive Officer, San Francisco Baseball Associates: 2008-2011
■ LL.B: Stanford University, BA: Dartmouth College
Christopher Paisley 2004 Yes 5 68,275 $2,614,933 a a ■ Dean's Executive Professor of Accounting, Leavey School of Business: 2001-Present
Director Chair ■ Former Chief Financial Officer, 3Com: 1985-2000
64 ■ Director, Equinix
■ MBA: Universicle of California, Los Angeles, BA: University of California, Santa Barbara
Judith Sim 2015 Yes 0 15,000 $574,500 a ■ Chief Marketing Officer, Oracle: 2005-Present
Director ■ Various Marketing and Customer-Related Positions, Oracle: 1991-2005
48 ■ BS: University of California, Davis
5 September 2017
Cybersecurity 162
As with management, the board scores near average on most of the metrics on our
scorecard. Experience per director is close to the median, though the breadth of different
backgrounds is wider than most. In the aggregate, experience is slightly below average
since the board is small.
Figure 285: Fortinet Has a Wide Spectrum of
Experience on Its Board
Figure 286: Due to the Smaller Size, Aggregate
Experience Is Lower
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Fortinet has two law degrees on its board, more on a per-director basis than any other
company in our coverage. Gary Locke received a JD from Boston University and William
Neukom achieved an LLB from Stanford.
Figure 287: Fortinet Has More Law Degrees than Any Other Company in Our
Coverage Universe
Source: Company data, Credit Suisse estimates.
0 5 10 15 20 25 30 35 40
AKAM
CHKP
ORCL
SPLK
VMW
NOW
FTNT
RHT
PANW
HDP
SYMC
Board Experience Per Director
Relevant Industry
Other Executive
CEO/CFO
Other Industry
Finance
0 50 100 150 200 250 300 350 400
AKAM
ORCL
NOW
CHKP
SYMC
PANW
SPLK
VMW
RHT
FTNT
HDP
Aggregate Board Experience
Relevant Industry
Other Executive
CEO/CFO
Other Industry
Finance
0 0.5 1 1.5 2
SYMC
ORCL
RHT
FTNT
AKAM
NOW
HDP
CHKP
PANW
SPLK
VMW
Degrees Per Director
BA/BS
MBA
MS
JD
PhD
5 September 2017
Cybersecurity 163
Valuation We use Discounted Cash Flows to estimate the intrinsic value for FTNT at $33/share,
representing 14% downside. This informs our Underperform Rating, and is supported by
our multiples based relative valuation work. In addition, we have constructed blue-sky and
grey-sky scenarios. The Blue Sky assumes a 2.5% terminal growth rate, and the grey
assumes 0%, reflecting our view on the outlook for the space as a whole.
Figure 288: Blue-Sky/Grey-Sky Pricing Figure 289: Blue-Sky/Grey-Sky Schematic
Source: Check Point, Credit Suisse estimates. Source: Check Point, Credit Suisse estimates.
Target Scenario
Our base case assumes a five-year transition period, with FCF growth declining smoothly
from an estimated 5% in 2020. This scenario assumes the firewall market decelerates
broadly in-line with our expectations (we model a 1.5% terminal growth rate from 2026E),
and Fortinet is disproportionately impacted due to its exposure to service providers.
Blue-Sky Scenario
For our blue-sky scenario, we again model a five-year transition period but drive higher
free cash growth, which assumes Fortinet enjoys a stronger-than-expected appliance
refresh cycle tailwind, in addition to virtual firewall retaining more relevance than we
expect, and FTNT successfully sells into this virtual market. Our blue-sky scenario yields a
$44 warranted price, which represents 14% upside potential.
Grey-Sky Scenario
In the grey-sky scenario, we use a five-year transition period and lower free cash flow
growth assumption. The scenario results in a share price of $30, implying 23% downside
risk to the current share price. In this scenario, Fortinet struggles to attain significant virtual
share; this is against a backdrop of declining firewall relevance and significant price
pressures.
Current Price $38 16.4x FY18E uFCF (SBC adj.)
Target Price $33 -14% 13.5x FY18E uFCF (SBC adj.)
Blue Sky $44 14% 19.3x FY18E uFCF (SBC adj.)
Grey sky $30 -23% 11.7x FY18E uFCF (SBC adj.)
This scenario assumes the firewall market decelerates broadly in line with our
expectations (we model a 1% terminal growth rate from 2026E), and Fortinet is
disproportionately impacted due to its exposure to Service providers.
Fortinet enjoys a stronger than expected appliance refresh cycle tailwind in addition to
virtual firewall retaining more relevance than we expect, and FTNT successfully selling
into this virtual market.
Fortinet struggles to attain significant virtual share, this is against a backdrop of
declining firewall relevance and significant price pressures.
Target Price
Current Price
Grey Sky
Blue Sky
$33
$38
$30
$44
5 September 2017
Cybersecurity 164
Figure 290: Share Price Sensitivity to Cost of Equity and UFCF Growth Rate
Source: Company data, Credit Suisse estimates.
Figure 291: Fortinet Valuation Matrix
Source: Company data, Credit Suisse estimates.
Share price sensitivity to cost of equity and UFCF growth rate
Unlevered Free Cash Flow FY3 growth rate
33.46557 5.0% 7.0% 9.0% 11.0% 13.0% 15.0% 17.0% 19.0% 21.0%
8.0% $38 $40 $42 $44 $46 $48 $50 $52 $54
8.5% $37 $39 $40 $42 $44 $46 $48 $50 $52
9.0% $36 $37 $39 $40 $42 $44 $46 $48 $50
9.5% $35 $36 $38 $39 $41 $42 $44 $46 $48
Terminal 10.0% $34 $35 $37 $38 $40 $41 $43 $45 $46
Cost of 10.5% $33 $34 $36 $37 $39 $40 $42 $43 $45
Equity 11.0% $32 $34 $35 $36 $38 $39 $41 $42 $44
11.5% $32 $33 $34 $35 $37 $38 $40 $41 $43
12.0% $31 $32 $33 $35 $36 $37 $39 $40 $42
12.5% $30 $32 $33 $34 $35 $37 $38 $39 $41
13.0% $30 $31 $32 $33 $35 $36 $37 $39 $40
13.5% $30 $31 $32 $33 $34 $35 $36 $38 $39
14.0% $29 $30 $31 $32 $33 $35 $36 $37 $39
14.5% $29 $30 $31 $32 $33 $34 $35 $37 $38
Valuation Matrix 2015 (A) 2016 (A) 2017 (E) 2018 (E) NTM LTM
Sales $1,009 $1,275 $1,493 $1,657 2 $1,539 $1,331
EBITDA $133 $193 $238 $292 3 $253 $206
EPS $0.51 $0.74 $0.94 $1.10 4 $0.99 $0.80
CFO $283 $340 $466 $541 5 $505 $369
FCF $283 $340 $466 $541 6 $505 $369
UFCF $242 $268 $309 $439 7 $335 $313
EV/Sales 4.7x 3.8x 3.2x 2.9x 3.1x 3.6x
EV/EBITDA 35.9x 24.8x 20.1x 16.4x 18.9x 23.2x
P/E 72.2x 49.7x 39.1x 8.4x 9.3x 11.6x
EV/CFO 16.9x 14.1x 10.3x 8.9x 9.5x 13.0x
EV/FCF 16.9x 14.1x 10.3x 8.9x 9.5x 13.0x
EV/UFCF 19.8x 17.8x 15.5x 10.9x 14.3x 15.3x
EV/Sales 5.3x 4.2x 3.6x 3.2x 3.5x 4.0x
EV/EBITDA 40.4x 27.9x 22.6x 18.4x 21.3x 26.1x
P/E 72.2x 49.7x 39.1x 33.5x 37.3x 46.4x
EV/CFO 19.0x 15.8x 11.5x 10.0x 10.7x 14.6x
EV/FCF 19.0x 15.8x 11.5x 10.0x 10.7x 14.6x
EV/UFCF 22.3x 20.1x 17.4x 12.2x 16.1x 17.2x
y/y, % y/y, % y/y, % y/y, % CAGR
Revenue 31.0% 26.4% 17.0% 11.0% 18.0%
EBITDA 9.2% 44.9% 23.3% 22.4% 29.8%
EPS 7.0% 45.2% 27.3% 16.6% 29.2%
CFO 43.7% 20.4% 37.1% 15.9% 24.2%
FCF 43.7% 20.4% 37.1% 15.9% 24.2%
UFCF 50.2% 10.9% 15.1% 42.4% 22.0%
Esti
mate
sTarg
et
Cu
rre
nt
Gro
wth
5 September 2017
Cybersecurity 165
Figure 292: Fortinet DCF Scenarios
Source: Company data, Credit Suisse estimates.
‘
Target Price
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL TP Value distribution
2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity
Period 1 2 3 4 5 6 7 8 9 10
Current risk-free rate of return 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0%
Beta 1.40 1.40 1.40 1.40 1.40 1.40 1.40 1.40 1.33 1.26 1.20 1.13 1.07 1.00
Market rate of return 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%
Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2%
FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 6.5% 5.0% 4.4% 3.8% 3.3% 2.7% 2.1% 1.5%
Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80
Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 468 491 513 533 550 565 576 585 6,694
Stock Based Compensation Expense 31.1 41.3 66.6 87.1 99.8 111.9
SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5%
FCF adjusted for SBC 98.8 119.6 178.6 181.0 208.8 327.4 348.7 366.1 398.5 430.6 462.0 492.2 520.7 547.0 6,693.7
NPV of Free cash flow ($M) 196.7 281.9 266.4 248.2 240.6 232.4 223.6 214.5 205.1 2,391.7
Cumulative NPV of FCF ($M) 196.7 478.7 745.1 993.3 1,233.9 1,466.2 1,689.9 1,904.4 2,109.5 4,501
Cumulative NPV of FCF ($M) 4,501$
Shares outstanding (M) 178
NPV/Share of FCF 25$
(Net Cash) / Share 8.22$
Total NPV/Share 33
Current price / Share $38
Upside / Downside Potential -13%
Blue Sky
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value dist ribut ion
2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity
Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2%
FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 15.0% 12.0% 10.4% 8.8% 7.3% 5.7% 4.1% 2.5%
Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80
Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 505 566 625 680 729 771 802 822 10,622
Stock Based Compensation Expense 31.1 41.3 66.6 87.1 99.8 111.9
SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5% 0%
FCF adjusted for SBC 98.8 119.6 178.6 181.0 208.8 327.4 376.5 421.7 485.4 549.8 612.7 671.8 724.6 768.7 10,622.0
NPV of Free cash flow ($M) 196.7 281.9 287.7 285.9 293.0 296.7 296.6 292.8 285.4 3,795.3
Cumulative NPV of FCF ($M) 196.7 478.7 766.3 1,052.2 1,345.3 1,641.9 1,938.5 2,231.3 2,516.7 6,312
Cumulative NPV of FCF ($M) 6,312$
Shares outstanding (M) 178
NPV/Share of FCF 35
(Net Cash - 10% of Revenues) / Share 8.22$
Total NPV/Share 44
Current price / Share $38
Upside / Downside Potential 14%
Grey sky
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value dist ribut ion
2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity
Cost of equity 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.7% 12.3% 11.9% 11.5% 11.1% 10.7% 10.2%
FCF Growth Rate 23.8% 52.4% 9.3% 15.1% 42.4% 6.0% 3.0% 2.5% 2.0% 1.5% 1.0% 0.5% 0.0%
Discount Factor 1.06 1.16 1.31 1.48 1.66 1.85 2.07 2.29 2.54 2.80
Free cash flow ($M) 130.0 160.9 245.2 268.1 309 439 466 480 492 501 509 514 517 517 5,046
Stock Based Compensation Expense 31.1 41.3 66.6 87.1 99.8 111.9 0.0 0 0 0 0 0 0 0 0
SBC as % of FCF 24% 26% 27% 32% 32% 25% 25.5% 25.5% 22.3% 19.2% 16.0% 12.8% 9.7% 6.5% 0%
FCF adjusted for SBC 98.8 119.6 178.6 181.0 208.8 327.4 347.0 357.5 381.9 405.4 427.6 448.2 466.7 483.1 5,045.6
NPV of Free cash flow ($M) 197 282 265 242 231 219 207 195 184 1,803
Cumulative NPV of FCF ($M) 197 479 744 986 1,217 1,436 1,643 1,838 2,022 3,825
Cumulative NPV of FCF ($M) 3,825$
Shares outstanding (M) 178
NPV/Share of FCF 21.5
(Net Cash - 10% of Revenues) / Share 8.22$
Total NPV/Share 29.669834
Current price / Share $38
Upside / Downside Potential -23%
5 September 2017
Cybersecurity 166
HOLT
FTNT – HOLT Market-Implied Scenario and Sensitivity Analysis
Assuming margins rise from consensus levels of 10% to historical peak of 22%, FTNT’s
current price of $38 implies a sales CAGR of 8% over the next ten years
Figure 293: CFROI® (%) Figure 294: Valuation Sensitivity Analysis
Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
Assumptions and Methodology
■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4 onward are assumed to
rise up to 21.5% based on historical peak levels
■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, we solved for the implied
CAGR required to get to the respective values per share
■ Asset Efficiency: assumed constant from LFY levels
■ Fade Window: Used ten years of explicit forecasts for comparison with CHKP
■ Fade: After year ten, the HOLT methodology calculates the terminal value by fading
returns on capital and growth toward cost of capital and GDP growth, respectively
Figure 295: Operating Projections Implied by Current Price: $37 per Share
Source: HOLT, Credit Suisse Research.
5.9
16.8
0
3
6
9
12
15
18
2007 2011 2015 2019 2023
Historical CFROI Forecast Discount Rate
-200 bps 0 bps +200 bps +400 bps +600 bps +800 bps
6.0% 8.0% 10.0% 12.0% 14.0% 16.0%
- 1200 bps 9.5% $17 $20 $23 $27 $33 $40
- 900 bps 12.5% $21 $24 $29 $35 $42 $52
- 600 bps 15.5% $25 $29 $35 $42 $51 $64
- 300 bps 18.5% $28 $34 $41 $49 $61 $75
0 bps 21.5% $32 $38 $46 $57 $70 $87
+ 300 bps 24.5% $36 $43 $52 $64 $79 $98
26E EBITDA
Margins ˅
2018 - 2026 Sales CAGR
16.9
8.0
(10)
0
10
20
30
2007 2011 2015 2019 2023
Historical growth Forecast
9.5
21.5
0
8
16
24
32
2007 2011 2015 2019 2023Historical margins Forecast
Margins w/o SBC
Assumed long term margins to rise from
9.5% to historical peak of 21.5%
1 Solved for the long term sales CAGR
required to get to current price of $38
2
Consensus
Consensus
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
167
Figure 296: Fortinet Income Statement, Non-GAAP
Source: Company data, Credit Suisse estimates.
Fortinet (FTNT)
Income Statement$ in Millions except per share items
Fiscal year end: December 31
2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E)
Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18 2Q18 3Q18 4Q18 Full Year
Pro-Forma Income Statement
Product Revenue 476.8 124.6 136.6 128.0 158.9 548.1 135.3 142.7 138.2 168.5 584.6 138.0 148.4 142.4 175.2 603.9
Services and Other Revenue 532.5 160.0 174.8 188.7 203.9 727.3 205.3 220.8 232.9 249.2 908.2 248.9 257.7 267.2 279.3 1,053.1
Total Revenues 1,009.3 284.6 311.4 316.6 362.8 1,275.4 340.6 363.5 371.1 417.7 1,492.8 386.8 406.1 409.6 454.5 1,657.0
y/y change 31% 34% 30% 22% 22% 26% 20% 17% 17% 15% 17% 14% 12% 10% 9% 11%
Total Cost of Revenue, non-GAAP 274.0 74.1 79.8 79.4 85.3 318.6 85.6 90.6 92.2 105.6 374.1 94.5 100.1 99.0 114.6 408.2
Cost of Product Revenue 184.7 47.9 50.2 47.1 53.3 198.5 52.7 58.2 58.0 69.1 238.0 57.9 62.3 59.8 73.6 253.6
% product gross margin 61% 62% 63% 63% 66% 64% 61% 59% 58% 59% 59% 58% 58% 58% 58% 58%
Cost of Services and Other Revenue 89.3 26.2 29.6 32.3 32.0 120.1 33.0 32.4 34.2 36.6 136.1 36.5 37.8 39.2 41.0 154.5
% services gross margin 83% 84% 83% 83% 84% 83% 84% 85% 85% 85% 85% 85% 85% 85% 85% 85%
Non-GAAP Gross Profit 735.3 210.5 231.6 237.2 277.6 956.9 255.0 272.9 278.9 312.0 1,118.7 292.4 305.9 310.6 339.9 1,248.8
% Non-GAAP Gross Margin 73% 74% 74% 75% 76% 75% 75% 75% 75% 75% 75% 76% 75% 76% 75% 75%
Research and Development, non-GAAP 133.6 37.6 38.0 39.6 37.7 153.0 43.3 42.9 47.9 56.0 190.0 47.2 48.7 50.8 58.2 204.9
% of total revenue 13% 13% 12% 13% 10% 12% 13% 12% 13% 13% 13% 12% 12% 12% 13% 12%
Sales and Marketing, non-GAAP 420.9 130.3 145.7 137.5 144.9 558.4 151.4 146.6 155.9 167.1 620.9 170.0 170.6 170.0 172.7 683.2
% of total revenue 42% 46% 47% 43% 40% 44% 44% 40% 42% 40% 42% 44% 42% 42% 38% 41%
General and Administrative, non-GAAP 50.4 12.9 12.1 14.4 13.8 53.2 17.3 17.7 17.1 17.5 69.6 17.7 17.7 16.8 16.8 69.1
% of total revenue 5% 5% 4% 5% 4% 4% 5% 5% 5% 4% 5% 5% 4% 4% 4% 4%
Other non-GAAP Adjustments 2.9 0.4 0.3 0.2 0.0 0.8 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Total Operating Expenses, non-GAAP 602.0 180.4 195.6 191.3 196.4 763.8 212.0 207.2 220.8 240.6 880.5 235.0 237.0 237.6 247.7 957.2
y/y change 41% 37% 35% 23% 15% 27% 17% 6% 15% 22% 15% 11% 14% 8% 3% 9%
% of total revenue 60% 63% 63% 60% 54% 60% 62% 57% 60% 58% 59% 61% 58% 58% 55% 58%
Non-GAAP Operating Income 133.3 30.1 36.0 45.9 81.1 193.1 43.0 65.7 58.1 71.5 238.2 57.4 68.9 73.0 92.2 291.6
% Non-GAAP Operating Margin 13% 11% 12% 15% 22% 15% 13% 18% 16% 17% 16% 15% 17% 18% 20% 18%
Total Other Income (Expense), GAAP 2.1 0.4 0.4 1.1 -1.7 0.2 2.7 4.4 3.0 3.0 13.1 3.0 3.0 3.0 3.0 12.0
Income Before Taxes 135.5 30.5 36.3 47.0 79.4 193.3 45.7 70.1 61.1 74.5 251.3 60.4 71.9 76.0 95.2 303.6
Income Taxes 46.1 10.4 12.4 14.9 26.2 63.8 14.6 22.4 19.5 23.8 80.4 19.3 23.0 24.3 30.5 97.1
Effective Tax Rate 34% 34% 34% 32% 33% 33% 32% 32% 32% 32% 32% 32% 32% 32% 32% 32%
Non-GAAP Net Income 89.4 20.1 24.0 32.2 53.2 129.5 31.0 47.7 41.5 50.6 170.9 41.1 48.9 51.7 64.8 206.4TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE TRUE
Diluted Non-GAAP EPS $0.51 $0.12 $0.14 $0.18 $0.30 $0.74 $0.17 $0.27 $0.23 $0.27 $0.94 $0.22 $0.26 $0.27 $0.34 $1.10
Diluted Shares Outstanding 174.9 174.3 172.1 177.9 176.7 174.6 178.3 179.7 181.6 184.3 181.0 185.6 186.8 188.1 189.3 187.4
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
168
Figure 297: Fortinet Balance Sheet
Source: Company data, Credit Suisse estimates.
Fortinet (FTNT)
Balance Sheet$ in Millions except per share items
Fiscal year end: December 31
2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E)
Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18 2Q18 3Q18 4Q18 Full Year
Current Assets
Cash and cash equivalents 543.3 568.0 596.4 647.5 709.0 709.0 823.2 853.1 863.5 903.0 903.0 1,005.9 1,104.6 1,176.3 1,190.5 1,190.5
Short-term investments 348.1 384.6 388.4 382.9 376.5 376.5 375.4 354.2 354.2 354.2 354.2 354.2 354.2 354.2 354.2 354.2
Accounts receivable, net 259.6 220.1 254.4 239.0 313.0 313.0 270.1 274.5 271.4 352.9 352.9 302.4 307.4 303.7 370.1 370.1
Inventory 83.9 78.2 81.2 93.7 106.9 106.9 105.0 86.4 92.8 125.3 125.3 119.9 105.6 122.9 159.1 159.1
Prepaid expenses and other current assets 35.8 34.7 33.5 31.7 33.3 33.3 42.3 36.4 44.7 46.3 46.3 55.7 47.6 46.1 54.5 54.5Deferred cost of revenuesTotal Current Assets 1,270.5 1,285.7 1,353.9 1,394.9 1,538.7 1,538.7 1,616.1 1,604.6 1,626.5 1,781.7 1,781.7 1,838.1 1,919.4 2,003.2 2,128.4 2,128.4
Non-Current Assets
Long-term investments 273.0 241.9 237.2 240.2 225.0 225.0 242.3 257.6 257.6 257.6 257.6 257.6 257.6 257.6 257.6 257.6
Property and equipment, net 91.1 115.8 125.6 126.1 137.2 137.2 155.5 238.5 253.8 250.5 250.5 256.7 259.2 257.6 265.1 265.1Deferred cost of revenuesDeferred tax assets 119.2 131.7 180.8 189.4 182.7 182.7 199.2 207.0 216.7 227.1 227.1 228.2 235.4 241.7 281.8 281.8
Goodwill 4.7 4.7 14.2 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6 14.6
Intangible assets, net 17.6 16.5 31.5 27.8 24.8 24.8 22.5 20.3 18.3 16.5 16.5 14.9 13.5 12.1 11.0 11.0
Other assets 14.4 15.3 16.9 17.1 16.9 16.9 17.2 18.0 20.1 20.8 20.8 20.2 21.1 21.9 22.7 22.7
Total Assets 1,790.5 1,811.5 1,960.2 2,010.2 2,139.9 2,139.9 2,267.4 2,360.7 2,407.7 2,568.9 2,568.9 2,630.3 2,720.8 2,808.6 2,981.1 2,981.1
Current Liabil ities
Accounts payable 61.5 48.0 56.9 57.5 56.7 56.7 48.7 42.2 43.4 62.4 62.4 55.8 47.3 48.3 68.0 68.0
Accrued liabilities 33.0 33.5 32.9 37.3 35.6 35.6 43.4 41.2 40.8 45.9 45.9 42.5 44.7 45.1 50.0 50.0
Accrued payroll and compensation 61.1 58.2 70.8 65.6 78.1 78.1 73.2 80.3 70.5 79.4 79.4 73.5 77.2 77.8 86.4 86.4
Income taxes payable 8.4 9.2 8.2 7.8 13.6 13.6 14.1 15.2 15.2 15.2 15.2 15.2 15.2 15.2 15.2 15.2
Deferred revenue 514.7 538.4 563.2 582.1 645.3 645.3 677.1 706.7 738.5 812.3 812.3 848.9 891.3 935.9 1,001.4 1,001.4
Total Current Liabil ities 678.7 687.3 732.0 750.4 829.4 829.4 856.6 885.5 908.4 1,015.2 1,015.2 1,035.9 1,075.6 1,122.3 1,220.9 1,220.9
Non-Current Liabil ities
Deferred revenue, net of current 276.7 298.7 340.8 352.6 390.0 390.0 420.9 454.8 473.0 510.8 510.8 538.9 568.6 585.6 620.8 620.8
Income taxes payable 60.6 65.2 66.3 68.0 68.6 68.6 73.0 81.7 81.7 81.7 81.7 81.7 81.7 81.7 81.7 81.7
Other long-term liabilities 19.2 17.9 16.5 16.1 14.3 14.3 18.6 16.5 16.5 16.5 16.5 16.5 16.5 16.5 16.5 16.5
Total Liabil ities 1,035.1 1,069.1 1,155.6 1,187.1 1,302.3 1,302.3 1,369.1 1,438.6 1,479.6 1,624.3 1,624.3 1,673.1 1,742.4 1,806.1 1,939.9 1,939.9
Total Stockholders' Equity 755.4 742.4 804.6 823.1 837.7 837.7 898.2 922.1 928.1 944.6 944.6 957.2 978.4 1,002.5 1,041.2 1,041.2
Total Liabil ities + Stockholders' Equity 1,790.5 1,811.5 1,960.2 2,010.2 2,139.9 2,139.9 2,267.4 2,360.7 2,407.7 2,568.9 2,568.9 2,630.3 2,720.8 2,808.6 2,981.1 2,981.1
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
169
Figure 298: Fortinet Statement of Cash Flows
Source: Company data, Credit Suisse estimates.
Fortinet (FTNT)
Statement of Cash Flows$ in Millions except per share items
Fiscal year end: December 31
2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E)
Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17 2Q17 3Q17 4Q17 Full Year 1Q18 2Q18 3Q18 4Q18 Full Year
Net Income 8.0 -3.4 -1.4 6.3 25.2 26.6 10.7 23.0 16.7 23.7 74.1 14.4 21.6 24.8 35.9 96.7
y/y change
Depreciation and amortization 31.6 10.6 11.3 13.1 13.6 48.5 13.5 14.0 20.1 21.8 69.4 20.6 21.3 21.3 20.9 84.2
Amortization of investment premiums 7.5 1.5 1.3 1.0 1.0 4.8 1.0 0.5 0.0 0.0 1.4 0.0 0.0 0.0 0.0 0.0
Stock based compensation expense 95.1 30.9 28.4 31.1 32.1 122.4 33.3 35.1 35.3 38.8 142.5 38.2 39.6 39.3 42.7 159.9
Other non-cash items, net 3.4 -0.4 1.6 3.7 -2.2 2.6 1.5 0.2 0.0 0.0 1.7 0.0 0.0 0.0 0.0 0.0
Changes in Assets and Liabil ities: 137.0 61.5 21.3 21.0 31.4 135.2 69.8 71.9 17.8 17.9 177.3 94.9 78.5 44.7 -18.1 199.9
Accounts receivable -66.5 38.9 -36.9 10.8 -70.7 -57.9 42.4 -4.5 3.1 -81.5 -40.5 50.5 -5.1 3.8 -66.4 -17.2
Inventory -19.1 -0.5 -7.5 -16.5 -18.5 -43.0 -3.5 13.3 -6.3 -32.5 -29.1 5.4 14.3 -17.3 -36.2 -33.8
Deferred cost of revenues 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Deferred tax assets -29.9 -13.1 -14.0 -7.9 7.2 -27.8 -16.6 -7.8 -9.7 -10.4 -44.5 -1.1 -7.2 -6.2 -40.1 -54.7
Prepaid expenses and other current assets -2.6 1.0 1.4 1.9 -1.7 2.6 -8.3 5.0 -8.3 -1.6 -13.2 -9.4 8.1 1.5 -8.4 -8.2
Other assets 0.7 -0.9 -1.5 -0.2 0.2 -2.4 0.7 0.1 -2.1 -0.7 -2.0 0.6 -0.9 -0.8 -0.8 -1.9
Accounts payable -2.5 -11.4 11.3 -1.5 1.6 0.0 -8.3 -11.6 1.2 19.0 0.4 -6.6 -8.6 1.0 19.7 5.6
Accured liabilities 0.9 0.3 -6.7 7.0 -3.8 -3.2 2.9 -1.2 -0.4 5.1 6.5 -3.4 2.1 0.4 4.9 4.1
Accrued payroll and compensation 11.3 -2.9 11.6 -5.4 12.4 15.7 -5.3 6.8 -9.8 8.9 0.6 -5.9 3.7 0.7 8.5 7.0
Other liabilities 2.0 -1.3 -1.5 -0.3 -1.9 -5.0 -1.1 -1.6 0.0 0.0 -2.7 0.0 0.0 0.0 0.0 0.0
Deferred revenues 222.3 46.1 65.0 31.8 100.1 243.0 61.8 63.6 50.0 111.7 287.1 64.7 72.1 61.6 100.6 299.0
Income taxes payable 20.4 5.4 0.1 1.3 6.3 13.1 5.0 9.8 0.0 0.0 14.8 0.0 0.0 0.0 0.0 0.0
Cash Flow from Operations 282.5 100.6 62.4 76.1 101.0 340.2 129.7 144.8 89.8 102.2 466.4 168.1 161.0 130.1 81.4 540.7
Investments, net 74.4 -4.2 -0.1 0.5 19.0 15.1 -17.8 4.5 0.0 0.0 -13.3 0.0 0.0 0.0 0.0 0.0
Purchase of property and equipment -37.4 -30.0 -14.4 -5.9 -16.9 -67.2 -13.5 -86.4 -33.4 -16.7 -150.0 -25.1 -22.3 -18.4 -27.3 -93.2
Acquisitions, net of cash acquired -38.0 0.0 -20.7 -1.4 0.0 -22.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Other 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Cash Flow from Investing -1.0 -34.2 -35.2 -6.8 2.1 -74.1 -31.3 -81.8 -33.4 -16.7 -163.3 -25.1 -22.3 -18.4 -27.3 -93.2
Proceeds from issuance/(repurchase) of stock/options, net 67.3 17.8 5.2 19.3 2.6 44.9 29.5 12.3 0.0 0.0 41.8 0.0 0.0 0.0 0.0 0.0Proceeds from exercise of stock options 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0Taxes paid related to net share settlement of equity awards -28.9 -9.4 -7.9 -12.5 -8.4 -38.3 -13.7 -12.2 0.0 0.0 -25.9 0.0 0.0 0.0 0.0 0.0
Excess tax benefit from stock-based compensation 0.0 0.0 -1.6 0.0 0.0 -1.6 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0Repurchase of preferred stock 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0Repurchase of common stock -60.0 -50.0 0.0 -25.0 -35.8 -110.8 -25.0 -33.2 -46.0 -46.0 -150.2 -40.0 -40.0 -40.0 -40.0 -160.0
Cash Flow from Financing -21.6 -41.6 -4.4 -18.2 -41.6 -105.9 -9.2 -33.0 -46.0 -46.0 -134.2 -40.0 -40.0 -40.0 -40.0 -160.0
Cash and cash equivalents, beginning of period 286.2 546.2 571.0 593.8 644.9 546.2 706.4 795.6 825.5 835.9 706.4 875.4 978.3 1,077.0 1,148.7 875.4
Foreign exchange translation impact on cash 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Net increase (decrease) in cash 260.0 24.8 22.8 51.1 61.5 160.2 89.2 29.9 10.4 39.5 169.0 103.0 98.7 71.7 14.1 287.5
Cash and cash equivalents, end of period 546.2 571.0 593.8 644.9 706.4 706.4 795.6 825.5 835.9 875.4 875.4 978.3 1,077.0 1,148.7 1,162.8 1,162.8
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 September 2017
Cybersecurity 170
Credit Suisse PEERs PEERs is a global database that captures unique information about companies within the
Credit Suisse coverage universe based on their relationships with other companies – their
customers, suppliers and competitors. The database is built from our research analysts’
insight regarding these relationships. Credit Suisse covers over 3,000 companies globally.
These companies form the core of the PEERs database, but it also includes relationships
on stocks that are not under coverage.
Figure 299: Fortinet PEERs
Source: Company data, Credit Suisse estimates
5 September 2017
Cybersecurity 171
Check Point Software Technologies: Without a Box… Check!
Americas/United States Software
Check Point Software Technologies Ltd. (CHKP)
Rating NEUTRAL Price (01-Sep-17, US$) 110.89 Target price (US$) 110.00 52-week price range (US$) 115.72 - 74.81 Market cap(US$ m) 19,395 Target price is for 12 months.
Research Analysts
Brad A Zelnick
212 325-6118
Jobin Mathew
212 325 9676
Syed Talha Saleem, CFA
212 538 1428
Best of the Rest We initiate coverage of Check Point with a Neutral rating and a $110 target price,
reflecting 1% downside potential and 19.5x our 2018 earnings estimate. While
we are negative on the category as a whole, Check Point is our preferred firewall
play on a relative basis.
■ Best Placed to Weather Category Risks: Our analysis of category risks
suggests CHKP is substantially better placed to weather sector headwinds
compared with PANW and FTNT. We do not believe CHKP is the most at risk
on any single headwind we have identified.
■ Maturity & Discipline an Advantage: Ultimately, we expect the future
firewall market to be one in which the wisdom of age will trump the
exuberance of youth. CHKP is a highly disciplined wealth creator focused on
the long term. It is one of only 6% of >20k companies in Credit Suisse HOLT
to achieve an eCAP quality award. In addition, it benefits from abnormal
levels of incentive alignment and has exceptional price discipline.
■ Not Its First Rodeo: We take confidence in the fact CHKP has once already
traversed the transition from software to hardware in the mid-2000s. As the
hardware box & software attach trend reverses direction and this model
disaggregates, we expect the experience of a long-tenured management
team to be a distinct, albeit unquantifiable, advantage.
■ Firepower for Transformative M&A: We estimate Check Point could deploy
$10bn for transformative M&A. This is 80% more than PANW, and 130%
more than FTNT. In a market where we believe CHKP's core product to be
declining in relevance, the firepower to make strategically significant and
transformative acquisitions is a distinct competitive advantage.
■ Valuation: Our relative valuation shows CHKP to be substantially more
attractive than FTNT and CHKP on both cash flow and income statement
multiples. Value is most clearly discerned when adjusting uFCF for SBC (16x
vs PANW at 30x and FTNT at 18x CY18 EV/uFCF).
Share price performance
On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55
Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$77.98
Quarterly EPS Q1 Q2 Q3 Q4 2016A 1.06 1.09 1.13 1.46 2017E 1.20 1.26 1.24 1.48 2018E 1.31 1.37 1.38 1.60
Financial and valuation metrics
Year 12/15A 12/16A 12/17E 12/18E NON-GAAP EPS (CS adj., ) 4.18 4.72 5.18 5.66 Prev. EPS (CS adj., US$) P/E (CS adj.) (x) 26.5 23.5 21.4 19.6 P/E rel. (CS adj., %) - 111 112 114 Revenue (US$ m) 1,630 1,741 1,871 2,004 Non-GAAP Operating Income (US$ m)
927 948 1,003 1,069 Net Debt (US$ m) -3,615 -3,669 -3,731 -3,784 Unlevered Free Cash Flow (US$)
873 865 958 1,020 P/uFCF (x) 12.7 12.8 11.6 10.9
Number of shares (m) 174.90 Price/Sales (x) 10.22 Net debt (Next Qtr., US$ m) -3,774.8 Dividend (current, US$) - Dividend yield (%) - Source: Company data, Thomson Reuters, Credit Suisse estimates
5 September 2017
Cybersecurity 172
Check Point Software Technologies Ltd. (CHKP)
Price (01 Sep 2017): US$110.89; Rating: NEUTRAL; Target Price: US$110.00; Analyst: Brad Zelnick
Income Statement 12/15A 12/16A 12/17E 12/18E
Revenue (US$ m) 1,629.9 1,741.3 1,870.5 2,003.8 EBITDA 937.6 959.0 1,015.1 1,080.4 Operating profit 927.3 948.1 1,002.9 1,068.8 Recurring profit 961.4 992.5 1,045.1 1,110.0
Cash Flow 12/15A 12/16A 12/17E 12/18E
Cash flow from operations 917 925 1,022 1,085 CAPEX (17) (24) (30) (32) Free cashflow to the firm 900 901 992 1,053 Cash flow from investments (114) (24) (30) (32) Net share issue(/repurchase) (883) (859) (932) (1,000) Dividends paid 0 0 0 0 Issuance (retirement) of debt - - - - Other 24 15 (4) 0 Cashflow from financing activities (859) (844) (936) (1,000) Effect of exchange rates (11) (4) 6 0 Changes in Net Cash/Debt (68) 54 62 53 Net debt at end (3,615) (3,669) (3,731) (3,784)
Balance Sheet ($US) 12/15A 12/16A 12/17E 12/18E
Assets Other current assets 86 41 92 97 Total current assets 1,781 1,892 2,188 2,264 Total assets 5,070 5,218 5,506 5,638 Liabilities Short-term debt 0 0 0 0 Total current liabilities 1,057 1,166 1,297 1,432 Long-term debt 0 0 0 0 Total liabilities 1,538 1,727 1,990 2,205 Shareholder equity 3,532 3,491 3,516 3,434 Total liabilities and equity 5,070 5,218 5,506 5,638 Net debt (3,615) (3,669) (3,731) (3,784)
Per share 12/15A 12/16A 12/17E 12/18E
No. of shares (wtd avg) 183 173 167 162 CS adj. EPS 4.18 4.72 5.18 5.66 Prev. EPS (US$) Dividend (US$) 0.00 0.00 0.00 0.00 Free cash flow per share 4.91 5.20 5.96 6.50
Earnings 12/15A 12/16A 12/17E 12/18E
Sales growth (%) 9.0 6.8 7.4 7.1 EBIT growth (%) 7.0 2.2 5.8 6.6 Net profit growth (%) 7.1 6.8 5.4 6.2 EPS growth (%) 12.3 13.0 9.7 9.2 EBIT margin (%) 56.9 54.4 53.6 53.3
Valuation 12/15A 12/16A 12/17E 12/18E
EV/Sales (x) 9.68 9.03 8.37 7.79 EV/EBIT (x) 17.0 16.6 15.6 14.6 P/E (x) 26.5 23.5 21.4 19.6
Quarterly EPS Q1 Q2 Q3 Q4 2016A 1.06 1.09 1.13 1.46 2017E 1.20 1.26 1.24 1.48 2018E 1.31 1.37 1.38 1.60
Company Background
Check Point is a leading security software company. The first company to commercialize stateful firewall and VPN, Check Point now provides a wide range of security products across the Network, Endpoint, and Cloud security markets.
Blue/Grey Sky Scenario
Our Blue Sky Scenario (US$) 126.00
In our Blue Sky Scenario, Check Point unleashs balance sheet for transformative strategic M&A, which successfully enhances its ability to compete in a cloud-first world. Our blue sky scenario implies CHKP would trade on 16.8x 2018 UFCF.
Our Grey Sky Scenario (US$) 96.00
Check Point is unable to adapt in a world where enterprises transition to the cloud faster than we expect, and traditional network security is less relevant in cloud-first security architectures than we anticipate.
Share price performance
On 01-Sep-2017 the S&P 500 INDEX closed at 2476.55
Daily Sep02, 2016 - Sep01, 2017, 09/02/16 = US$77.98
Source: Company data, Thomson Reuters, Credit Suisse estimates
5 September 2017
Cybersecurity 173
CHKP: Our Take on the Key Debates Initiating Coverage with a Neutral rating and an $110 Target Price
While we view transitionary challenges as a negative influence on the category as a whole,
Check Point excels over peers in nearly every major identifiable headwind and is thus our
preferred firewall play.
Key Debates:
■ Is the Product Line-up Competitive? How does Check Point's solution stand up to those
of PANW, which has aggressively grown share?
■ Where Are Margins Heading? While Gross Margins have held up, operating margins
have been trending downward since 2012, with sales & marketing spend rising.
■ How Prepared Is CHKP for the Architectural Shift? As security shifts from physical
appliances to virtual ones, uncertainty surrounds the scalability and performance of legacy
security companies and their products in cloud architecture.
■ What’s the Value of CHKP’s Substantial Idle Cash Balance? CHKP’s total cash &
equivalents are 20% of its market cap, which, undistributed or reinvested, may appear to
be lost opportunity for greater returns.
Our Take:
■ Recognized Offerings, with a Fully Integrated Management Console: We believe
Check Point's solutions in the Enterprise Network Firewall and UTM space are among the
best, while CHKP management console's ability to implement a unified policy across the
entire infrastructure provides a point of differentiation against rivals.
■ Margins Are Optimized: While we recognize management's long-term value creation and
superlative discipline against competitive pricing pressures, we see Check Point's margin
structure at peak and see limited opportunities to expand it further.
■ Management Has Adapted Successfully in the Past: We take confidence in the fact that
CHKP already transitioned from software to hardware in the mid-2000s, and we believe
that the experience will prove advantageous in the reverse as the industry moves away
from hardware and toward cloud-based solutions.
■ Large Acquisition Capacity Will Be Major Strategic Advantage: We estimate CHKP
has $9.7 billion of total firepower (2.3x FTNT’s capacity and 1.8x PANW’s), which we
believe is strategically significant.
Risks:
■ Successful Transition Not Guaranteed: Strong management notwithstanding, CHKP
has ceded 337bps of market share since its peak in 2012 of ~12%.
■ Management May Be Conservative with Cash: We note that management has
amassed a cash pile and not yet unleashed it for transformative acquisitions, which might
indicate conservativeness and unwillingness for relatively large deals.
Estimates:
■ Revenue: We forecast FY17E/FY18E revenue growth at 7.5%/7.5% vs the consensus at
7.5 %/7.0%, respectively.
■ EPS: We forecast FY17E/18E EPS of $5.18/$5.66 in-line with Street estimates at
$5.18/$5.67, respectively.
Valuation: ■ DCF: Our discounted cash flow analysis suggests a target price of $110, implying 1%
downside potential and 14.5x EV/uFCF (2018).
5 September 2017
Cybersecurity 174
Key Charts
Figure 300: CHKP Has Lost Share Since 2012… Figure 301: ...but Margins Have Remained High
4Q rolling sum as share of total UTM and Firewall market Reported Adjusted Operating margin
Source: IDC, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
Figure 302: Better Placed for Sector Risks Figure 303:Significant Cash Balance
Exposure to Sector Headwinds Cash (onshore and offshore) as a % of market capitalization
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Figure 304: Balance Sheet Can Be Unleashed.. Figure 305: …Valuation Cheapest vs Peers
Assuming 3x leverage, Balance Sheet capacity vs Peers Valuation Analysis on EV/FCF basis
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
0%
10%
20%
30%
40%
50%
60%
70%
80%
2002 2004 2006 2008 2010 2012 2014 2016
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper
45%
50%
55%
60%
65%
2003 2009 2015
Adjusted operating margin
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕
Cisco increasingly competitive ○ ◕ ◑
Juniper has little share left to give ○ ● ◔
Cloud transitionary headwinds ◔ ◑ ◑
TAM expansion ◑ ◑ ●
Competition in the mid market ◑ ○ ●
Carrier Exposure ◔ ◑ ●
Total ◔ ◑ ◕
Who is best equipped to deal with…
4%
14%
18%
20%
23%
27%
29%
44%
0% 10% 20% 30% 40% 50%
Qualcomm Inc
Alphabet Inc
Intel Corp
Microsoft Corp
Check Point
Oracle Corp
Apple Inc
Cisco Systems Inc
$9.9bn
$5.4bn
$4.0bn
$0bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
CHKP PANW FTNT
14.9x12.2x
13.8x16.4x
19.2x
37.8x
0x
10x
20x
30x
40x
CHKP FTNT PANW
EV/UFCF, NTM
EV/UFCF Adjusted for SBC, NTM
5 September 2017
Cybersecurity 175
Company Positives
■ Check Point Has the Most Significant Fire Power
Our analysis of potential debt capacity shows that CHKP has substantial firepower. With
the highest EBITDA margin, liquid cash balance, and highest total cash & investments,
CHKP enjoys (by our estimation) 2.3x greater firepower than FTNT and 1.8x that of
PANW.
In a market where we believe CHKP's core product to be declining in relevance (see
Security as the mainframe), we view the firepower to make strategically significant and
transformative acquisitions as a distinct competitive advantage
Figure 306: We Estimate CHKP Has ~$10bn in
Aggregate Firepower…
Figure 307: … 2.3x the Capacity of FTNT, and More
than 1.8x Palo Alto Networks
US$ in millions, unless otherwise stated US$ in millions, unless otherwise stated
capc
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Figure 308: Check Point Has a Large Cash Balance
and No Debt…
Figure 309: … as a Percent of Market Cap This Is
Greater than Microsoft
in USD millions, unless otherwise stated Cash (onshore and offshore) as a % of market capitalization
Source: Company data, Credit Suisse estimates. Source: Credit Suisse HOLT, Credit Suisse Research.
Firepower analysis CHKP PANW FTNT
Earnings, NTM basis
EBITDA 1,083 394 279
Δ Deferred Revenue 178 412 250
Cash EBITDA 1,261 806 529
Deal related accretion (15% return) 774 460 383
Theoretical lending EBITDA 2,035 1,266 912
Cash, Next quarter
Liquid cash & investments* 1,380 1,170 964
Cash & investments 3,588 1,889 1,222
Theoretical debt capacity (3x)** 6,106 3,281 2,735
Liquid firepower 7,486 4,450 3,699
Total firepower 9,694 5,170 3,957
*Cash and ST investments adjusted for offshore cash (20% repatriation assumption)
and 10% of NTM revenue
** 3x theoretical lending EBITDA excluding outstanding debt
2.3x
1.4x
1x
$0bn
$2bn
$4bn
$6bn
$8bn
$10bn
$12bn
CHKP PANW FTNT
0
500
1,000
1,500
2,000
2,500
3,000
3,500
4,000
2003 2005 2007 2009 2011 2013 2015 2017
ST Marketable securities
LT Marketable securities
Cash & cash equivalents
4%
14%
18%
20%
23%
27%
29%
44%
0% 10% 20% 30% 40% 50%
Qualcomm Inc
Alphabet Inc
Intel Corp
Microsoft Corp
Check Point
Oracle Corp
Apple Inc
Cisco Systems Inc
5 September 2017
Cybersecurity 176
■ Best Positioned to Face Category Risks
In our ranking of relative exposure to category risks, Check Point appears the least
exposed. In fact, in no single measure have we ranked CHKP the most exposed on a
relative basis.
Figure 310: Relative Exposure to Sector Risks
Source: Credit Suisse Research.
■ Valuation
On valuation, we see Check Point as relatively better priced compared to firewall peers,
which currently trade at 14.5x CY18 EV/uFCF. We note that it looks even cheaper than
rivals, when adjusting for SBC & LT Deferred and similarly on a P/E basis (GAAP and
Non-GAAP).
Figure 311: Relative Valuation, Absolute Multiples
Source: Company data, Credit Suisse estimates.
Check Point Palo Alto Networks Fortinet
CHKP PANW FTNT
Architectural Shift to Cloud ◔ ◑ ◕Cisco increasingly competitive ○ ◕ ◑Juniper has little share left to give ○ ● ◔Cloud transitionary headwinds ◔ ◑ ◑TAM expansion ◑ ◑ ●Competition in the mid market ◑ ○ ●Carrier Exposure ◔ ◑ ●Total ◔ ◑ ◕
Who is best equipped to deal with…
Absolute Valuation Analysis
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 14.9x 14.5x 13.8x 12.0x 12.2x 11.5x
EV/UFCF Adjusted for SBC 16.4x 15.9x 37.8x 30.1x 19.2x 18.1x
EV/UFCF Adjusted for LT Deferred 15.7x 15.4x 21.3x 17.0x 16.8x 15.4x
EV/UFCF Adjusted for SBC & LT Deferred 17.4x 17.1x n/a n/a 33.8x 29.9x
Income Statement Multiples
EV/Sales 7.6x 7.4x 5.4x 5.0x 3.2x 3.1x
EV/Non-GAAP Operating Income 14.3x 13.8x 25.5x 22.6x 19.8x 17.4x
Non-GAAP P/E 20.5x 19.6x 44.2x 39.6x 38.8x 34.8x
GAAP P/E 23.2x 22.1x n/a n/a 92.7x 74.4x
EV/Recurring Revenue 10.9x 10.5x 8.3x 7.5x 5.1x 4.8x
CHKP PANW FTNT
5 September 2017
Cybersecurity 177
Figure 312: Valuation Matrix Revenue Growth Adjusted
Source: Company data, Credit Suisse estimates.
■ Check Point Is a Firm of Exceptional Quality
Highly Disciplined Capital Allocators
Check Point is both highly optimized and runs with superlative discipline. We think Credit
Suisse HOLT8 particularly well illustrates the quality of the business; having achieved over
ten years of ~20% CFROI returns, CHKP attains an eCAP award.
Only 6% of the ~20,000 companies tracked by HOLT achieve the conditions necessary to
be awarded an eCAP. It is awarded to those companies that have high economic return
(>8% CFROI), low volatility in returns (<30% CFROI variation), a favorable trend (>-0.10),
and sustainable levels of growth (<30%).
Figure 313: Quality Is Reflected in High and
Sustained CFROI®, and eCAP Qualification
Figure 314: Only 6% of Companies in HOLTs
Database of 20,000 Companies Achieve an eCAP
Check Point CFROI How many companies attain HOLT value awards
Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
Philosophy of Long-Term Value Creation
We think Check Point exhibits characteristics of a firm run for long-term shareholder value
creation. This discipline is evident in many metrics, not least operating margins, which are
both high and have remained remarkably stable despite tumultuous market forces.
8 Credit Suisse HOLT is a proprietary valuation tool that aims to convert income statement and balance sheet information into a Cash Flow Return on Investment (CFROI®). The goal is to help assess a company's underlying economics. A firm's CFROI can be compared directly with its real cost of capital (the investors' real discount rate) to see if the firm is creating economic wealth. By removing accounting and inflation distortions, the CFROI allows for global comparability across sectors, regions and time.
Growth adjusted (revenue growth)
NTM CY18 NTM CY18 NTM CY18
Cash Flow Statement Multiples
EV/UFCF 2.05 1.99 0.65 0.57 0.87 0.82
EV/UFCF Adjusted for SBC 2.25 2.19 1.79 1.42 1.38 1.30
EV/UFCF Adjusted for LT Deferred 2.16 2.12 1.01 0.80 1.20 1.10
EV/UFCF Adjusted for SBC & LT Deferred 2.39 2.35 n/a n/a 2.42 2.14
Income Statement Multiples
EV/Sales 1.05 1.01 0.26 0.24 0.23 0.22
EV/Non-GAAP Operating Income 1.97 1.90 1.21 1.07 1.42 1.24
Non-GAAP P/E 2.82 2.69 2.09 1.87 2.78 2.49
GAAP P/E 3.19 3.04 n/a n/a 6.63 5.32
EV/Recurring Revenue 1.50 1.44 0.40 0.36 0.37 0.34
CHKP PANW FTNT
0
5
10
15
20
25
30
35
40
1996 2000 2004 2008 2012 2016 2020 2024
Historical CFROI Forecast Discount Rate
Investible Universe
Super
eCAPs
2%
Wonderful Companies
Top 25% Sector-relative CFROI for 3
consecutive years
eCAPs
CFROI > 8% for at least 5 years
Low CFROI variation (<30%)
Favourable CFROI trend (>-0.10)
Sustainable levels of growth (<30%)
Super-eCAPs
CFROI > 8% for at least 10 years
Low CFROI variation (<15%)
Favourable CFROI trend (>-0.02)
Sustainable levels of growth (<40%)
5 September 2017
Cybersecurity 178
A cornerstone of this margin stability has been exceptional levels of price discipline. This is
particularly evident when we use IDC data to proxy ASP for CHKP through the period
(2009-2015) in which Palo Alto entered the market and proceeded to aggressively
compete for share. While a shorter-term, less disciplined operator may have responded to
this aggression by competing on price, CHKP instead appears to have increased its ASP
in the mid- and high-end (where PANW competes) from 2012 to present.
Figure 315: In Addition to High and Sustained
HOLT-Adjusted Operating Margin
Figure 316: Even in the Period Which Saw
Aggressive Competition from PANW, CHKP Did Not
Appear to Have Offered Substantial Discounts
HOLT-adjusted operating margin Check Point ASP (revenue/units)
Source: HOLT, Credit Suisse Research. Source: IDC, Credit Suisse Research.
True Shareholder Alignment with Management
We believe Check Point to benefit from an abnormal level of incentive alignment. CEO and
co-founder Gil Shwed is the largest shareholder, with ~25 million shares (15.4% of the firm)
as of the end of 2016. Marius Nacht, another co-founder, is the third largest shareholder,
with ~11 million shares (6.7% of the firm), and has been Check Point's
non-executive chairman since September 2015 after serving as its vice chairman from
2001.
In general, we believe the ~20% ownership by founders to be an almost undisputable
positive. As we note elsewhere, founder-led companies enjoy well-documented
advantages; they tend to outperform, deploy more cash toward R&D and capex, and enjoy
more efficient R&D.
We accept there remains a residual question mark over Marius Nacht's 40% reduction in
his CHKP stake through 2016.
Less Volatile than Peers…
CHKP shares have traded with lower volatility than both PANW and FTNT since both were
first publically traded, in 2012 and 2010, respectively.
0
20
40
60
1996 2000 2004 2008 2012 2016 2020 2024
Historical margins Forecast Margins w/o SBC
16,000
17,000
18,000
19,000
20,000
21,000
22,000
23,000
60,000
70,000
80,000
90,000
100,000
110,000
120,000
2009 2010 2011 2012 2013 2014 2015 2016
High-end ASP Mid-range ASP
5 September 2017
Cybersecurity 179
Figure 317: CHKP Has Experienced the Lowest Volatility
100 day rolling volatility of daily returns
Source: Thomson Reuters Datastream, Credit Suisse estimates.
■ Track Record of Innovation
Check Point practically created the firewall category in 1993 with the introduction of
FireWall-1. This was the first commercialized 'stateful' firewall, and Check Point is credited
with coining the term 'stateful'.
By 1996, IDC had named Check Point the leader in firewall market share with over 40% of
the market. Indeed FireWall-1 debuted just as the Internet was truly taking off, and 'that
and subsequent Check Point offerings are credited with helping define the nascent
markets for network security and virtual private networks.' (CIO, October 1st 2002, see
here)
In 2006, Check Point created an innovative unified management console, and in 2009, it
completed the acquisition of Nokia's security appliance business as well as FaceTime
communications and launched its extensible Software Blade architecture.
Not Its First Rodeo…
Originally a software only vendor, Check Point's move to sell integrated appliances
represented one of the original security software aggregation plays. Combining the
hardware and software adjacencies enabled (at the time) Check Point to substantially
expand its TAM, increase its average price point (appliance price points were 1.5-2.0x that
of the underlying software). As we have discussed, we now believe the opposite to be
occurring; hardware and software adjacencies are disaggregated as enterprises shift to
the cloud. Given CHKP is in some ways returning to its roots, this gives us some comfort
that it may be more capable than peers of weathering this transition.
■ High, If Not Superior, Quality of Product Offerings
Check Point has been a leader of Gartner's Enterprise Network Firewall Magic Quadrant
from 1999 to 2002, and then from 2004 to present. In addition to strength in enterprise
offerings, Check Point has also been a leader in Gartner's Unified Threat Management
(UTM) Magic Quadrant (SMB focused) since 2010.
In addition to recognition from Gartner, Check Point has been a recipient of 'Recommend'
ratings from NSS Labs for Next Generation Firewall (2011-2016), Network Firewall
(2011-2013), IPS (2011-2013), and Breach Detection Systems (2015-2016).
0
0.01
0.02
0.03
0.04
0.05
2010 2011 2012 2013 2014 2015 2016 2017
CHKP PANW FTNT
5 September 2017
Cybersecurity 180
Figure 318: CHKP Has Maintained a Leadership
Position in Gartner's Magic Quadrant for Enterprise
Network Firewall's Since Before 2006
Figure 319: With the Exception of 2009, CHKP Has
Also Maintained a Leadership Position in the Magic
Quadrant for Unified Threat Management
Estimated based on 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016 and 2017 Enterprise Network Firewall Magic Quadrants
Estimated based on 2009, 2010, 2012, 2013, 2014, 2015, 2016 and 2017 UTM (SMB multifunction firewall) Magic Quadrants
Source: Gartner, Credit Suisse Research. Source: Gartner, Credit Suisse Research.
As a result of our field work and broader research, we are convinced the single
management console approach is a generator of competitive advantage. The consistency
inherent in the ability to implement unified policy across the entire infrastructure in a single
pane of glass, unified and fully integrated console appears preferred by customers.
Figure 320: Check Point Seems to Have a More
Thoughtful Pricing Strategy in the Cloud
Figure 321: …PANW VM Pricing Strategy in the
Cloud Takes a One Size Fits All Approach
Check Point AWS Pricing Palo Alto Networks AWS Pricing
Source: AWS, Company data, Credit Suisse estimates. Source: AWS, Company data, Credit Suisse estimates.
Check Point Check Point
5 September 2017
Cybersecurity 181
We also note that Check Point appears to have a much more thoughtful VM pricing
strategy for the cloud, with hourly software costs rising with more demanding workloads.
On the other hand, Palo has a one-size-fits all approach with the same hourly pricing
irrespective of workload or AWS instance. We see Check Point's approach as more
suitable and capturing greater value.
5 September 2017
Cybersecurity 182
Company Negatives
■ Empirically CHKP Have Lost Market Share
CHKP has empirically lost market share in the Palo Alto era; from a peak share of ~21% of
the combined firewall and UTM market in mid-2012, CHKP has ceded 337bps of share.
While not egregious share loss by any measure, we recognize this as a risk should
attrition sustain. Going forward, we note that competitive losses will pressure company's
ability to attach and cross-sell further services.
Figure 322: CHKP Has Lost Share Since 2012…
Figure 323: … When It Began to Under-Grow the
Market
4Q rolling sum as share of total UTM and Firewall market Total UTM and Firewall Market revenue growth, y/y %
Source: IDC, Credit Suisse Research. Source: IDC, Credit Suisse Research.
■ Is Conservatism a Risk?
Check Point has maintained a cash balance of around $3.5bn since 2013, in part due to
tax constraints that have since been lifted as of 2015. While we address this specifically as
a company positive, the fact it has amassed this cash pile and not yet unleashed it for
transformative acquisitions raises a question mark for us. Might Check Point be too
conservative to use its firepower to acquire its way out of a market position challenged by
architectural changes? We believe there are a number of assets for purchase that can
propel Check Point’s position in cloud and virtual security and diversify itself from declining
relevance of core firewall.
0%
10%
20%
30%
40%
50%
60%
70%
80%
2002 2004 2006 2008 2010 2012 2014 2016
Others
Fortinet
Check Point
Palo Alto
Cisco
Juniper
0%
10%
20%
30%
40%
50%
60%
70%
2010 2011 2012 2014 2015 2017
Market, y/y, % Check Point, y/y, %
5 September 2017
Cybersecurity 183
Figure 324: Check Point Has Maintained Substantially More Cash on Its Balance
Sheet as a % of Market Cap than the Average Across the S&P500
US$ in millions, unless otherwise stated
Source: Thomson Reuters Datastream, Credit Suisse Research.
■ Margin Erosion Remains a Risk
Check Point achieves excellent operating margins on an absolute basis and remarkable
margins on a relative basis. If we look at adjusted operating margin across the software
universe, Check Point has the highest margin of the 50 largest software companies by
market capitalization. We use HOLT-adjusted operating margin for our analysis. Unlike the
traditional operating margin metrics, HOLT's operating margins are not reduced by
expenses for stock options, R&D, or rent to better reflect the cash generation of the
operating entity.
Figure 325: Check Point Has the Highest HOLT Operating Margins of the 50 Largest Software Companies
HOLT adjusted Operating Margin, LFY, %
Source: Credit Suisse HOLT®, Credit Suisse Research.
0%
10%
20%
30%
40%
2003 2005 2007 2009 2011 2013 2015 2017
Cash on balance sheet as a % of market cap, US Check Point cash as % of market cap
60.4
%56
.4%
53.9
%49
.4%
48.0
%47
.8%
46.9
%45
.7%
45.7
%44
.8%
44.5
%44
.3%
43.8
%43
.1%
42.7
%42
.4%
39.8
%39
.3%
38.8
%37
.0%
36.0
%35
.3%
35.2
%32
.2%
30.9
%30
.5%
30.3
%30
.1%
29.9
%29
.6%
25.4
%23
.5%
23.3
%21
.0%
20.0
%19
.3%
19.1
%16
.3%
16.2
%16
.0%
15.4
%13
.9%
13.5
%13
.4%
13.4
%10
.4%
7.0%
6.4%
5.5%
2.9%
2.3%
1.7%
-0.4
%-0
.9%
-2.8
%-2
.9%
-9%
-11%
CH
KP
OR
CL
CA
INT
UO
TE
XP
RG
SA
DB
EM
SF
TC
TX
SV
MW
NS
RT
DC
MA
NH
TE
AM
QLY
SM
ST
RS
YM
CN
ICE
VE
EV
RH
TS
NC
RC
YB
RN
UA
NV
RN
TLO
GM
GW
RE
RP
CU
DA
PE
GA
PA
YC
ULT
IA
DS
KC
RM
FT
NT
WD
AY
DA
TA
MIM
EP
CT
YS
AP
BN
FT
TW
LOR
NG
CA
LDE
GH
TN
OW
PF
PT
NE
WR
HU
BS
CS
OD
RP
DIM
PV
PA
NW
BO
XZ
EN
PR
OT
LND
FE
YE
SP
LK
5 September 2017
Cybersecurity 184
Adjusted operating margin has been in a band of 50-60% since 2003, although it has
come down slightly since 2012 (~60% to ~54%) before stabilizing in recent quarters.
Although we recognize CHKP has successfully weathered investor concern around the
margin for more than a decade, there remains risk should the margin erode. Quite frankly,
there is equal risk as well in CHKP’s willingness to invest and reduce margins; leading
industry margins, while a very enviable distinction, poses some risks. Given our arguments
around price pressures in a cloud transition, we think this risk may be somewhat increased
relative to history. At the same time, we appreciate Check Point has always solved for
profit and cash flow growth, not necessarily margin percentage, and has managed well.
Figure 326: CHKP Has Maintained Remarkably High Adjusted Operating
Margins of >50%...
Reported Adjusted Operating Margin, %
Source: Company data, Credit Suisse Research.
■ Limited Disclosure
Check Point as an Israeli-domiciled company is subject to less transparent disclosure
requirements relative to US-based companies. The foreign private issuer status enjoyed
by CHKP means, among other things, it is exempt from proxy rule and from filing
beneficial ownership reports and may use 'particular registration and reporting forms
designed specifically for them'. For full details regarding these disclosure rules, section III
of the SEC foreign issuers overview should be referenced. (See here.)
45%
50%
55%
60%
65%
2003 2005 2007 2009 2011 2013 2015 2017
Adjusted operating margin
5 September 2017
Cybersecurity 185
Management and Board Management
Check Point remains very much a founder-led organization, with Gil Shwed serving as
CEO since he founded the company in 1993. Dorit Dor, the vice president of products,
serves in the firm's highest level technical role. She holds a Ph.D. in computer science
from Tel Aviv University and was the 1995 recipient of the Israeli National Defense Prize.
Figure 327: Check Point Executive Management
Source: Company data, Credit Suisse Research.
Board of Directors
The influence of the founders is also very apparent on the board, with co-founder Marius
Nacht serving as chairman. The board also has its fair share of impressive industry
veterans, with ample Israeli and American venture capital and tech experience
represented.
Name Compensation Beneficial ownership of shares C-Suite Experience
Position Year Prior Experience
Age Joined Salary ($) Bonus ($) Stock($) Number of shares Value of shares
Gill Shwed 1993 $14,800 NA $35,531,800 30,823,912 $3,513,925,968 ■ Founder and Chief Executive Officer, Check Point
Founder and CEO ■ Considered the Inventor of the Modern Firewall
48 ■ Honorary Doctor of Science, Tel Aviv University
■ MS: Tel Aviv University, BS: Hebrew University of Jerusalem
Amnon Bar-Lev 2005 $393,200 $89,400 $4,786,100 NA NA ■ President, Checkpoint: 2005-2017
President ■ Chief Executive Officer, Xpert Integrated System
■ Distinguished service in Israeli Air Force
■ BA: Tel Aviv University
Dorit Dor 1995 $325,100 $76,200 $3,550,000 NA NA ■ Various Research and Development Roles, Check Point: 1995-2017
Vice President of Products ■ Published in several scientific journals
■ 1993 Recipient of the Israeli National Defense Prize
■ PhD, MS, BS: Tel Aviv University
Tal Payne 2008 $213,300 $90,500 $3,196,000 NA NA ■ Chief Financial Officer, Check Point: 2008-2017
CFO and COO ■ Chief Financial Officer and Vice President of Finance, Gilat Satellite Networks
45 ■ CPA, PricewaterhouseCoopers
■ MBA, BA: Tel Aviv University
Sources: Check Point 2017 Proxy Statement, Company Website, Bloomberg
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
186
Figure 328: CHKP Board
Source: Company data, Credit Suisse estimates.
Name Beneficial ownership of shares Committee memberships C-Suite Experience
Position Director Independent Other Board Prior Experience and Principal occupation
Age Since? Director? Affiliations? Number of shares Value of shares Audit Compensation Governance
Marius Nacht 1993 No 1 11,214,986 $1,278,508,404 ■ Founder and Chairman, Check Point Technologies
Founder and Chairman ■ Senior Vice President, Check Point: 1999-2005
55 ■ Vice President of International Operations, Check Point: 1993-1999
■ MS: Tel Aviv University, BS: Hebrew University of Jerusalem
Gill Shwed 1993 No 1 30,823,912 $3,513,925,968 ■ Founder and Chief Executive Officer, Check Point
Founder and CEO ■ Considered the Inventor of the Modern Firewall
48 ■ Honorary Doctor of Science, Tel Aviv University
■ MS: Tel Aviv University, BS: Hebrew University of Jerusalem
Jerry Ungerman 2005 No 0 NA NA ■ Vice Chairman, Check Point
Vice Chairman ■ Various Executive Positions, including President and Executive Vice President, Check Point: 2001-2005
72 ■ Former Executive Vice President, Hitachi Data Systems
■ BS: University of Minnesota
Dan Propper 2006 Yes 2 NA NA ■ Chairman and CEO, Osem Group: 1981-2006
Director ■ President, Israeli Manufacturer's Association
76 ■ Honorary Doctorate: Technion - Israel Institute of Technology
■ BS: Technion - Israel Institute of Technology
Ray Rothrock 1995 Yes 2 NA NA a a a ■ Chairmand and CEO, RedSeal Networks: 2014-Present
Director ■ General Partner, Venrock: 1988-2013
60 ■ Participant in White House Cybersecurity Summit
■ MBA: Harvard Business School, MS: Massachusetts Institute of Technology, BS: Texas A&M University
David Rubner 1999 Yes 4 NA NA a a ■ Chairman and CEO, Rubner Technology Ventures
Director ■ General Partner, Hyperion Israel Advisors
77 ■ President and CEO: ECI Telecommunications: 1991-2000
■ BS: Quuen Mary College, University of London, MS: Carnegie Mellon University
Tal Shavit 2000 Yes 0 NA NA a ■ Organizational Consultant Specializing in Israeli-American Collaboration
Director ■ Consults with Companies Undergoing Structural Change
■ Work Emphasized Mergers and Acquisitions
Yoav Chelouche 2006 Yes 5 NA NA a a ■ Managing Partner, Aviv Venture Capital: 2000-Present
Director ■ President and CEO, Scitex: 1994-2000
62 ■ Various Managerial Positions, Scitex: 1979-1994
■ MBA: INSEAD, BA: Tel Aviv University
Irwin Federman 1995 Yes 3 NA NA a a a ■ General Partner, US Venture Partners: 1990-2017
Director ■ President and CEO, Monolithic Memories: 1981-1988
81 ■ Chairman, Mellanox Technologies
■ BA: Brooklyn College
Guy Gecht 2006 Yes 1 NA NA a a ■ Chief Executive Officer, Electronics for Imaging: 2000-2017
Director ■ Various Positions, including President, Electronics for Imaging: 1995-2000
52 ■ Director of Engineering, Interro Systems: 1993-1995
■ BS: Ben Gurion University
Sources: Check Point 2017 Proxy Statement, Company Website, Bloomberg
5 September 2017
Cybersecurity 187
Check Point has the most finance-oriented board in our coverage universe. Notably, all of
this finance experience comes from venture capital.
Figure 329: Check Point’s Board Has Disproportionate Venture Capital
Representation
Source: Company data, Credit Suisse estimates.
In contrast with the executive team, the board is actually the most experienced group of
directors for any company in our coverage universe besides Oracle. While the
management team is relatively young, the board is second oldest, also to Oracle.
Figure 330: CHKP’s Board Is Second Oldest and… Figure 331: Second Most Experience, Both to Oracle
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
0 2 4 6 8 10
CHKP
SYMC
SPLK
RHT
HDP
PANW
AKAM
NOW
VMW
ORCL
FTNTAverage Financial Experience
Per Board Member
VC
Banking
PE
-10 -8 -6 -4 -2 0 2 4 6 8 10
ORCL
CHKP
AKAM
RHT
FTNT
SPLK
VMW
NOW
SYMC
PANW
HDP
Board Age Deviation from Average
0 5 10 15 20 25 30 35 40
AKAM
CHKP
ORCL
SPLK
VMW
NOW
FTNT
RHT
PANW
HDP
SYMC
Board Experience Per Director
Relevant Industry
Other Executive
CEO/CFO
Other Industry
Finance
5 September 2017
Cybersecurity 188
Valuation
Discounted Cash Flows
We use Discounted Cash Flows to estimate the intrinsic value for CHKP at $110/share,
representing 1% downside. This informs our Neutral Rating, and is supported by our
multiples based relative valuation work. In addition, we have constructed blue-sky and
grey-sky scenarios. The Blue Sky assumes a 2.5% terminal growth rate, and the grey
assumes 0%, reflecting our view on the outlook for the space as a whole.
Figure 332: Blue-Sky/Grey-Sky Pricing Figure 333: Blue-Sky/Grey-Sky Schematic
Source: Check Point, Credit Suisse estimates. Source: Check Point, Credit Suisse estimates.
Target Scenario
Our base case assumes a five-year transition period with FCF growth declining smoothly
from an estimated 7.5% in 2020. This scenario assumes the firewall market decelerates
broadly in-line with our expectations and Check Point successfully weathers the transition,
but is then, more than ever, a lower growth, true legacy vendor. This scenario results in a
target price of $110, implying downside of 1%.
Blue-Sky Scenario
For our blue-sky scenario, we again model a five-year transition period but drive higher
free cash growth, assuming Check Point unleashes its balance sheet for transformative
strategic M&A, which is ultimately successful. Our blue-sky scenario yields a $126
warranted price, which represents 14% upside potential.
Grey-Sky Scenario
In the grey-sky scenario, we use a five-year transition period and lower free cash flow
growth assumption. The scenario results in a share price of $96, representing 13%
downside risk to the current share price.
In this scenario, Check Point is unable to adapt in a world where enterprises transition to
the cloud faster than we expect, and traditional network security is less relevant in
cloud-first security architectures.
Current Price $111 15.7x FY18UFCF (adj for SBC)
Target Price $110 15.5x FY18UFCF (adj for SBC) -1%
Blue Sky $126 18.4x FY18UFCF (adj for SBC) 14%
Grey sky $96 13.0x FY18UFCF (adj for SBC) -13%
The firewall market decelerates broadly in line with our expectations, and Check Point
successfully weathers the transition, but is then, more than ever, a lower growth, true
'legacy' vendor.
In our Blue Sky Scenario, Check Point unleashs balance sheet for transformative
strategic M&A, which successfully enhances its ability to compete in a cloud-first world.
Our blue sky scenario implies CHKP would trade on 16.7x 2018 UFCF.
Check Point is unable to adapt in a world where enterprises transition to the cloud
faster than we expect, and traditional network security is less relevant in cloud-first
security architectures than we anticipate.
Target Price
Current Price
Grey Sky
Blue Sky
$110$111
$96
$126
5 September 2017
Cybersecurity 189
Figure 334: Check Point Software Discounted Cash Flow (DCF) Analysis
Source: Company data, Credit Suisse estimates.
Target Price
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL TP Value distribution
2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity
Period 1 2 3 4 5 6 7 8 9 10
Current risk-free rate of return 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0% 4.0%
Beta 0.72 0.72 0.72 0.72 0.72 0.72 0.72 0.72 0.77 0.81 0.86 0.91 0.95 1.00
Market rate of return 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%
Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2%
FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 8.0% 7.5% 6.5% 5.5% 4.5% 3.5% 2.5% 1.5%
Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25
Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,101 1,184 1,261 1,330 1,390 1,438 1,474 1,497 17,123
Stock Based Compensation Expense 41.3 50.5 60.8 68.2 72.0 76.2
SBC as % of FCF 6.4% 7.0% 7.0% 7.9% 7.5% 7.5% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5%
FCF adjusted for SBC 604.1 666.4 812.2 797.3 885.6 943.4 1,018.9 1,095.3 1,168.5 1,234.9 1,292.8 1,340.3 1,376.2 1,399.3 17,123.2
NPV of Free cash flow ($M) 850.3 852.0 848.1 840.4 824.2 798.6 764.3 722.7 674.9 7,617.1
Cumulative NPV of FCF ($M) 850.3 1,702.3 2,550.4 3,390.8 4,215.0 5,013.5 5,777.9 6,500.6 7,175.4 14,793
Cumulative NPV of FCF ($M) 14,793$
Shares outstanding (M) 168
NPV/Share of FCF 88$
(Net Cash) / Share 21.62$
Total NPV/Share 110
Current price / Share $111
Upside / Downside Potential -1%
Blue Sky
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL BS Value dist ribut ion
2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity
Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2%
FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 10.0% 10.0% 8.8% 7.5% 6.3% 5.0% 3.8% 2.5%
Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25
Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,122 1,234 1,342 1,442 1,532 1,609 1,669 1,711 22,107
Stock Based Compensation Expense 41.3 50.5 60.8 68.2 72.0 76.2
SBC as % of FCF 6% 7% 7% 8% 8% 7% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5% 0%
FCF adjusted for SBC 604.1 666.4 812.2 797.3 885.6 943.4 1,037.7 1,141.5 1,243.6 1,339.2 1,425.3 1,499.2 1,558.1 1,599.9 22,106.9
NPV of Free cash flow ($M) 850.3 852.0 863.8 875.8 877.1 865.9 842.7 808.3 764.1 9,834.0
Cumulative NPV of FCF ($M) 850.3 1,702.3 2,566.1 3,442.0 4,319.1 5,185.0 6,027.8 6,836.1 7,600.2 17,434
Cumulative NPV of FCF ($M) 17,434$
Shares outstanding (M) 168
NPV/Share of FCF 104
(Net Cash - 10% of Revenues) / Share 21.62$
Total NPV/Share 126.00
Current price / Share $111
Upside / Downside Potential 14%
Grey sky
HISTORIC FORECAST PERIOD TRANSITIONARY PERIOD TERMINAL GS Value dist ribut ion
2013A 2014A 2015A 2016A 2017E 2018E 2019E 2020E 2021E 2022E 2023E 2024E 2025E 2026E Perpetuity
Equity Risk Premium 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2% 6.2%
Cost of equity 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.5% 8.8% 9.1% 9.4% 9.7% 9.9% 10.2%
FCF Growth Rate 11.1% 21.8% -0.9% 10.7% 6.5% 7.0% 5.0% 4.2% 3.3% 2.5% 1.7% 0.8% 0.0%
Discount Factor 1.04 1.11 1.20 1.30 1.42 1.55 1.69 1.85 2.04 2.25
Free cash flow ($M) 645.3 716.9 873.0 865.5 958 1,020 1,091 1,145 1,193 1,233 1,264 1,285 1,296 1,296 12,652
Stock Based Compensation Expense 41.3 50.5 60.8 68.2 72.0 76.2 0.0 0 0 0 0 0 0 0 0
SBC as % of FCF 6% 7% 7% 8% 8% 7% 7.5% 7.5% 7.3% 7.1% 7.0% 6.8% 6.7% 6.5% 0%
FCF adjusted for SBC 604.1 666.4 812.2 797.3 885.6 943.4 1,009.4 1,059.9 1,106.0 1,144.9 1,175.5 1,197.2 1,209.3 1,211.4 12,652.1
NPV of Free cash flow ($M) 850 852 840 813 780 740 695 646 593 5,628
Cumulative NPV of FCF ($M) 850 1,702 2,543 3,356 4,136 4,876 5,571 6,217 6,810 12,438
Cumulative NPV of FCF ($M) 12,438$
Shares outstanding (M) 168
NPV/Share of FCF 74.2
(Net Cash - 10% of Revenues) / Share 21.62$
Total NPV/Share 96.00
Current price / Share $111
Upside / Downside Potential -13%
5 September 2017
Cybersecurity 190
HOLT
CHKP – HOLT Market-Implied Scenario and Sensitivity Analysis
Assuming stable margins at 50%, CHKP’s current price of $111 implies a sales CAGR of
5% over the next 10 years
Figure 335: CFROI® (%) Figure 336: Valuation Sensitivity Analysis
Source: HOLT, Credit Suisse Research. Source: HOLT, Credit Suisse Research.
Assumptions and Methodology
■ EBITDA Margins: FY1-FY3 based on IBES estimates; FY4-FY10 assumed at 50%
based on FY3 IBES estimates
■ Sales Growth: FY1 based on IBES estimates; for FY2-FY10, we solved for the implied
CAGR required to get to the respective values per share
■ Asset Efficiency: assumed constant from LFY levels
■ Fade Period: CHKP earns an eCAP (empirical competitive advantage), hence
extending explicit forecasts to ten years before the fade
■ Fade: After year ten, the HOLT methodology calculates the terminal value by fading
returns on capital and growth toward cost of capital and GDP growth respectively
Figure 337: Operating Projections Implied by Current Price: $108 per Share
Source: HOLT, Credit Suisse Research.
21.1 21.1
0
5
10
15
20
25
1996 2000 2004 2008 2012 2016 2020 2024
Historical CFROI Forecast Discount Rate
- 400 bps - 200 bps 0 bps +200 bps +400 bps +600 bps
- 400 bps - 200 bps 0 bps +200 bps +400 bps +600 bps
1.0% 3.0% 5.0% 7.0% 9.0% 11.0%
- 400 bps 45.9% $80 $91 $104 $121 $141 $168
- 200 bps 47.9% $82 $93 $107 $125 $146 $174
0% 49.9% $84 $96 $111 $129 $151 $180
+ 200 bps 51.9% $86 $99 $114 $133 $156 $186
+ 400 bps 53.9% $89 $102 $117 $137 $161 $192
Incre
men
tal ch
an
ges in
EB
ITD
A m
arg
ins
20E-26E EBITDA
Margins ˅
2018 - 2026 Sales CAGR
49.9 49.9
0
20
40
60
1996 2000 2004 2008 2012 2016 2020 2024Historical margins Forecast
Margins w/o SBC
7.75.0
(10)
0
10
20
30
1996 2000 2004 2008 2012 2016 2020 2024
Historical growth Forecast
Assumed long term margins of 50%1 Solved for the long term sales CAGR
required to get to current price of $111
2
Consensus
Consensus
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
191
Figure 338: Check Point Income Statement
Source: Company data, Credit Suisse estimates.
Check Point Software (CHKP)
Income Statement
$ in Millions, except per share items
Fiscal Year End: December 31
2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E)
Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17A 2Q17A 3Q17E 4Q17E Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year
Income Statement (Pro Forma)
Products and licenses 555.8 122.7 136.2 136.9 177.1 573.0 126.3 138.3 129.4 185.4 579.4 130.1 141.8 137.2 183.5 592.6
y/y change 6.5% 7.4% 3.0% 1.3% 1.8% 3.1% 2.9% 1.5% -5.5% 4.7% 1.1% 3.0% 2.5% 6.0% -1.0% 2.3%
Software Blade subscriptions 318.6 88.1 92.7 98.6 110.5 389.9 112.1 117.9 123.2 137.0 490.2 137.8 140.4 145.4 158.9 582.5
y/y change 20.9% 18.5% 21.0% 23.8% 25.5% 22.4% 27.2% 27.2% 25.0% 24.0% 25.7% 23.0% 19.0% 18.0% 16.0% 18.8%
Software updates and maintenance 755.5 193.4 193.8 192.1 199.2 778.5 197.1 202.3 197.3 204.3 800.9 203.5 208.4 205.1 211.6 828.7
y/y change 6.3% 5.2% 4.0% 1.6% 1.6% 3.0% 1.9% 4.4% 2.7% 2.6% 2.9% 3.3% 3.0% 4.0% 3.6% 3.5%
Total revenue 1,629.9 404.3 422.7 427.6 486.7 1,741.3 435.5 458.6 449.9 526.6 1,870.5 471.5 490.6 487.7 554.0 2,003.8
y/y change 9.0% 8.5% 6.9% 5.9% 6.3% 6.8% 7.7% 8.5% 5.2% 8.2% 7.4% 8.3% 7.0% 8.4% 5.2% 7.1%
Cost of products and licenses 101.1 23.0 25.1 25.2 32.5 105.9 23.9 26.2 24.2 34.9 109.1 24.6 26.8 25.8 34.0 111.1
GM on product and license 81.8% 81.2% 81.6% 81.6% 81.6% 81.5% 81.1% 81.1% 81.3% 81.2% 81.2% 81.1% 81.1% 81.2% 81.5% 81.2%
Cost of software blade subscriptions 7.6 1.8 1.9 3.0 4.1 10.8 4.1 5.3 4.1 5.8 19.4 5.4 6.3 5.1 5.2 21.9
GM on software blade Subscriptions 97.6% 97.9% 98.0% 96.9% 96.2% 97.2% 96.4% 95.5% 96.6% 95.7% 96.0% 96.1% 95.5% 96.5% 96.7% 96.2%
Cost of software updates and maintenance 76.9 19.2 20.0 20.8 20.9 80.9 20.2 20.6 22.0 22.5 85.3 21.2 21.3 22.8 23.3 88.5
GM on updates and maintenance 89.8% 90.1% 89.7% 89.2% 89.5% 89.6% 89.7% 89.8% 88.9% 89.0% 89.4% 89.6% 89.8% 88.9% 89.0% 89.3%
Total cost of revenue 185.7 44.0 47.0 49.0 57.6 197.7 48.2 52.1 50.3 63.2 213.8 51.1 54.4 53.6 62.4 221.6
Gross profit 1,444.2 360.2 375.8 378.5 429.1 1,543.6 387.3 406.4 399.5 463.5 1,656.7 420.3 436.2 434.0 491.6 1,782.3
Gross margin 88.6% 89.1% 88.9% 88.5% 88.2% 88.6% 88.9% 88.6% 88.8% 88.0% 88.6% 89.2% 88.9% 89.0% 88.7% 88.9%
Sales and marketing 340.2 88.7 101.2 98.0 110.1 398.0 102.6 108.1 107.1 122.2 440.0 112.2 118.7 118.0 131.9 480.8
% of Revenue 20.9% 21.9% 23.9% 22.9% 22.6% 22.9% 23.6% 23.6% 23.8% 23.2% 23.5% 23.8% 24.2% 24.2% 23.8% 24.0%
Research and development 131.6 37.6 38.5 39.6 42.4 158.1 40.5 40.6 39.8 47.0 167.8 44.3 45.1 44.9 48.2 182.5
% of Revenue 8.1% 9.3% 9.1% 9.3% 8.7% 9.1% 9.3% 8.8% 8.8% 8.9% 9.0% 9.4% 9.2% 9.2% 8.7% 9.1%
General and administrative 45.2 10.3 8.7 10.3 10.2 39.4 11.0 9.5 13.5 12.0 46.0 11.8 12.3 12.2 13.9 50.1
% of Revenue 2.8% 2.5% 2.1% 2.4% 2.1% 2.3% 2.5% 2.1% 3.0% 2.3% 2.5% 2.5% 2.5% 2.5% 2.5% 2.5%
Total operating expenses 516.9 136.5 148.3 147.9 162.7 595.5 154.1 158.1 160.4 181.2 653.8 168.3 176.1 175.1 193.9 713.4
Operating income (loss) 927.3 223.7 227.4 230.6 266.4 948.1 233.2 248.3 239.2 282.3 1,002.9 252.0 260.1 259.0 297.7 1,068.8
Operating margin 56.9% 55.3% 53.8% 53.9% 54.7% 54.4% 53.5% 54.1% 53.2% 53.6% 53.6% 53.5% 53.0% 53.1% 53.7% 53.3%
Interest income (expense) 34.1 9.9 11.8 12.1 10.5 44.4 10.4 11.3 10.3 10.2 42.1 10.1 10.4 10.3 10.3 41.1
Pre-tax income 961.4 233.7 239.2 242.7 276.9 992.5 243.5 259.6 249.5 292.5 1,045.1 262.1 270.5 269.3 308.0 1,110.0
Income taxes 195.1 46.6 48.8 49.2 29.7 174.3 42.0 47.6 43.7 49.7 183.0 45.9 47.3 47.1 53.9 194.2
Effective tax rate 20.3% 19.9% 20.4% 20.3% 10.7% 17.6% 17.3% 18.3% 17.5% 17.0% 17.5% 17.5% 17.5% 17.5% 17.5% 17.5%
Net income (PF) 766.3 187.1 190.4 193.5 247.2 818.2 201.5 212.0 205.8 242.8 862.1 216.2 223.2 222.2 254.1 915.7
Net margin 47.0% 46.3% 45.0% 45.3% 50.8% 47.0% 46.3% 46.2% 45.7% 46.1% 46.1% 45.9% 45.5% 45.6% 45.9% 45.7%
PF EPS $4.18 $1.06 $1.09 $1.13 $1.46 $4.72 $1.20 $1.26 $1.24 $1.48 $5.18 $1.31 $1.37 $1.38 $1.60 $5.66
Fully diluted shares 183.4 177.0 174.8 171.9 169.6 173.3 168.5 167.7 165.8 164.0 166.5 164.7 162.8 161.0 159.2 161.9
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
192
Figure 339: Check Point Balance Sheet
Source: Company data, Credit Suisse estimates.
Check Point Software (CHKP)
Balance Sheet
$ in Millions, except per share items
Fiscal Year End: December 31
2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E)
Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17A 2Q17A 3Q17E 4Q17E Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year
Current assets
Cash & cash equivalents 192.3 244.0 209.7 224.3 187.4 187.4 230.3 278.9 247.3 203.2 203.2 326.7 305.4 293.7 256.0 256.0
Marketable securities 1,091.9 1,127.0 1,117.1 1,005.9 1,185.5 1,185.5 1,237.6 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0 1,320.0
Trade receivables 410.8 246.7 272.6 254.7 478.5 478.5 279.1 334.0 299.0 572.5 572.5 327.1 355.5 337.3 591.0 591.0
Other receivables and prepaid expenses 85.8 47.9 44.4 44.5 41.0 41.0 69.7 87.6 86.2 91.8 91.8 75.5 93.7 93.5 96.6 96.6
Total current assets 1,780.8 1,665.6 1,643.8 1,529.4 1,892.5 1,892.5 1,816.8 2,020.6 1,952.6 2,187.6 2,187.6 2,049.3 2,074.6 2,044.5 2,263.7 2,263.7
Marketable securities 2,331.2 2,358.2 2,381.2 2,477.6 2,296.1 2,296.1 2,328.9 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5 2,207.5
Property & equipment, net 48.7 50.7 54.0 58.0 61.9 61.9 66.8 69.9 74.8 79.7 79.7 85.1 90.3 95.2 100.1 100.1
Goodwill & Intangible assets, net 838.0 837.0 836.1 835.1 834.2 834.2 833.2 832.3 832.3 832.3 832.3 832.3 832.3 832.3 832.3 832.3
Deferred income taxes, net 20.8 56.5 58.5 62.0 94.6 94.6 168.9 153.7 150.7 163.3 163.3 165.0 174.2 173.2 199.5 199.5
Severance pay fund 5.3 5.2 4.7 4.8 4.6 4.6 4.9 5.1 5.1 5.1 5.1 5.1 5.1 5.1 5.1 5.1
Other 45.2 40.3 37.8 36.3 33.8 33.8 31.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4 30.4
Total assets 5,069.9 5,013.6 5,016.0 5,003.3 5,217.6 5,217.6 5,250.9 5,319.4 5,253.4 5,505.8 5,505.8 5,374.6 5,414.4 5,388.1 5,638.5 5,638.5
Liabilities & shareholders' equity
Trade payables and other accrued liabilities 339.3 310.8 334.3 323.6 351.4 351.4 300.7 334.8 334.9 368.7 368.7 309.1 343.4 352.2 384.8 384.8
Deferred revenue 717.5 695.2 687.9 677.8 814.4 814.4 802.4 792.8 777.0 928.5 928.5 909.9 914.5 898.9 1,047.2 1,047.2
Current liabilities 1,056.9 1,006.0 1,022.2 1,001.4 1,165.9 1,165.9 1,103.2 1,127.6 1,111.9 1,297.1 1,297.1 1,219.0 1,257.9 1,251.1 1,432.0 1,432.0
Long-Term Deferred Revenue 188.3 188.2 204.5 210.8 251.2 251.2 260.5 271.8 271.8 319.4 319.4 319.4 324.2 333.9 380.7 380.7
Income tax accrual 283.2 302.1 306.9 324.4 300.5 300.5 317.1 341.7 335.2 363.0 363.0 343.4 365.6 363.4 381.8 381.8
Accrued severance pay 9.5 9.8 9.1 9.2 9.0 9.0 9.7 10.0 9.7 10.0 10.0 10.0 10.0 10.0 10.0 10.0
Shareholders' equity 3,531.9 3,507.3 3,473.4 3,457.5 3,491.1 3,491.1 3,560.4 3,568.2 3,524.7 3,516.3 3,516.3 3,482.8 3,456.7 3,429.6 3,434.0 3,434.0
Total liabilities & shareholders' equity 5,069.9 5,013.6 5,016.0 5,003.3 5,217.6 5,217.6 5,250.9 5,319.4 5,253.4 5,505.8 5,505.8 5,374.6 5,414.4 5,388.1 5,638.5 5,638.5
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 S
epte
mb
er 2
017
Cy
be
rsec
urity
193
Figure 340: Check Point Statement of Cash Flows
Source: Company data, Credit Suisse estimates.
Check Point Software (CHKP)
Statement of Cash Flows
$ in Millions, except per share items
Fiscal Year End: December 31
2015 (A) Mar '16 Jun '16 Sep '16 Dec '16 2016 (A) Mar '17 Jun '17 Sep '17 Dec '17 2017 (E) Mar '18 Jun '18 Sep '18 Dec '18 2018 (E)
Full Year 1Q16 2Q16 3Q16 4Q16 Full Year 1Q17A 2Q17A 3Q17E 4Q17E Full Year 1Q18E 2Q18E 3Q18E 4Q18E Full Year
Net income 685.9 167.4 165.8 169.7 222.0 724.8 182.6 188.4 181.5 215.2 767.6 192.6 196.9 196.0 226.8 812.3
D&A of property, plant and equipment 10.4 2.7 2.7 3.1 2.4 10.9 3.0 3.0 3.1 3.1 12.2 2.7 2.7 3.1 3.1 11.6
Share-based compensation expense 76.3 18.2 22.0 20.8 21.7 82.7 19.1 23.4 21.8 23.1 87.3 20.7 23.8 23.6 24.3 92.3
Realized gain on marketable securities 0.0 0.3 -1.4 -1.7 -0.1 -3.0 0.1 0.1 0.0 0.0 0.1 0.0 0.0 0.0 0.0 0.0
Amortization of intangible assets 3.6 1.0 1.0 1.0 1.0 3.9 0.9 0.9 3.3 3.3 8.4 3.3 3.3 3.3 3.3 13.0
Deferred income taxes -15.8 1.3 -2.5 -0.7 -31.6 -33.5 11.4 15.6 2.9 -12.5 17.4 -1.8 -9.2 1.0 -26.3 -36.2
Excess tax benefit from stock-based compensation -19.4 -1.1 -3.7 -3.4 -9.2 -17.4 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Decrease (increase) in trade and other receivables, net -64.8 162.9 -21.6 20.3 -218.0 -56.5 191.2 -49.2 36.4 -279.1 -100.8 261.8 -46.6 18.4 -256.8 -23.2
Increase in deferred revenues, trade payables, and other accrued expenses and liabilities241.0 -28.9 42.8 4.9 194.7 213.5 -52.8 44.1 -22.5 260.9 229.8 -97.7 65.9 0.8 246.0 215.0
Changes in operating assets & liabilities 176.2 134.0 21.2 25.2 -23.4 157.0 138.4 -5.1 13.9 -18.3 128.9 164.1 19.3 19.2 -10.8 191.8
Net cash provided by operating activities 917.1 323.7 205.0 213.9 182.7 925.4 355.4 226.3 226.4 213.9 1,022.0 381.5 236.7 246.3 220.4 1,084.8
Purchase of property, plant and equipment -17.3 -4.7 -5.9 -7.1 -6.3 -24.1 -8.0 -6.1 -8.0 -8.0 -30.1 -8.0 -8.0 -8.0 -8.0 -32.0
Net cash used by investing activities -113.9 -4.7 -5.9 -7.1 -6.3 -24.1 -8.0 -6.1 -8.0 -8.0 -30.1 -8.0 -8.0 -8.0 -8.0 -32.0
Proceeds from issuance of shares upon exercise of options 102.9 16.2 17.4 46.3 49.4 129.2 24.4 39.3 63.7 0.0
Purchase of treasury shares -985.7 -247.3 -245.7 -247.0 -248.0 -987.9 -247.9 -248.0 -250.0 -250.0 -995.8 -250.0 -250.0 -250.0 -250.0 -1,000.0
Excess tax benefit on stock options 19.4 1.1 3.7 3.4 9.2 17.4 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
Payments related to shares withheld for taxes -2.6 -0.2 -3.9
Net cash used by financing activities -863.5 -230.0 -227.2 -197.3 -189.4 -841.3 -223.7 -212.5 -250.0 -250.0 -932.1 -250.0 -250.0 -250.0 -250.0 -1,000.0
Unrealized gain on marketable securities, net -11.4 24.7 6.9 -9.6 -25.9 -3.9 4.0 2.0 0.0 0.0 6.0 0.0 0.0 0.0 0.0 0.0
Net increase/decrease in cash and cash equivalents -71.7 113.8 -21.2 -0.1 -38.8 56.2 127.7 9.6 -31.6 -44.1 65.7 123.5 -21.3 -11.7 -37.6 52.8
Ratios
Depreciation and amortization % of previous Q PPE on BS 5.3% 5.0% 5.3% 3.9% 4.5% 4.3% 4.3% 4.3% 4.3% 4.3% 4.3% 4.3%
Free Cash Flow
FCFE 899.7 319.0 199.1 206.8 176.5 901.4 347.5 220.2 218.4 205.9 991.9 373.5 228.7 238.3 212.4 1,052.8
Interest income (expense), net 34.1 9.9 11.8 12.1 10.5 44.4 10.4 11.3 10.3 10.2 42.1 10.1 10.4 10.3 10.3 41.1
Effective Tax rate 22% 21% 23% 22% 12% 19% 17% 19% 19% 19% 19% 19% 19% 19% 19% 19%
UFCF 873.0 311.2 189.9 197.4 167.2 865.5 338.9 211.0 210.1 197.6 957.7 365.3 220.3 229.9 204.1 1,019.6
Diluted shares outstanding 183.4 177.0 174.8 171.9 169.6 173.3 168.5 167.7 165.8 164.0 166.5 164.7 162.8 161.0 159.2 161.9
UFCF per share $4.76 $1.76 $1.09 $1.15 $0.99 $4.99 $2.01 $1.26 $1.27 $1.21 $5.75 $2.22 $1.35 $1.43 $1.28 $6.30
Research AnalystsBrad Zelnick
(212) 325 [email protected]
Jobin Mathew(212) 325 9676
Syed Talha Saleem, CFA(212) 538 1428
5 September 2017
Cybersecurity 194
Credit Suisse PEERs PEERs is a global database that captures unique information about companies within the
Credit Suisse coverage universe based on their relationships with other companies – their
customers, suppliers and competitors. The database is built from our research analysts’
insight regarding these relationships. Credit Suisse covers over 3,000 companies globally.
These companies form the core of the PEERs database, but it also includes relationships
on stocks that are not under coverage.
Figure 341: Check Point PEERs
Source: Company data, Credit Suisse estimates
5 September 2017
Cybersecurity 195
Appendices
Appendix I: The HOLT® Framework Overview
The HOLT Valuation Framework is based on two fundamental principles:
■ The market pays for economic (cash) performance and not accounting
performance.
■ The value of a company is determined by its discounted future cash flows over
its life cycle.
The HOLT methodology uses a proprietary performance measure known as Cash Flow
Return on Investment (CFROI®).
HOLT uses CFROI to estimate future cash flows and applies a unique notion of life cycle
fade to reflect the position of any individual company on its industrial life cycle.
Figure 342: HOLT metrics
Source: Credit Suisse HOLT.
Cash Flow Return on Investment (CFROI®)
Why use CFROI? Accounting statements often present a distorted view of underlying
economic performance. In order to better define a cash measure, HOLT's economic
CFROI corrects for the distortions found in traditional accounting-based measures of
performance by adjusting for inflation, off-balance sheet assets (e.g., leased property),
depreciation, LIFO & FIFO accounting, asset mix, asset holding gains or losses, asset life,
acquisition accounting, deferred taxes, pensions, investments, revaluations, special
reserves, research & development, and others.
As a result, CFROI provides comparability over time, among companies, and across
industries and national borders. This proprietary measure focuses on the cash economics
of businesses. Once the economics of the company are understood, we can more
accurately determine value by taking into account expected future cash flows, asset
growth rates, discount rates, and life cycles.
HOLT's CFROI is calculated in two steps. First, compare the inflation-adjusted (current
dollar) cash flows available to all capital owners in the company to the inflation-adjusted
(current dollar) gross investment made by those capital owners.
Next, translate the ratio of gross cash flow to gross investment to an internal rate of return
(IRR) by recognizing the finite economic life of depreciating assets and the residual value
of non-depreciating assets such as land and working capital. The process is identical to
calculating the yield to maturity for a bond. As a percent per year IRR, CFROI is directly
comparable to the return investors expect to receive (i.e., the cost of capital or discount
rate).
Accounting Cash Value
Income Statement
Balance Sheet
EPS, ROE, ROCE
Cash Flow Return on
Investment (CFROI)
Economic Performance
CFROI
Asset Growth
Life Cycle Fade
Discount Rate
5 September 2017
Cybersecurity 196
Figure 343: CFROI® Captures Economic Performance
Source: Credit Suisse HOLT.
Figure 344: CFROI® Formula in Detail
Source: Credit Suisse HOLT.
5 September 2017
Cybersecurity 197
Value Creation
Companies can create wealth for shareholders by making the right decisions with respect
to CFROI and asset growth.
Wealth is created when companies:
■ Improve CFROI
■ Grow assets when CFROI is above the discount rate (positive spread)
Shrink assets when CFROI is below the discount rate (negative spread)
Figure 345: Managing for Shareholder Value
Source: Credit Suisse HOLT.
Economic Profit
The economic profit formula underpins the value creation principle.
Economic profit (EP) is the amount of value a firm creates over a specified period, typically
annual. It is proportional to the spread between a company’s return on capital and cost of
capital.
If a firm is meeting its cost of capital, its EP is zero. Growth into projects that earn below
the cost of capital destroys shareholder value, and these projects should be rejected.
Growth at the cost of capital is value neutral. The HOLT EP is simply the economic spread
multiplied by assets if CFROI is specified as the return on capital.
Economic Profit = (return on capital – cost of capital) x invested capital
HOLT Economic Profit is calculated as =
(CFROI® – HOLT discount rate) x inflation adjusted gross investment
HOLT Valuation
The HOLT valuation model, at its foundation, is a type of DCF (discounted cash flow)
model. Among the model’s distinguishing features, along with the CFROI metric, is the
way by which the forecast stream of net cash receipts (NCRs) is generated and the
method by which the firm’s discount rate (DR) is estimated.
From a beginning asset base, key variables that drive the forecast NCR stream are
variables that actually generate cash flows namely, economic returns (CFROIs),
reinvestment rates (growth), and their expected patterns of change over time due to
competition (fade). The competitive life cycle is covered below.
5 September 2017
Cybersecurity 198
The discount rate is the rate of return investors demand for making their funds available to
the firm. DRs used in our model are real rates, not nominal rates, so they are consistent
with CFROIs. The DRs are also consistent with other aspects of our model, since base
DRs are mathematically derived from known market values and from NCR streams
consistent within our model. Adjustments (positive or negative) to the base rate are made
for company-specific financial and liquidity risk characteristics.
The result of discounting the NCRs at the market-derived DR is what is referred to as a
warranted value or warranted price. Essentially, this is the valuation that results (or is
"warranted"), given the default (or users’ own) assumptions built into the forecast and the
resulting present value of the NCRs plus the value of any non-operating investments.
Figure 346: Major Components of the HOLT Valuation Model
Source: Credit Suisse HOLT.
Warranted
Price
creates
+
+
–
–
÷
NPV of Existing Assets
NPV of Future Invests
NPV of Net Cash Receipts
MV of Non-Op. Assets
Total Enterprise Value
MV of Debt
Total Equity Value
Minority Interest
Common Equity Value
Adjusted Shares
Com Equity / Share
n
t=1
= Σ
Revenue Growth
Operating Margins
Asset Turns
Net Cash Receipts
(1+Disc. Rate) t
Country Base Rate
Size Differential
Leverage Differential
Growth
CFROI
Fade
Asset Base
5 September 2017
Cybersecurity 199
Figure 347: How to Read a HOLT CFROI Chart
Source: Credit Suisse HOLT.
Long-term level of returns
on capital required to
validate today’s
market value
Country market implied
discount rate adjusted for
company’s leverage and size
T+1 and T+2 returns on
capital forecasts based on
IBES consensus estimates
Adjusted historical returns on
capital based on HOLTs
proprietary framework
Market implied CFROI
CFROI Forecast
Historical CFROI
Market derived
discount rate
1994 1996 1998 2000 2002 2004 2006 2008 2010 2012 2014 2016 2018
Superior performance metric Market-calibrated valuationMarket Derived Discount Rate
CFROICash flows
Capital investment
Future value
Total Market
Value
=
(1 + DR)
Solve
Forecast
FCF
Forecast
CFROI is a cash-based return on capital metric that improves comparability of corporate performance across companies, geographies and time
Forecasted FCF calibrated to current
market values through observed, market implied discount rate
Calibrate future CFROI and growth rates embedded in the current stock price
The HOLT discount rate is forward-looking, derived from observed market valuation, and accurately reflects current investors’ risk appetite
Discount
rateFuture performance implied by
today’s stock price
Historical
returns
Competitive Lifecycle & fade
Empirically derived terminal value recognises competitive life-cycle of returns and growth (mean reverting fade concept)
Cumulative probability approximates
the likelihood of achieving future returns given the past return profile
Fading Turnaround?Mature
CFROI
Reinvestment
Growth
Discount
rate
5 September 2017
Cybersecurity 200
Appendix II: Additional Drivers of Security Spending Regulation Is Catalyzing Action
GDPR, and Its Ramifications, Is Top of Mind
A firm's security postures are increasingly in the regulatory spotlight. From existing and
well understood federal regulations such as HIPPA and FISMA, to the New York
Cybersecurity Regulations for Financial Institutions that recently entered into effect and the
General Data Protection Regulation that will enter into law in Europe next year, regulators
are focused on cyber safety.
At the top of many investors' minds is GDPR, which has been billed as the biggest change
to data privacy laws in 20 years. We think GDPR is worthy of specific examination, as its
attempts to enforce data privacy and empower citizens as custodians of their own data are
considered by some commentators (LA Times) as leading and, therefore, may act as a
guide toward potential future regulation more broadly. Professor Daniel Solove, for
example, has written 'the EU has been leading the debate on data protection. Nobody
ignores the EU … [which] has established itself as a formidable thought leader in this area,
and its regulation really does have a significant impact … Global companies follow EU
privacy law, using EU definitions of personal data more than US definitions. Other
countries pattern their laws much more on the EU than on the US.'
GDPR comes into law on the 28th of May 2018 – note that the text was actually first
proposed in 2012, and the regulation has been 'in force' since 25th May 2016. This is
customary with EU legislation, where there is a two-year period between when the
regulation is agreed and published in full, and when it becomes binding for member states.
Figure 348: GDPR Implementation Timeline
Source: Credit Suisse Research.
While this does mean that the full details of GDPR have been available to organizations
and the market for some time, it does not mean that enterprises are ready for the
regulation to become binding. Transitionary periods often result in lack of action.
Examples of this historically include PSD2 – The European Payments Directive – which
our European counterpart Charlie Brennan notes is still surrounded by great uncertainty,
20152012Spring
2014Spring
20162016
20172018
European Commission
publishes the
legislative proposal
Separate negotiations
within Parliament and
European Council
EP reaches
agreement
Negotiations and
approval among
the 3 institutions
Council
Agreement
Adoption of
regulation
Two-year
implementationRegulation in
effect
5 September 2017
Cybersecurity 201
despite the fact that it entered into force more than six months prior to GDPR (on the 12th
January 2016). Another example, even closer to home for the global investment
community, is MIFID2 – The Markets in Financial Instruments Directives – which will
mandate the unbundling of research and commission spending. Both the buy- and
sell-side continue to be engaged in unresolved pricing discussions despite the fact MIFID2
will enter into force in early January next year.
Figure 349: Google Trends Interest in PSD2 May Indicate Lack of Preparedness
Source: Company data, Credit Suisse estimates.
In the context of these comparisons its actually important to note that that a regulation (like
GDPR) is actually more severe than a directive (MIFID and PSD2). This is because a
regulation becomes immediately applicable to all EU member states without the need for a
nationally implemented legislation
GDPR Preparedness Remains Low
NetApp's survey of 750 CIOs, IT managers, and C-suite executives in April 2017 gives
some indication as to the level of preparedness for GDPR. The findings suggest that
preparedness for GDPR remains relatively low. Only 34% of respondents believed
themselves to have a good, or full, understanding of GDPR – this was reflected in the 35%
of respondents who considered themselves to be fully complaint; interestingly, this implies
that some senior decision makers in complaint organizations lacked a full understanding of
GDPR. Perhaps most extraordinary, 10% of respondents were fully unaware of GDPR.
5 September 2017
Cybersecurity 202
Figure 350: Understanding of GDPR Among
Respondents Was Surprisingly Low
Figure 351: Only 35% of Respondents Believed
Themselves to Be Fully Complaint
Source: Company data, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
Key Aims of GDPR
The key aims of GDPR focus around creating a unified regulatory approach to data
security and consent. The ultimate aim of returning control of their personal data to the
citizens of the EU is to be achieved by both procedural standards for activities such as
breach reporting, increasing oversight by mandating the appointment of data protection
officers, as well as empowering the individual by enforcing a right to erasure.
The scope of the regulation is 'all EU citizens', this means there is no territorial scope, all
organizations resident in the EU are subject to these regulations, as are any organizations
outside of the EU that are in possession of the data of EU subjects. Thus, this captures
non-EU businesses with websites directed toward EU (advertisers, ecommerce, social
networks etc.). Anyone offering goods or services, even for free, will be subject to GDPR.
The key changes that will be enforced are as follows:
■ Increase Security Breach Reporting: Any security breach must be flagged to the
supervisory body within 72hrs.
■ Mandatory Data Protection Officer: All public bodies and businesses that meet some
criteria (handle lots of personal data) must appoint a data protection officer (chief
privacy officer).
■ Data Processors & Vendor Management: There are increased obligations for
processors that makes them more liable for breaches, including more detailed records
of processing activities.
■ Elevate the Threshold for Consent: THIS will make it harder to collect data from
individuals, as it requires consent to be more explicit – ‘specific, informed, freely given,
unambiguous’.
■ Enhanced Individual Rights: Individuals have a right to be forgotten; it also allows for
data portability and restriction of processing.
Those in breach of these new rules following the regulations entry into force will be subject
to material penalties. For serious breaches, firms will be liable for €10 million, or 2% of
total worldwide annual turnover (whichever is greater), and for very serious breaches €20
million, or 4% of total worldwide annual turnover (again, whichever is greater). The only
bodies exempt are law enforcement and intelligent agencies.
9%
47%
29%
15%
I do not know what GDPR is
I have some understanding of GDPR
I have a good understanding of GDPR
I fully understand GDPR
66% of respondents do not have a good
understanding of GDPR
35%
49%
14%
2%
We have made preparations and arecompliant
We have made preparations but arenot compliant
We have not made any preparations
I don't know what preparations weneed to make
65% of respondents are not compliant withGDPR
5 September 2017
Cybersecurity 203
Data from the Ponemon Institute's 2016 cost of data breach study show how much
progress needs to be made before firm's are capable of complying with GDPR's security
breach reporting standards. On average, their sample took an average of c200 days to
identify a data breach, with a range of between 20 and 569 days.
Figure 352: The Mean Time to Identity
a Breach Is over Six Months…
Figure 353: A Breach Costs More If It
Takes Longer to Identify
Time, days Cost given mean time to identify, $
Source: Ponemon institute, Credit Suisse estimates. Source: Company data, Credit Suisse estimates.
The Key Impacts of GDPR
GDPR is likely to catalyze a review of firm's security posture across the spectrum – we
imagine this review will span governance, control, organization, processes, sourcing, and
technology. As has been demonstrated, preparedness and the level of understanding and
knowledge around GDPR is mediocre at best, but we expect the key impacts to be:
■ A Mindset Shift in Data Compliance/Security Budgets
Will this change budgetary thinking in enterprises both large and small? It would seem
logical there may be more resources to chief data officers, chief privacy officers, etc. The
large penalties for data breaches may enhance the fear of breach at the firm level and
change perspectives around security budgets; the potential for higher investment in
security across the network would seem a logical conclusion.
■ Onus on the Processors – Impact on Cloud?
While data creators used to carry burden of legal compliance, GDPR expands the scope
to processors as well. Until now, some cloud deals have been characterized by the data
creator/controller failing to exert controls over how the data is processed by the processor.
GDPR shares responsibility equally with the processor, making them more accountable;
this may raise the cost of compliance for processors, and may change some firm’s cloud
strategy:
70
201
Mean time to containMean time to identify
$3.23
$4.38
<100 days>100
5 September 2017
Cybersecurity 204
Figure 354: The Impact of GDPR on Public Cloud Investment
Source: Company data, Credit Suisse estimates.
■ SME Impact, Likely to Catalyze Spend
Larger organizations tend to have grappled with issues around data privacy and security
more than smaller firms simply by virtue of having been targeted more by malicious actors.
This seems to be changing. Recent attacks such as Wannacry hit SMEs too and are
reflective of the rise of ransomware attacks – which really scare the average SME. This
pressure together with GDPR may be a catalyst to fundamentally change the SME mind-
set toward data privacy and security.
Safe Harbor Invalidation – What Does This Mean for US/EU Data Sharing? More
Strict Safe Harbor 2.0 Likely – This Will Impact US Firms
Both the GDPR and the regulation it supersedes have stipulations around the level of
protection countries must mandate for data to be transferred out of the EU. Neither
legislation deemed the US to provide an adequate level of protection under EU law. (The
US was considered too focused on self-regulation and too fragmented in approach to
privacy law by EU regulators.) The solution historically was the Safe Harbor Arrangement
that was negotiated to continue to allow personal data flows between the EU and US, but
that was invalidated earlier this year.
The bottom line here is that a Safe Harbor 2.0 must be negotiated at some point. Experts
seem to think this is likely to involve concessions on the US side (the EU is considered
thought leader in data privacy/protection), and therefore, Safe Harbor 2.0 is likely to be
stricter, involving higher costs for firm’s to comply.
Attacks Move Down Market
Driving Mid-Market Spend, Increasing Competition and Pricing Pressure
While breaches of global banks, government entities, and other high-profile institutions
receive the most media attention, smaller businesses and individuals are increasingly
being targeted. According to Microsoft, more than 20% of small to mid-sized businesses
have been targets of cybercrime, and Barclaycard research suggested that 48% of SMBs
fell victim to at least one cyber-attack in 2015, and 10% were targeted more than once.
We think this phenomenon is here to stay and will have a significant impact on the shape
of a market that has historically been underpenetrated at the small and mid-sized
enterprise level.
50%
37%
25%21%
18%
6%
We will continue to investinto public cloud servicesand ensure compliance
with data regulationrequirements like GDPR
We are investing moreresources into data
regulation compliance
We are considering scalingback our public cloudservices investment
We have hired specificpersonnel with expertise in
data protection
We have already startedlowering our public cloud
services investment
We do not think GDPR hasbeen or will be a majorinfluence on our cloud
strategy
43% of respondents suggested that GDPR would result in a scale back of Public Cloud investment
5 September 2017
Cybersecurity 205
In an analysis of the UK cyber security market, a UK government paper written by Pierre
Audoin Consultants identified SMEs as a market with low IT security penetration but with
significant barriers to entry. Without sufficient security adoption, preventative internal
procedures, or experience to provide in-depth understanding of online threats, smaller
businesses must often rely on relatively simplistic but notably low- or no-cost bundled soft
These weaknesses are increasingly exploited by targeted ransomware: in a 2016 report by
PhishMe analyzing over 2,500 phishing attacks, ransomware composed 90% of all
identified malware payload URLs, costing victims more than $1 billion. Moreover, the
average ransom demanded in 2016 grew to $1,077, up from just under $300 only a year
before. The number of new ransomware families tripled to 101, while SYMC logged a 36%
increase in ransomware infections.
Figure 355: The Number of Ransomware Variants—
Historically Fairly Stable—Increased 30-Fold in 2016
Figure 356: Average Ransom Paid Has Spiked as
Variants, Volumes and Victims of Ransomware Rise
Average Ransom Paid Per Victim ($)
Cumulative Ransomware Variants
Source: Proofpoint 2016 Q4 Threat Summary, Credit Suisse estimates. Source: Symantec, Credit Suisse.
This increase in average ransoms may be due to the increasing sophistication of malware
delivery. Notably, a significant portion of phishing attacks in 2016 still used longstanding,
time-tested tactics such as remote-access Trojans and keyloggers—methods that are not
difficulty to eliminate, per se. What has changed, however, is that ransomware approaches
have increasingly adopted a quiet malware strategy, which involves infiltrating the victim to
assess their behavior for a period of time and subsequently tailoring ransoms based on
their individual abilities to pay for re-access to critical data.
Given the above-mentioned behaviors and growth trends of ransomware, we believe that
small and medium businesses are especially susceptible and will be an area of relative
growth for security spending. A June 2017 survey conducted by Osterman Research and
sponsored by Malwarebytes found that, among more than 1,000 SMB respondents, 35%
were victims of ransomware. More importantly, more SMBs stated that ransomware
prevention should rely on technology than those who prefer personnel training. Yet, as
previously mentioned, the popularity of bundled security software as the primary defense
for SMB users may explain the preference for technology over education and protocols.
This further suggests, however, that a growing need for more sophisticated security
technology is forthcoming.
While about 33% of SMBs in the Malwarebytes survey claimed to have been using
anti-ransomware technologies, roughly 33% have also experienced a ransomware attack
in the past year—of which 27% did not know the endpoint source of the ransomware at the
time of attacks, but results of later investigations often turn out to be malicious emails.
According to Proofpoint’s 2016 Threat Report, 15% of documented business email
2016 2017
$373
$294
$1,077
0
200
400
600
800
1,000
1,200
2014 2015 2016
5 September 2017
Cybersecurity 206
compromises (BECs) occur businesses employing less than 5,000 people, due to fewer
resources to mitigate such threats.
Although a need for greater security technology and procedures may be apparent among
SMBs, what suggests that they will actually spend more? Of ransomware infections, 90%
resulted in more than one hour of downtime, while 16% caused 25 hours or more of
downtime—a result of either an understandable stubbornness to pay ransoms, an inability
to identify and contain breaches, or both.
Results from a 2017 Imperva survey indicate that downtime from ransomware can cost
anywhere from $5,000 to $20,000 in lost business and damages, with 27% believing that
the amount could be over $20,000 a day.
Figure 357: Increase Costs of Ransomware May Drive Significant Increase in
Security Needs for SMBs
Estimated Aggregate Annual Costs to SMBs of Ransomware-Induced Downtime, Varied by Daily Cost of Downtime ($billions)
Source: Gartner, Imperva Rise of Ransomware Survey, Malwarebytes State of Ransomware Among SMBs Survey, U.S. Census Bureau, Credit Suisse estimates.
A Growing Need for Security Among SMBs Brings Heightened Competition…
Using IDC revenue data to estimate the Herfindahl-Hirschman Index (an indicator of
competition) for each segment (defined by price band) that IDC tracks reveal substantially
more competition in the mid-range and volume segments of the market. Not only are there
more players, but we have been hearing of more competitiveness as players such as
WatchGuard and SonicWALL have made significant strides more recently.
0.0
2.0
4.0
6.0
8.0
10.0
12.0
14.0
16.0
2016 2017 2018 2019
$20,000/day
$12,500/day
$5,000/day
5 September 2017
Cybersecurity 207
Figure 358: The Midrange and Volume Segment of the Market Are Substantially
Less Consolidated (and Therefore Competitive) than the High End
Herfindahl-Hirschman Index, 4Q moving average
Source: IDC, Credit Suisse Research.
…and Competition Brings Pricing Pressure
We believe consolidation translates to pricing power, and vice-versa. Therefore, we expect
higher levels of competition in the mid-end and volume markets to translate into higher
price competitiveness. Looking at the Volume market ASP relative to the five largest
market players suggests that while there hasn’t been broad based pressure, pricing has
come down for the five largest in aggregate.
Figure 359: Pricing for the Five Largest Players Appears to Have Been Slightly
More Pressured Relative to the Market as a Whole
ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)
Source: iDC, Credit Suisse Research.
If we look at pricing across the product spectrum for the five largest vendors since 2010, a
weakness in volume is apparent relative to the high end. While the mid-range hasn’t been
weak, per se, it has been weaker than the high end since 2014.
0.00
0.05
0.10
0.15
0.20
0.25
2002 2004 2006 2008 2010 2012 2014 2016
High end, 4Qma Midrange, 4Qma Volume, 4Qma
1,000
1,300
1,600
1,900
2,200
2,500
2,800
1,000
1,200
1,400
1,600
1,800
2,000
2,200
2003 2005 2007 2009 2011 2013 2015 2017
Volume ASP Volume ASP (CHKP, PANW, FTNT, JNPR, CSCO)
5 September 2017
Cybersecurity 208
Figure 360: Pricing Has Been Strongest in the High End, Slightly Weaker in the
Mid-Range, and Weakest in Volume
CHKP, PANW, FTNT, JNPR, CSCO ASP (Vendor revenue/Units), Firewall and UTM, 4Q rolling average, inflation adjusted (US PPI)
Source: iDC, Credit Suisse Research.
Cybersecurity threats are especially of concern for small and mid-size businesses, with
insufficient endpoint security and preventive personnel training. Although smaller business
are relatively—albeit only slightly—less concerned about such threats, the rapid increase
in sophistication and sheer volume of malware will likely create greater urgency for
security spending among SMBs.
0.6
0.7
0.8
0.9
1.0
1.1
1.2
2010 2011 2012 2013 2014 2015 2016 2017
Top-5 High-End ASP Top-5 Mid-range ASP Top-5 Volume ASP
5 September 2017
Cybersecurity 209
Figure 361: Software SoundBytes on Attacks Moving Down Market
Source: Credit Suisse Research.
Software SoundBytesSMB security
Brad Zelnick
(212) 325 6118
“The cheaper lines (850s and 220s) are selling very well into mainly net new customers, but
also branches… The 220 is 1700 USD, and only costs 46USD after year one.”
“Hackers are getting more strategic, initially they spent the most of their time in large institutions,
now they are industrializing themselves and automating themselves into smaller businesses and
we are seeing lots of ransomware at SMBs.”
“Ransomware is agnostic and blind, and therefore attacks SMEs with impunity”
“The mid-market in Asia is largely not migrated from FW to NGFW (outside of
Tokyo the majority of Asia is MM) in his view 70-80% are on firewall not NGFW”
“The key is you need to know what is on the network to protect the network. Tanium’s hygiene checks found
the average environment had 12-20% more endpoints than previously known; 5-20% of these had failing or
non-existent endpoint agents, 60% were missing critical patches, and 90% missing at least one patch.”
“2-years ago we saw 90-95% physical appliances, today adoption of virtual
appliances in small and medium sized enterprises is as much as 30-35%”
5 September 2017
Cybersecurity 210
Connected Security
Continued Increases in Connectivity to Drive Threats
During the initial stages of data networking, organizations adopted data networks to
connect a limited number of computers within close proximity, allowing users to share
simple, common services (e.g., file servers and printers). In these local area networks
(LANs), the majority of traffic resided within the network and remain local to a specific part
of the organization. However, with widespread Internet usage, the proliferation of
client-server, Web-tier, and SaaS applications; distributed architectures; and the adoption
of new bandwidth-intensive applications, the majority of traffic traverses the boundaries of
the LAN to networks outside of the LAN, thereby increasing the risk exposure of enterprise
networks.
The pervasiveness of computing by businesses, organizations, and individuals, as well as
the Internet’s ability to interconnect computing devices to enable widespread
communication, has given rise to immense growth in data communications. For example,
Cisco Systems estimates that the number of connected devices worldwide will rise from 15
billion today to 50 billion by 2020. Intel is even more aggressive, claiming that over 200
billion devices will be connected by 2020. Although smartphones are the most visible
connected device, the number of cars connected to the Internet worldwide is expected to
grow more than six fold to 152 million in 2020, smart thermostats are expected to have
43% adoption in the next five years, and nearly half of U.S. consumers plan to buy
wearable technology by 2019.
Each application, operating system, and device introduced to a network contains
additional vulnerabilities that may be exploited by an unauthorized user. To adequately
secure a network, IT managers must have the resources to not only correctly configure the
security measures in each system but also to understand the risks created by any change
to existing systems on the network. Exacerbating this situation is the limited supply of
personnel knowledgeable in information security issues. These factors create a need for
enterprises to protect the information stored in their open computing environment and also
to protect the information when transmitted via the Internet. A failure to protect such
information could result in business disruption and significant financial loss. Adding to the
challenge of the sheer volume of Internet-connected devices, the majority of the new
technological devices operate across shared platforms and systems—meaning a single
security flaw can affect a wider range of technologies than ever before.
In addition to providing network connectivity through a corporate campus LAN, remote
network connectivity is increasingly viewed as a mission-critical function for enterprises,
and we believe that corporations will increasingly look toward technologies that enable
mobile workers to securely gain access to a full array of corporate resources. In fact, the
remote worker population has been increasing dramatically. For example, IDC estimates
the US mobile worker population will continue to grow over the next five years, increasing
from 96.2 million in 2015 to 105.4 million mobile workers in 2020, which would account for
three quarters (72.3%) of the total US workforce.
In the end, increased connectivity creates added risk exposure for corporations,
governments, and individuals. As a result, enterprise will need to invest in IT security
technologies to mitigate the potential cost of IT security incidents due to this increased
connectivity. We therefore believe that IT security companies that can successfully
mitigate risks to enterprise, government, and home systems are poised to benefit, as
attention to IT security driven by the exponential growth in connectivity increases.
5 September 2017
Cybersecurity 211
Figure 362: Software SoundBytes Regarding Connected Devices
Source: Credit Suisse Research.
Software SoundBytesConnected Devices
Brad Zelnick
(212) 325 6118
“How often are connected devices inspected? Not often. What function do they perform?
Limited. So the fact half their processing power is taken over isn’t important or noticeable.”
“Connected refrigerator manufacturers know all there is to know about the science of cooling, but
what do they know about security – why should they?”
“In this battlefield there is a deadly and ignorant opponent – these IOT devices, and
no way to make the owners even interested in discovery.”
“The key difference between a connected device and a computer is that if your computer becomes
infected you are motivated to do something, if your connected refrigerator gets infected, but it still
keeps food cool, do you care about your refrigerator being part of a DDOS attack?”
“Connected device manufacturers buy off the shelf hardware and off the shelf software; and they
cobble it together fast, because they want to be first out the door with the product. So we have all
these companies putting unprotected computers out into the wild.”
“I had a security team come to inspect my home, and it had been totally breached…
my Wi-Fi enabled wine cooler was breached… When you come home you have
nobody watching your walls… When I was compromised cost me 37,000 dollars to
re-secure”
5 September 2017
Cybersecurity 212
Appendix III: Who Are Those Guys? Hackers play a central role in the IT security landscape, are a diverse population, and
engage in hacking for a variety of reasons. Some hack out of criminal motives; some hack
to satisfy their egos or gain peer recognition; and others hack out of curiosity and for
intellectual stimulation.
Some hack alone, and some hack in groups, and they do so from all over the world.
Interestingly, there appears to be some regional roots in hacking preferences—with
Vietnamese often targeting ecommerce, Eastern Europeans predominantly attacking
financial institutions, and Chinese focusing on intellectual Property. (A Look Into the
Hacker Landscape, Debraj Ghosh, PhD, MBA, Senior Product Marketing Manager, Threat
Protection, Office 365 at Microsoft.) Regardless of motives or characteristics, hackers tend
to be classified into two groups: (1) black hats (malicious hackers) and (2) white hats
(ethical hackers).
Black Hats: Know Thy Enemy
In The Art of War, Sun Tzu, the renowned Chinese military strategist, opined, “If you know
the enemy and know yourself, you need not fear the result of a hundred battles. If you
know yourself but not the enemy, for every victory gained you will also suffer a defeat. If
you know neither the enemy nor yourself, you will succumb in every battle.” While the
underlying intention of this quote is likely to remind the reader that knowing one’s own
strengths and weaknesses is of critical import, cognizance of one’s enemy is also vital.
Within the context of cybersecurity, not only are number, sophistication, and cost of
breaches increasing, but the threat to critical IT systems is emanating from an increasing
number of “enemies,” including hostile governments, terrorist groups, disgruntled
employees, and malicious intruders. The following table is an excerpt from NIST 800-82,
Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control System
Security provides a description of various threats to control system networks:
Figure 363: United States Government Accountability Office (GAO) Threat Table
Source: Government Accountability Office (GAO), “Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434.”
Threat Description
Bot-network operators Bot-network operators are hackers; however, instead of breaking into systems for the challenge or bragging rights, they take over multiple systems
in order to coordinate attacks and to distribute phishing schemes, spam, and malware attacks. The services of these networks are sometimes made
available in underground markets (e.g., purchasing a denial-of-service attack, servers to relay spam, or phishing attacks, etc.).
Criminal groups Criminal groups seek to attack systems for monetary gain. Specifically, organized crime groups are using spam, phishing, and spyware/malware to
commit identity theft and online fraud. International corporate spies and organized crime organizations also pose a threat to the United States
through their ability to conduct industrial espionage and large-scale monetary theft and to hire or develop hacker talent.
Foreign intelligence services Foreign intelligence services use cyber tools as part of their information-gathering and espionage activities. In addition, several nations are
aggressively working to develop information warfare doctrine, programs, and capabilities. Such capabilities enable a single entity to have a
significant and serious impact by disrupting the supply, communications, and economic infrastructures that support military power - impacts that
could affect the daily lives of U.S. citizens across the country.
Hackers Hackers break into networks for the thrill of the challenge or for bragging rights in the hacker community. While remote cracking once required a
fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim
sites. Thus while attack tools have become more sophisticated, they have also become easier to use. According to the Central Intelligence Agency,
the large majority of hackers do not have the requisite expertise to threaten difficult targets such as critical U.S. networks. Nevertheless, the
worldwide population of hackers poses a relatively high threat of an isolated or brief disruption causing serious damage.
5 September 2017
Cybersecurity 213
Figure 364: United States Government Accountability Office (GAO) Threat Table continued
Source: Government Accountability Office (GAO), “Department of Homeland Security’s (DHS’s) Role in Critical Infrastructure Protection (CIP) Cybersecurity, GAO-05-434.”
Regardless of threat classification, the black hat hacker is the most fundamental element
in any IT security breach. Therefore, in order to better understand the nature of cyber
threats, we believe hackers’ motives and phycology profiles must be better understood.
Expert SoundBytes
Interview with Dr. Gráinne Kirwan
Q: Could you walk through how criminological and forensic psychological theories have
evolved to explain what motivates and characterizes offenders?
A: We are fortunate to have a wide range of existing theories in both criminology and
forensic psychology which can help us to understand cybercriminal offenders. As many of
these theories were developed with a wide range of criminal activities in mind, some are
easily adapted to cybercrime. For example, while the specific traits of cybercriminals can
vary, the broad facets of trait theories are still applicable to online crime.
Social learning theory is also still expected to have a significant role in explaining the
motivations of offenders, although it must be considered that the others who the potential
offender is learning from may not be part of their offline lives, and the potential offender
may not even know their true identities.
Other types of criminological theories, such as geographical theories, have needed
greater adaptation to online crime, due to the lack of physical borders and geographical
constructs online. Nevertheless, we can still see how related theories, such as Routine
Activity Theory, may have applicability to cybercrime based on the types of online
activities and ‘locations’ which offenders may regularly engage in or attend.
Finally, it is also possible to draw on many other theories from psychology, such as
cognitive theories, which can provide insights into many aspects of human behavior,
including cybercrime.
Q: According to your research, there are multiple factors influencing offenders.
Could you highlight the most important factors and
why these variables have the most influence?
Threat Description
Insiders The disgruntled organization insider is a principal source of computer crime. Insiders may not need a great deal of knowledge about computer
intrusions because their knowledge of a target system often allows them to gain unrestricted access to cause damage to the system or to steal
system data. The insider threat also includes outsourcing vendors as well as employees who accidentally introduce malware into systems.
Phishers Individuals, or small groups, who execute phishing schemes in an attempt to steal identities or information for monetary gain. Phishers may also
use spam and spyware/malware to accomplish their objectives.
Spammers Individuals or organizations who distribute unsolicited e-mail with hidden or false information in order to sell products, conduct phishing schemes,
distribute spyware/malware, or attack organizations (i.e., denial of service).
Spyware/malware authors Individuals or organizations with malicious intent carry out attacks against users by producing and distributing spyware and malware. Several
destructive computer viruses and worms have harmed files and hard drives, including the Melissa Macro Virus, the Explore.Zip worm, the CIH
(Chernobyl) Virus, Nimda, Code Red, Slammer, and Blaster.
Terrorists Terrorists seek to destroy, incapacitate, or exploit critical infrastructures in order to threaten national security, cause mass casualties, weaken the
U.S. economy, and damage public morale and confidence. Terrorists may use phishing schemes or spyware/malware in order to generate funds
or gather sensitive information.
5 September 2017
Cybersecurity 214
A: The factors influencing offenders can vary according to the type of offender. For
example, peer influence in the form of social learning is thought to have an important
influence on some types of offending, such as copyright infringement. However, this may
have less influence on other types of offences.
It is possible that offenders may feel less inhibited online than offline, and may not
identify the boundary between criminal and non-criminal behavior as clearly when using
Internet technologies as when they are offline.
It can be easy for an individual to employ cognitive distortions to persuade themselves
that what they are doing is not really criminal in nature, or to consider a criminal action to
be acceptable when they cannot identify their victim or see their victim’s reaction. While
popular television programs often portray psychodynamic or personality traits as being
key to influencing offenders, in reality it can be difficult to determine a close relationship
between these factors and offending behaviors – many who exhibit these factors do not
offend, while many who offend do not exhibit these factors.
In practice, it can be more useful to consider the cognitive reasoning of offenders – how
do they make decisions; what influences them when deciding to commit a crime or not;
what factors do they consider; what errors do they make in perception/decision
making/problem solving. Not only are these more reliable indicators of potential offending
behavior, but they also permit an organization to design systems which are less
appealing targets, or which are more difficult to infiltrate.
Q: How should other factors, such as the socio-economic status, family status, peer
relationships, and biology, be considered?
A: There are many factors which have broadly been identified with higher risk of
criminality – these include family composition, socio-economic status, peers, and
biological factors, including neural structures, neurotransmitters, genetics, and hormones.
At the moment, it is unclear how much many of these factors contribute toward
cybercriminal activity. Nevertheless, peer factors, particularly in relation to social learning,
has been identified as important in activities such as copyright infringement and
hacktivism.
At a very high level, relative deprivation on a global scale has been linked to online fraud,
particularly advance fee fraud. As so many of these factors have been closely linked to
criminality generally, it would be prudent to consider them as potentially important factors
in cybercriminality, even if exact links have not been consistently identified or examined
for all types of cybercrime.
Q: In the late 1990s, the activities of hackers were often characterized as the digital
version of spray-painting (“tagging”) a wall or teenage rebelliousness. Since
this time, how has the emergence of even more-malicious bad actors,
such as criminal organizations, hacktivists, and nation-states,
altered the psychology and motives of offenders?
A: It is often tempting to reminisce about earlier times as being less dangerous than
contemporary life. Across many aspects of criminology, it has been noted that people
perceive the world of approximately 20 years ago to be considerably safer than today’s
world, while for most types of crime, the available data contradicts this perception.
Nevertheless, technology of the 1990s was less advanced, and less widely used than
technology today, and the potential impact of cybercrime is considerably higher today.
However, it should be remembered that even in the relatively early days of the Internet,
malicious behavior occurred.
"Criminals have been required to evolve and
change in order to survive, in the same
way that those in many other careers have been
required to adapt to emerging technologies."
5 September 2017
Cybersecurity 215
As Internet technologies have become part of daily society, organized crime has naturally
gravitated to it as a way of achieving goals. To not do so would be to ignore how banking,
commerce, and communication has changed, and while the Internet provides additional
methods of attack, any organization that maintained offline only approaches would likely
find their targets diminishing in number.
Criminals have been required to evolve and change in order to survive, in the same way
that those in many other careers have been required to adapt to emerging technologies.
Similarly, we can consider the motives and actions of nation-states to be an adaptation to
changing society. So it may not be that the psychology and motivations underlying these
actions have changed – these are likely to be the constant. Instead, it is the method of
achieving the goal which might have changed.
Finally, when considering hacktivists, it must be remembered that not all of these
individuals conduct criminal acts. But the actions of these individuals may be more
interesting from a psychological perspective – here the availability and affordances of the
Internet have allowed individuals with a strong opinion on a topic to have a voice and
engage in action which they may not have previously been able to do, either because of
geographical distance, social or cultural repercussions, or risk to personal safety. The
inhibition mentioned earlier may also be a factor here, as well as a reduced perception of
risk of apprehension or punishment. Moral reasoning, neutralization of offending
behavior, cognitive distortions and empathy may all be factors in the rise of hacktivism in
recent years.
Q: How can we to counter the motivations of both professional and “recreational”
offenders?
A: When looking to counter the motivations of offenders, it is very important to realize
that these can be very disparate. In the same way that any group of individuals might
engage in the same activity for very different reasons, a selection of cybercriminals may
have varying motivations for their actions.
If their motivations relate to potential financial benefit, an appropriate approach would
consider increasing the potential offender’s perceptions regarding the certainty of
punishment (severity of punishment has relatively little impact, but if an offender believes
that it is highly likely that they will be apprehended and punished, even if that punishment
is mild, this can be an effective deterrent). To reduce future offending, celerity is also
important – the punishment should follow swiftly after the offence. Rational Choice
Theory suggests that if a potential offender can identify high risk or low reward when
engaging in an activity, then they will likely avoid it.
Similarly, reducing the attractiveness of a target can also help to reduce motivation to
offend. While this is less straightforward to achieve in cybercriminal cases than in offline
cases, target-hardening can dissuade less-experienced offenders from attacks. More
experienced and skilled offenders may actually find such targets to be more attractive,
and so other techniques should be employed to counter their motivations. For example,
offering ‘bug for bounty’ programs may dissuade those who are motivated to test their
abilities from criminality. Increasing the public perception of the organization as being
generally benevolent can counter neutralizations and cognitive distortions employed by
offenders, resulting in an inefficacy of such approaches in justifying the criminal behavior.
5 September 2017
Cybersecurity 216
White Hats
Is the Enemy of My Enemy My Friend?
Not all hackers have malicious intentions. Ethical hacking is a term coined by IBM meant
to refer to a broad category of actions taken by computer security experts to ensure the
security of information systems. Contrasted with a black hat, the term white hat comes
from Western films, where heroic and antagonistic cowboys traditionally wore white and
black hats, respectively.
Some of the earliest white hat hackers were three Polish cryptologists (Marian Rejewski,
Henryk Zygalski, and Jerzy Różycki) who helped defeat Nazi Germany during World War
II by cracking the Enigma code. In 1932. In 1939, mathematicians Alan Turing and Gordan
Welchman, along with engineer Harold Keen, leveraged the work of the Poles and
designed the Bombe, an electromechanical device used to decipher Enigma’s
transmissions. By 1981, The New York Times described white hat activities as part of a
“mischievous but perversely positive ‘hacker’ tradition.”
Today, while hackers are too often stereotyped as destructive cyber villains, many devote
their skills to security research and fighting cybercrime. In fact, many IT security experts
argue that the vulnerabilities of systems will be corporations’ or government’s key
concerns and, therefore, suggest that addressing the constant tide of security flaws will
require these organizations to embrace the hacker culture in collectively seeking out and
fixing these vulnerabilities.
A prime example of this unique dynamics, Google has long enjoyed a close relationship
with the security research community and has maintained a Vulnerability Reward Program
(VRP) for Google-owned Web properties, which has run continuously since November
2010.
In January 2015, Google also launched the Vulnerability Research Grants (VRG) initiative
to complement the company’s long-running Vulnerability Reward Program, with the goal of
rewarding security researchers that look into the security of Google products and services
even in the case when no vulnerabilities are found.
In 2014 alone, Google paid more than $1.5 million to white hat hackers who reported
vulnerabilities in Google’s Web properties and software. The largest single reward Google
paid out was $150,000 to a “researcher” who then joined the company for an internship.
Rewards for qualifying bugs range from $100 to $20,000.
5 September 2017
Cybersecurity 217
Figure 365: Rewards for Qualifying Bugs Range from $100 to $31,337. The
Following Table Outlines the Usual Rewards Chosen for the Most Common
Classes of Bugs:
Source: Google Vulnerability Reward Program (VRP) Rules.
Google isn’t the only major organization that participates in the burgeoning gray market
where hackers and security researchers sell tools for breaking into computers and
unknown vulnerabilities.
In fact, according to a special report by Reuters, the largest buyer of zero-day exploits—
vulnerabilities that are taken advantage of a on the same day that they become generally
known—is the U.S. government, which used knowledge of some of these vulnerabilities as
part of America’s offensive cyber-warfare strategy to create the Stuxnet virus in 2010,
which disrupted Iran’s nuclear-research program. The buying and selling of exploits is a
complicated matter, however, given most of the organizations and people paying sellers
are on the offensive side of cybercrime, cyber-spying, and cyber-weapons.12
We interviewed Dr. Gráinne Kirwan, Chartered Psychologist and Lecturer in
Cyberpsychology and Forensic Psychology at Dun Laoghaire Institute of Art, Design, and
Technology, to better understand the psychological aspects of cybercrime and how
criminological and forensic psychological theories explain what motivates and
characterizes offenders. Dr. Kirwan has co-authored/co-edited four books in this area: (1)
Cybercrime: The Psychology of Online Offenders, (2) Cyberpsychology and New Media: A
Thematic Reader, (3) The Psychology of Cyber Crime: Concepts and Principles, and (4)
An Introduction to Cyberpsychology. She is the Managing Editor of the International
Journal of Cyber Criminology.
5 September 2017
Cybersecurity 218
Interview with Keren Elazari
Q: Do you classify yourself as a hacker?
A: Yes, I am proud to call myself a hacker and I’ve always felt this was my calling. Ever
since I was 14 years' old and saw the film “Hackers” with Angelina Jolie.
My idea of a hacker is somewhat romantic, but I consider the friendly and ethical hackers
out there in the world as a vital part of culture, society, and the economy, pushing forward
the evolution of technology and acting as a much needed “immune system” for the
information age.
I wear many professional hats: strategic advisor, business analyst, academic researcher
and author. I’ve worked as a security architect, risk management consultant and product
manager, yet throughout any role and in any organization, I’ve always held that hacker –
hero ethos at heart.
Q: How has the threat landscape changed in terms of the emergence of even more-
malicious bad actors, such as criminal organizations,
hacktivists, and nation-states?
A: In my opinion, the most important element of today’s threat landscape is not who. It’s
when. The question of when an organization knows that a breach has taken place, and
how it happened, is the most critical thing, and we see that many incidents go by un-
noticed until an outside party like a law enforcement agency, a media outlet, or a data
leak (sometimes also called “dump”) makes everyone realize what happened – that’s
much too late for any organization to prevent the damages and revert back to normal
operations.
That’s why I think today’s businesses must develop both adaptability and resilience – that
comes from investing in security know how, training, human resources and not just from
the latest technologies on the market. Threat intelligence is one element that could help
prepare an organization of a coming attack, but it’s far from a cure to all the problems.
Another important aspect is to remember that no organization stands alone.
Cybercriminals know exactly how to find the low-hanging fruits, the weaknesses, and
opportunities represented by a third-party supplier, a partner, a customer, or even an
unhappy, or simply naïve, employee within the enterprises so called “secured” perimeter.
Prevention is better than any cure, and to achieve security resilience organizations must
wake up and smell the coffee to understand cyber security affects every aspect of the
business, in every industry, and security is a constant journey – not a destination you can
reach and then forget about.
Q: In your speaking tours, you have argued that hackers offer an opportunity to boost
cybersecurity and have advocated for greater collaboration between
security professionals and hackers. Please explain your
position and thought process, especially in the
context of your response to our
first two questions.
A: It’s my personal belief that the global hacker community has many friendly and ethical
hackers within it, and I see this in person every year when I attend the annual “hackers
convention”, DEFCON, where 20 thousand people converge in Las Vegas for a weekend
of hacking and learning – are they call criminals? I don’t think so.
"The question of when an organization knows
that a breach has taken place, and how it
happened, is the most critical thing and we see that many incidents go by
un-noticed until an outside party like makes
everyone realize what happened."
"Today’s businesses must develop both
adaptability and resilience – that comes
from investing in security know how, training,
human resources and not just from the latest
technologies on the market."
5 September 2017
Cybersecurity 219
One simple way for any organization to become safer is to actively encourage your
security teams to go forth and participate in the events run by the global hacker
community. You would be surprised, how many local hacking events happen everywhere
– maybe even in your neighborhood! By going to such an event, you can meet hackers in
person and hear their valuable security research insights in real time – there’s a global
network of such events called Security Bsides, for example – even in Zurich (see here) or
Tel Aviv (see here) where I host it.
An even more important aspect is to participate in the conversations that take place online
– all the time, in chat rooms, twitter, and mailing lists. You’ll find thousands of passionate
contributors each seeking advice, sharing knowledge, and sometimes even “dropping a
zero day”, which means releasing details of a never-before-seen software vulnerability. I
think it’s vital to be a part of that conversation, and if you can’t find your way, you should
trust a friendly hacker to lead the way, as we are the digital natives of the online
underground.
Q: Google has been a long-standing, vocal advocate of the white hat community? Have
other companies and industries started to take note of collaboration with white hats,
and could you walk through some examples of the benefits captured?
A: The topic of fruitful collaboration between established companies and institutions and
global hacker & individual security research community is the focus of my academic
research in the past two years. I’ve looked at the data behind some of the biggest “bug
bounty” programs out there – these are the business frameworks that allow companies like
Google, Facebook, and even Tesla or Western Union to actively engage and encourage
the vital security research work done by hackers, rewarding reports of important bugs and
vulnerabilities found by individual hackers. These programs have already created
incredible value to the companies that operate them: Facebook has paid out more than
$4.3 million to 800+ researchers in the five years of operating their program.
They received details about thousands of bugs affecting more than 1 billion users
worldwide. For reference, consider that the budget to recruit, hire, and employ a single
security engineer for a full time position at Facebook HQ in Menlo Park, California would
probably be around $200,000 for one year.
So for the average cost of hiring five more engineers per year, this global giant of social
media and messaging was able to support and harness the work of hundreds of ethical
hackers, all over the world, and make the FB platform that much safer. That’s the primary
benefit of these programs, but it doesn’t stop there. Data from the Google VRP program
shows that in the year 2014 many of the important bugs discovered were reported by
hackers in the Africa and Asia regions.
Looking at other programs, I’ve learned that ethical hackers in certain countries are getting
the first-ever opportunity to be legitimately paid for security research work. To me, this
presents a potential force of disruption and an alternative to the underground, criminal
pathways of hacker life. That’s why I’m hopeful and excited about more such programs,
and you can see why traditional companies like Mastercard and Fiat Chrysler USA are
adopting these models too.
5 September 2017
Cybersecurity 220
Companies Mentioned (Price as of 01-Sep-2017) 3M (MMM.N, $203.56) 8x8 (EGHT.OQ, $13.95) AOL, Inc. (AOL.N^F15) AOL, Inc. (AOL.N^F15) AOL, Inc. (AOL.N^F15) Airbnb (Unlisted) Akamai Technologies, Inc. (AKAM.OQ, $47.08) Alphabet (GOOGL.OQ, $951.99) Altaba Inc. (AABA.OQ, $64.05) Amazon com Inc. (AMZN.OQ, $978.25) Anthem, Inc. (ANTM.N, $197.43) Apple Inc (AAPL.OQ, $164.05) Arista Networks (ANET.N, $177.49) Autodesk Inc. (ADSK.OQ, $113.71) Benefitfocus (BNFT.OQ, $30.8) Betfair Group PLC (BETF.L^B16) Betfair Group PLC (BETF.L^B16) Betfair Group PLC (BETF.L^B16) CA Inc. (CA.OQ, $33.26) Callidus (CBL.TO, C$11.08) Callidus Software Inc. (CALD.OQ, $25.0) Champion Tech (0092.HK, HK$0.089) Check Point Software Technologies Ltd. (CHKP.OQ, $110.89, NEUTRAL, TP $110.0) Cisco Systems Inc. (CSCO.OQ, $32.3) Citigroup Inc. (C.N, $68.58) Citrix Systems Inc. (CTXS.OQ, $78.52) Compaq Computer (CPQ.N^E02) Compaq Computer (CPQ.N^E02) Compaq Computer (CPQ.N^E02) Cornerstone OnDemand, Inc. (CSOD.OQ, $35.86) Cyberark Softwr (CYBR.OQ, $41.45) Dell Inc. (DELL.OQ^J13) Dell Inc. (DELL.OQ^J13) Dell Inc. (DELL.OQ^J13) Equinix, Inc. (EQIX.OQ, $465.96) Experian (EXPN.L, 1550.0p) F5 Networks (FFIV.OQ, $118.57) Facebook Inc. (FB.OQ, $172.02) Fiat Chrysler Automobile (FCHA.MI, €13.34) FireEye (FEYE.OQ, $14.89) Fortinet, Inc. (FTNT.OQ, $38.3, UNDERPERFORM, TP $33.0) Foundry Networks (FDRY.OQ^L08) Foundry Networks (FDRY.OQ^L08) Foundry Networks (FDRY.OQ^L08) Gateway (GTW.N^J07) Gateway (GTW.N^J07) Gateway (GTW.N^J07) Gigamon (GIMO.N, $43.65) Guidewire (GWRE.N, $75.8) Home Depot (HD.N, $150.78) Honeywell International Inc. (HON.N, $137.63) Hortonworks, Inc. (HDP.OQ, $17.28) HubSpot (HUBS.N, $73.15) Imperva (IMPV.OQ, $44.9) Intel Corp. (INTC.OQ, $35.09) Intercontinental Hotels (IHG.L, 3867.0p) International Business Machines Corp. (IBM.N, $144.08) Intuit Inc. (INTU.OQ, $141.9) JPMorgan Chase & Co. (JPM.N, $91.7) KalugaPutMash (KPMGI.RTS^C16) KalugaPutMash (KPMGI.RTS^C16) KalugaPutMash (KPMGI.RTS^C16) LogMeIn (LOGM.OQ, $116.5) Manhattan Assoc (MANH.OQ, $42.85) MasterCard Inc. (MA.N, $133.24) McAfee Inc. (MFE.N^C11) McAfee Inc. (MFE.N^C11) McAfee Inc. (MFE.N^C11) MicroStrategy (MSTR.OQ, $128.5) Microsoft (MSFT.OQ, $73.94) Mimecast (MIME.OQ, $26.31) Netflix, Inc. (NFLX.OQ, $174.74) NeuStar Inc. (NSR.N^H17) NeuStar Inc. (NSR.N^H17) NeuStar Inc. (NSR.N^H17) New Relic (NEWR.N, $47.98) Nice (NICE.OQ, $78.57) Nintendo (7974.T, ¥36,800) Nokia (NOK.N, $6.22) Nokia (NOKIA.HE, €5.24) Okta (OKTA.OQ, $26.59) Open Text Corporation (OTEX.OQ, $32.36) Palo Alto Networks, Inc. (PANW.N, $146.67, UNDERPERFORM, TP $125.0) Paylocity Hldg (PCTY.OQ, $48.49) Pegasystems (PEGA.OQ, $57.65) Progress Sftw (PRGS.OQ, $33.46)
5 September 2017
Cybersecurity 221
Proofpoint (PFPT.OQ, $91.7) QUALCOMM Inc. (QCOM.OQ, $52.05) Qualys (QLYS.OQ, $48.25) Rapid7 (RPD.OQ, $17.24) RealPage, Inc. (RP.OQ, $43.3) Red Hat, Inc. (RHT.N, $107.46) Right Management (RHT.N^A04) Right Management (RHT.N^A04) Right Management (RHT.N^A04) RingCentral, Inc. (RNG.N, $42.35) Royal Bank of Scotland (RBS.L, 252.8p) SAP (SAPG.F, €88.549) Salesforce.com (CRM.N, $96.01) Sony (6758.T, ¥4,376) Sophos Group (SOPH.L, 532.5p) Splunk, Inc. (SPLK.OQ, $67.4) Symantec Corporation (SYMC.OQ, $29.86) TDC (TDC.CO, Dkr37.17) Tableau Software, Inc. (DATA.N, $72.66) Talend (TLND.OQ, $39.71) TalkTalk (TALK.L, 200.7p) Team (TISI.N, $12.6) Teradata Corp (TDC.N, $32.19) Tesla Motors Inc. (TSLA.OQ, $355.4) The TJX Companies, Inc. (TJX.N, $72.38) Thomson Reuters Corporation (TRI.N, $45.47) Trend Micro (TMIC.OQ^E07) Trend Micro (TMIC.OQ^E07) Trend Micro (TMIC.OQ^E07) Trend Micro (TMIC.OQ^E07) Twilio (TWLO.N, $28.96) Ultimate Software (ULTI.OQ, $199.81) VMware Inc. (VMW.N, $107.48) Veeva Systems (VEEV.N, $59.72) VeriSign Inc. (VRSN.OQ, $103.94) Watchguard Tech (WGRD.OQ^J06) Watchguard Tech (WGRD.OQ^J06) Watchguard Tech (WGRD.OQ^J06) Western Union (WU.N, $18.79) Workday Inc (WDAY.N, $108.84) Zendesk (ZEN.N, $27.48) eBay Inc. (EBAY.OQ, $36.35)
Disclosure Appendix
Analyst Certification I, Brad Zelnick, certify that (1) the views expressed in this report accurately reflect my personal views about all of the subject companies and securities and (2) no part of my compensation was, is or will be directly or indirectly related to the specific recommendations or views expressed in this report.
3-Year Price and Rating History for Check Point Software Technologies Ltd. (CHKP.OQ)
CHKP.OQ Closing Price Target Price
Date (US$) (US$) Rating
23-Oct-14 71.00 77.50 O
29-Jan-15 78.50 85.00
20-Apr-15 85.88 95.00
07-Jul-16 81.86 NC
* Asterisk signifies initiation or assumption of coverage.
Effective July 3, 2016, NC denotes termination of coverage.
O U T PERFO RM
N O T CO V ERED
5 September 2017
Cybersecurity 222
3-Year Price and Rating History for Nokia (NOKIA.HE)
NOKIA.HE Closing Price Target Price
Date (€) (€) Rating
24-Oct-14 6.63 7.75 O
30-Jan-15 6.84 8.00
16-Apr-15 7.27 8.10 N
01-May-15 6.04 6.80
31-Jul-15 6.43 7.00
01-Dec-15 6.96 9.00 O
12-Feb-16 5.22 8.20
11-May-16 4.64 7.30
13-Jul-16 5.31 7.25
05-Aug-16 4.92 6.75
01-Nov-16 3.97 5.50
16-Nov-16 3.84 5.35
28-Apr-17 5.25 5.75
28-Jul-17 5.39 6.00
* Asterisk signifies initiation or assumption of coverage.
3-Year Price and Rating History for Palo Alto Networks, Inc. (PANW.N)
PANW.N Closing Price Target Price
Date (US$) (US$) Rating
09-Sep-14 89.28 110.00 O
24-Nov-14 113.26 135.00
02-Mar-15 145.98 165.00
27-May-15 160.65 190.00
09-Sep-15 165.17 215.00
23-Nov-15 172.02 225.00
07-Jul-16 121.63 NC
* Asterisk signifies initiation or assumption of coverage.
Effective July 3, 2016, NC denotes termination of coverage.
The analyst(s) responsible for preparing this research report received Compensation that is based upon various factors including Credit Suisse's total revenues, a portion of which are generated by Credit Suisse's investment banking activities
As of December 10, 2012 Analysts’ stock rating are defined as follows: Outperform (O) : The stock’s total return is expected to outperform the relevant benchmark* over the next 12 months. Neutral (N) : The stock’s total return is expected to be in line with the relevant benchmark* over the next 12 months. Underperform (U) : The stock’s total return is expected to underperform the relevant benchmark* over the next 12 months. *Relevant benchmark by region: As of 10th December 2012, Japanese ratings are based on a stock’s total return relative to the analyst's coverage universe which consists of all companies covered by the analyst within the relevant sector, with Outperforms representing the most attractiv e, Neutrals the less attractive, and Underperforms the least attractive investment opportunities. As of 2nd October 2012, U.S. and Canadian as well as European ratings are based on a stock’s total return relative to the analyst's coverage universe which consists of all companies covered by the analyst withi n the relevant sector, with Outperforms representing the most attractive, Neutrals the less attractive, and Underperforms the least attractive investment opportunities. For Latin Ame rican and non-Japan Asia stocks, ratings are based on a stock’s total return relative to the average total return of the relevant country or regional benchmark; prior to 2nd October 2012 U.S. and Can adian ratings were based on (1) a stock’s absolute total return potential to its current share price and (2) the relative attractiv eness of a stock’s total return potential within an analyst’s coverage universe. For Australian and New Zealand stocks, the expected total return (ETR) calculation includes 1 2-month rolling dividend yield. An Outperform rating is assigned where an ETR is greater than or equal to 7.5%; Underperform where an ETR less than or equal to 5%. A Neutral may be assigned where the ETR is between -5% and 15%. The overlapping rating range allows analysts to assign a rating that puts ETR in the context of associated ris ks. Prior to 18 May 2015, ETR ranges for Outperform and Underperform ratings did not overlap with Neutral thresholds between 15% and 7.5%, wh ich was in operation from 7 July 2011. Restricted (R) : In certain circumstances, Credit Suisse policy and/or applicable law and regulations preclude certain types of communications, including an investment recommendation, during the course of Credit Suisse's engagement in an investment banking transaction and in certain other circumstances. Not Rated (NR) : Credit Suisse Equity Research does not have an investment rating or view on the stock or any other securities related to the company at this time. Not Covered (NC) : Credit Suisse Equity Research does not provide ongoing coverage of the company or offer an investment rating or investment view on the equity security of the company or related products.
O U T PERFO RM
N EU T RA L
O U T PERFO RM
N O T CO V ERED
5 September 2017
Cybersecurity 223
Volatility Indicator [V] : A stock is defined as volatile if the stock price has moved up or down by 20% or more in a month in at least 8 of the past 24 months or the analyst expects significant volatility going forward.
Analysts’ sector weightings are distinct from analysts’ stock ratings and are based on the analyst’s expectations for the fundamentals and/or valuation of the sector* relative to the group’s historic fundamentals and/or valuation: Overweight : The analyst’s expectation for the sector’s fundamentals and/or valuation is favorable over the next 12 months. Market Weight : The analyst’s expectation for the sector’s fundamentals and/or valuation is neutral over the next 12 months. Underweight : The analyst’s expectation for the sector’s fundamentals and/or valuation is cautious over the next 12 months. *An analyst’s coverage sector consists of all companies covered by the analyst within the relevant sector. An analyst may cover multiple sectors.
Credit Suisse's distribution of stock ratings (and banking clients) is:
Global Ratings Distribution
Rating Versus universe (%) Of which banking clients (%) Outperform/Buy* 44% (64% banking clients) Neutral/Hold* 40% (60% banking clients) Underperform/Sell* 14% (52% banking clients) Restricted 2% *For purposes of the NYSE and FINRA ratings distribution disclosure requirements, our stock ratings of Outperform, Neutral, a nd Underperform most closely correspond to Buy, Hold, and Sell, respectively; however, the meanings are not the same, as our stock ratings are determined on a relative bas is. (Please refer to definitions above.) An investor's decision to buy or sell a security should be based on investment objectives, current holdings, and other individual factors.
Important Global Disclosures Credit Suisse’s research reports are made available to clients through our proprietary research portal on CS PLUS. Credit Suisse research products may also be made available through third-party vendors or alternate electronic means as a convenience. Certain research products are only made available through CS PLUS. The services provided by Credit Suisse’s analysts to clients may depend on a specific client’s preferences regarding the frequency and manner of receiving communications, the client’s risk profile and investment, the size and scope of the overall client relationship with the Firm, as well as legal and regulatory constraints. To access all of Credit Suisse’s research that you are entitled to receive in the most timely manner, please contact your sales representative or go to https://plus.credit-suisse.com . Credit Suisse’s policy is to update research reports as it deems appropriate, based on developments with the subject company, the sector or the market that may have a material impact on the research views or opinions stated herein. Credit Suisse's policy is only to publish investment research that is impartial, independent, clear, fair and not misleading. For more detail please refer to Credit Suisse's Policies for Managing Conflicts of Interest in connection with Investment Research: https://www.credit-suisse.com/sites/disclaimers-ib/en/managing-conflicts.html . Credit Suisse does not provide any tax advice. Any statement herein regarding any US federal tax is not intended or written to be used, and cannot be used, by any taxpayer for the purposes of avoiding any penalties. Credit Suisse has decided not to enter into business relationships with companies that Credit Suisse has determined to be involved in the development, manufacture, or acquisition of anti-personnel mines and cluster munitions. For Credit Suisse's position on the issue, please see https://www.credit-suisse.com/media/assets/corporate/docs/about-us/responsibility/banking/policy-summaries-en.pdf .
Target Price and Rating Valuation Methodology and Risks: (12 months) for Check Point Software Technologies Ltd. (CHKP.OQ)
Method: Our base case assumes a 5 year transition period with FCF growth declining smoothly from an estimated 6% in 2020. This scenario assumes the firewall market decelerates broadly in line with our expectations, and Check Point successfully weathers the transition, but is then, more than ever, a lower growth, true 'legacy' vendor. This scenario results in a target price of $110 and a Neutral rating.
Risk: If market conditions deteriorate, competition in the firewall/VPN market increases, and pricing pressure increases, the assumptions for achieving our $110 target price, and thus our Neutral rating, for CHKP may be affected. We are also cautious on its long-term ability to sustain strong year-over-year growth rates while maintaining, and possibly improving, margins, given the long-term slower growth profile of the firewall/VPN market and an increasing competitive environment.
Target Price and Rating Valuation Methodology and Risks: (12 months) for Fortinet, Inc. (FTNT.OQ)
Method: In addition to substantive relative valuation work, which informs our Underperform rating, we estimate the intrinsic value for Fortinet at $33/share. Our base case assumes a 5 year transition period with FCF growth declining smoothly from an estimated 6% in 2020. This scenario assumes the firewall market decelerates broadly in line with our expectations (we model a 1.0% terminal growth rate from 2026E).
Risk: The key risk to our $33/share price target and Underperform rating are that FTNT transitions organically via innovation, or inorganically via acquisition, into a successful cloud first vendor. Another risk is its becoming a strategic target, FTNT is smaller in terms of EV than CHKP or PANW therefore this risk is more pronounced, but beware a Netscreen repeat.
Target Price and Rating Valuation Methodology and Risks: (12 months) for Palo Alto Networks, Inc. (PANW.N)
Method: Our $125 target price and Underperform rating are based on our DCF analysis, which assumes an 8% FCF CAGR over the next 10 years. This assumes a five-year transition period with FCF growth declining smoothly from an estimated 11% in 2021. This scenario assumes the
5 September 2017
Cybersecurity 224
firewall market decelerates broadly in line with our expectations (we model a 1% terminal growth rate from 2027E), and PANW experiences enhanced competition from peers through its refresh cycle.
Risk: There are three key risks to our $125 target price and underperform rating. (1) Substantial Balance Sheet Capacity: PANW has substantial balance sheet capacity and has showed willingness to deploy it in a transformational manner when reportedly bidding upward of $3 billion for Tanium in fall 2015. (2) Strength and Resilience of Financial Model: The overall execution of the transition to a subscription-based model may prove more successful than anticipated and could provide access to the >$8 billion CLTV expansion opportunity that management estimates. (3) Becomes a Strategic Acquisition Target: Particularly at lower valuations, PANW could become a potential target for a strategic buyer seeking to consolidate the market.
Please refer to the firm's disclosure website at https://rave.credit-suisse.com/disclosures/view/selectArchive for the definitions of abbreviations typically used in the target price method and risk sections.
See the Companies Mentioned section for full company names Credit Suisse currently has, or had within the past 12 months, the following as investment banking client(s): PANW.N, FTNT.OQ, NOKIA.HE Credit Suisse currently has, or had within the past 12 months, the following issuer(s) as client(s), and the services provided were non-investment-banking, securities-related: NOKIA.HE Credit Suisse expects to receive or intends to seek investment banking related compensation from the subject company (PANW.N, FTNT.OQ, NOKIA.HE) within the next 3 months. Within the last 12 months, Credit Suisse has received compensation for non-investment banking services or products from the following issuer(s): NOKIA.HE A member of the Credit Suisse Group is party to an agreement with, or may have provided services set out in sections A and B of Annex I of Directive 2014/65/EU of the European Parliament and Council ("MiFID Services") to, the subject issuer (PANW.N, FTNT.OQ, NOKIA.HE) within the past 12 months.
For date and time of production, dissemination and history of recommendation for the subject company(ies) featured in this report, disseminated within the past 12 months, please refer to the link: https://rave.credit-suisse.com/disclosures/view/report?i=319017&v=-43wat4pxqbc0fkklbuyxqsywc .
Important Regional Disclosures Singapore recipients should contact Credit Suisse AG, Singapore Branch for any matters arising from this research report. The analyst(s) involved in the preparation of this report may participate in events hosted by the subject company, including site visits. Credit Suisse does not accept or permit analysts to accept payment or reimbursement for travel expenses associated with these events. Restrictions on certain Canadian securities are indicated by the following abbreviations: NVS--Non-Voting shares; RVS--Restricted Voting Shares; SVS--Subordinate Voting Shares. Individuals receiving this report from a Canadian investment dealer that is not affiliated with Credit Suisse should be advised that this report may not contain regulatory disclosures the non-affiliated Canadian investment dealer would be required to make if this were its own report. For Credit Suisse Securities (Canada), Inc.'s policies and procedures regarding the dissemination of equity research, please visit https://www.credit-suisse.com/sites/disclaimers-ib/en/canada-research-policy.html. Principal is not guaranteed in the case of equities because equity prices are variable. Commission is the commission rate or the amount agreed with a customer when setting up an account or at any time after that. This research report is authored by: Credit Suisse Securities (USA) LLC ................................................................................... Brad Zelnick ; Jobin Mathew ; Syed Talha Saleem, CFA
Important Credit Suisse HOLT Disclosures With respect to the analysis in this report based on the Credit Suisse HOLT methodology, Credit Suisse certifies that (1) the views expressed in this report accurately reflect the Credit Suisse HOLT methodology and (2) no part of the Firm’s compensation was, is, or will be directly related to the specific views disclosed in this report. The Credit Suisse HOLT methodology does not assign ratings to a security. It is an analytical tool that involves use of a set of proprietary quantitative algorithms and warranted value calculations, collectively called the Credit Suisse HOLT valuation model, that are consistently applied to all the companies included in its database. Third-party data (including consensus earnings estimates) are systematically translated into a number of default algorithms available in the Credit Suisse HOLT valuation model. The source financial statement, pricing, and earnings data provided by outside data vendors are subject to quality control and may also be adjusted to more closely measure the underlying economics of firm performance. The adjustments provide consistency when analyzing a single company across time, or analyzing multiple companies across industries or national borders. The default scenario that is produced by the Credit Suisse HOLT valuation model establishes the baseline valuation for a security, and a user then may adjust the default variables to produce alternative scenarios, any of which could occur. Additional information about the Credit Suisse HOLT methodology is available on request. The Credit Suisse HOLT methodology does not assign a price target to a security. The default scenario that is produced by the Credit Suisse HOLT valuation model establishes a warranted price for a security, and as the third-party data are updated, the warranted price may also change. The default variable may also be adjusted to produce alternative warranted prices, any of which could occur. CFROI®, HOLT, HOLTfolio, ValueSearch, AggreGator, Signal Flag and “Powered by HOLT” are trademarks or service marks or registered trademarks or registered service marks of Credit Suisse or its affiliates in the United States and other countries. HOLT is a corporate performance and valuation advisory service of Credit Suisse.
Important disclosures regarding companies or other issuers that are the subject of this report are available on Credit Suisse ’s disclosure website at https://rave.credit-suisse.com/disclosures or by calling +1 (877) 291-2683.
5 September 2017
Cybersecurity 225
This report is produced by subsidiaries and affiliates of Credit Suisse operating under its Global Markets Division. For more information on our structure, please use the following link: https://www.credit-suisse.com/who-we-are This report may contain material that is not directed to, or intended for distribution to or use by, any person or entity who is a citizen or resident of or located in any locality, state, country or other jurisdiction where such distribution, publication, availability or use would be contrary to law or regulation or which would subject Credit Suisse or its affiliates ("CS") to any registration or licensing requirement within such jurisdiction. All material presented in this report, unless specifically indicated otherwise, is under copyright to CS. None of the material, nor its content, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party, without the prior express written permission of CS. All trademarks, service marks and logos used in this report are trademarks or service marks or registered trademarks or service marks of CS or its affiliates.The information, tools and material presented in this report are provided to you for information purposes only and are not to be used or considered as an offer or the solicitation of an offer to sell or to buy or subscribe for securities or other financial instruments. CS may not have taken any steps to ensure that the securities referred to in this report are suitable for any particular investor. CS will not treat recipients of this report as its customers by virtue of their receiving this report. The investments and services contained or referred to in this report may not be suitable for you and it is recommended that you consult an independent investment advisor if you are in doubt about such investments or investment services. Nothing in this report constitutes investment, legal, accounting or tax advice, or a representation that any investment or strategy is suitable or appropriate to your individual circumstances, or otherwise constitutes a personal recommendation to you. CS does not advise on the tax consequences of investments and you are advised to contact an independent tax adviser. Please note in particular that the bases and levels of taxation may change. Information and opinions presented in this report have been obtained or derived from sources believed by CS to be reliable, but CS makes no representation as to their accuracy or completeness. CS accepts no liability for loss arising from the use of the material presented in this report, except that this exclusion of liability does not apply to the extent that such liability arises under specific statutes or regulations applicable to CS. This report is not to be relied upon in substitution for the exercise of independent judgment. CS may have issued, and may in the future issue, other communications that are inconsistent with, and reach different conclusions from, the information presented in this report. Those communications reflect the different assumptions, views and analytical methods of the analysts who prepared them and CS is under no obligation to ensure that such other communications are brought to the attention of any recipient of this report. Some investments referred to in this report will be offered solely by a single entity and in the case of some investments solely by CS, or an associate of CS or CS may be the only market maker in such investments. Past performance should not be taken as an indication or guarantee of future performance, and no representation or warranty, express or implied, is made regarding future performance. Information, opinions and estimates contained in this report reflect a judgment at its original date of publication by CS and are subject to change without notice. The price, value of and income from any of the securities or financial instruments mentioned in this report can fall as well as rise. The value of securities and financial instruments is subject to exchange rate fluctuation that may have a positive or adverse effect on the price or income of such securities or financial instruments. Investors in securities such as ADR's, the values of which are influenced by currency volatility, effectively assume this risk. Structured securities are complex instruments, typically involve a high degree of risk and are intended for sale only to sophisticated investors who are capable of understanding and assuming the risks involved. The market value of any structured security may be affected by changes in economic, financial and political factors (including, but not limited to, spot and forward interest and exchange rates), time to maturity, market conditions and volatility, and the credit quality of any issuer or reference issuer. Any investor interested in purchasing a structured product should conduct their own investigation and analysis of the product and consult with their own professional advisers as to the risks involved in making such a purchase. Some investments discussed in this report may have a high level of volatility. High volatility investments may experience sudden and large falls in their value causing losses when that investment is realised. Those losses may equal your original investment. Indeed, in the case of some investments the potential losses may exceed the amount of initial investment and, in such circumstances, you may be required to pay more money to support those losses. Income yields from investments may fluctuate and, in consequence, initial capital paid to make the investment may be used as part of that income yield. Some investments may not be readily realisable and it may be difficult to sell or realise those investments, similarly it may prove difficult for you to obtain reliable information about the value, or risks, to which such an investment is exposed. This report may provide the addresses of, or contain hyperlinks to, websites. Except to the extent to which the report refers to website material of CS, CS has not reviewed any such site and takes no responsibility for the content contained therein. Such address or hyperlink (including addresses or hyperlinks to CS's own website material) is provided solely for your convenience and information and the content of any such website does not in any way form part of this document. Accessing such website or following such link through this report or CS's website shall be at your own risk.
This report is issued and distributed in European Union (except Switzerland): by Credit Suisse Securities (Europe) Limited, One Cabot Square, London E14 4QJ, England, which is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Germany: Credit Suisse Securities (Europe) Limited Niederlassung Frankfurt am Main regulated by the Bundesanstalt fuer Finanzdienstleistungsaufsicht ("BaFin"). United States and Canada: Credit Suisse Securities (USA) LLC; Switzerland: Credit Suisse AG; Brazil: Banco de Investimentos Credit Suisse (Brasil) S.A or its affiliates; Mexico: Banco Credit Suisse (México), S.A. (transactions related to the securities mentioned in this report will only be effected in compliance with applicable regulation); Japan: by Credit Suisse Securities (Japan) Limited, Financial Instruments Firm, Director-General of Kanto Local Finance Bureau ( Kinsho) No. 66, a member of Japan Securities Dealers Association, The Financial Futures Association of Japan, Japan Investment Advisers Association, Type II Financial Instruments Firms Association; Hong Kong: Credit Suisse (Hong Kong) Limited; Australia: Credit Suisse Equities (Australia) Limited; Thailand: Credit Suisse Securities (Thailand) Limited, regulated by the Office of the Securities and Exchange Commission, Thailand, having registered address at 990 Abdulrahim Place, 27th Floor, Unit 2701, Rama IV Road, Silom, Bangrak, Bangkok10500, Thailand, Tel. +66 2614 6000; Malaysia: Credit Suisse Securities (Malaysia) Sdn Bhd; Singapore: Credit Suisse AG, Singapore Branch; India: Credit Suisse Securities (India) Private Limited (CIN no.U67120MH1996PTC104392) regulated by the Securities and Exchange Board of India as Research Analyst (registration no. INH 000001030) and as Stock Broker (registration no. INB230970637; INF230970637; INB010970631; INF010970631), having registered address at 9th Floor, Ceejay House, Dr.A.B. Road, Worli, Mumbai - 18, India, T- +91-22 6777 3777; South Korea: Credit Suisse Securities (Europe) Limited, Seoul Branch; Taiwan: Credit Suisse AG Taipei Securities Branch; Indonesia: PT Credit Suisse Sekuritas Indonesia; Philippines:Credit Suisse Securities (Philippines ) Inc., and elsewhere in the world by the relevant authorised affiliate of the above. Additional Regional Disclaimers Hong Kong: Credit Suisse (Hong Kong) Limited ("CSHK") is licensed and regulated by the Securities and Futures Commission of Hong Kong under the laws of Hong Kong, which differ from Australian laws. CSHKL does not hold an Australian financial services licence (AFSL) and is exempt from the requirement to hold an AFSL under the Corporations Act 2001 (the Act) under Class Order 03/1103 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Act). Research on Taiwanese securities produced by Credit Suisse AG, Taipei Securities Branch has been prepared by a registered Senior Business Person. Australia (to the extent services are offered in Australia): Credit Suisse Securities (Europe) Limited (“CSSEL”) and Credit Suisse International (“CSI”) are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority (“FCA”) and the Prudential Regulation Authority under UK laws, which differ from Australian Laws. CSSEL and CSI do not hold an Australian Financial Services Licence (“AFSL”) and are exempt from the requirement to hold an AFSL under the Corporations Act (Cth) 2001 (“Corporations Act”) under Class Order 03/1099 published by the Australian Securities and Investments Commission (“ASIC”), in respect of the financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). This material is not for distribution to retail clients and is directed exclusively at Credit Suisse's professional clients and eligible counterparties as defined by the FCA, and wholesale clients as defined under section 761G of the Corporations Act. Credit Suisse (Hong Kong) Limited (“CSHK”) is licensed and regulated by the Securities and Futures Commission of Hong Kong under the laws of Hong Kong, which differ from Australian laws. CSHKL does not hold an AFSL and is exempt from the requirement to hold an AFSL under the Corporations Act under Class Order 03/1103 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). Credit Suisse Securities (USA) LLC (CSSU) and Credit Suisse Asset Management LLC (CSAM LLC) are licensed and regulated by the Securities Exchange Commission of the United States under the laws of the United States, which differ from Australian laws. CSSU and CSAM LLC do not hold an AFSL and is exempt from the requirement to hold an AFSL under the Corporations Act under Class Order 03/1100 published by the ASIC in respect of financial services provided to Australian wholesale clients (within the meaning of section 761G of the Corporations Act). Malaysia: Research provided to residents of Malaysia is authorised by the Head of Research for Credit Suisse Securities (Malaysia) Sdn Bhd, to whom they should direct any queries on +603 2723 2020. Singapore: This report has been prepared and issued for distribution in Singapore to institutional investors, accredited investors and expert investors (each as defined under the Financial Advisers Regulations) only, and is also distributed by Credit Suisse AG, Singapore Branch to overseas investors (as defined under the Financial Advisers Regulations). Credit Suisse AG, Singapore Branch may distribute reports produced by its foreign entities or affiliates pursuant to an arrangement under Regulation 32C of the Financial Advisers Regulations. Singapore recipients should contact Credit Suisse AG, Singapore Branch at +65-6212-2000 for matters arising from, or in connection with, this report. By virtue of your status as an institutional investor, accredited investor, expert investor or overseas investor, Credit Suisse AG, Singapore Branch is exempted from complying with certain compliance requirements under the Financial Advisers Act, Chapter 110 of Singapore (the “FAA”), the Financial Advisers Regulations and the relevant Notices and Guidelines issued thereunder, in respect of any financial advisory service which Credit Suisse AG, Singapore Branch may provide to you. UAE: This information is being distributed by Credit Suisse AG (DIFC Branch), duly licensed and regulated by the Dubai Financial Services Authority (“DFSA”). Related financial services or products are only made available to Professional Clients or Market Counterparties, as defined by the DFSA, and are not intended for any other persons. Credit Suisse AG (DIFC Branch) is located on Level 9 East, The Gate Building, DIFC, Dubai, United Arab Emirates. EU: This report has been produced by subsidiaries and affiliates of Credit Suisse operating under its Global Markets Division In jurisdictions where CS is not already registered or licensed to trade in securities, transactions will only be effected in accordance with applicable securities legislation, which will vary from jurisdiction to jurisdiction and may require that the trade be made in accordance with applicable exemptions from registration or licensing requirements. Non-US customers wishing to effect a transaction should contact a CS entity in their local jurisdiction unless governing law permits otherwise. US customers wishing to effect a transaction should do so only by contacting a representative at Credit Suisse Securities (USA) LLC in the US. Please note that this research was originally prepared and issued by CS for distribution to their market professional and institutional investor customers. Recipients who are not market professional or institutional investor customers of CS should seek the advice of their independent financial advisor prior to taking any investment decision based on this report or for any necessary explanation of its contents. This research may relate to investments or services of a person outside of the UK or to other matters which are not authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority or in respect of which the protections of the Prudential Regulation Authority and Financial Conduct Authority for private customers and/or the UK compensation scheme may not be available, and further details as to where this may be the case are available upon request in respect of this report. CS may provide various services to US municipal entities or obligated persons ("municipalities"), including suggesting individual transactions or trades and entering into such transactions. Any services CS provides to municipalities are not viewed as "advice" within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. CS is providing any such services and related information solely on an arm's length basis and not as an advisor or fiduciary to the municipality. In connection with the provision of the any such services, there is no agreement, direct or indirect, between any municipality (including the officials,management, employees or agents thereof) and CS for CS to provide advice to the municipality. Municipalities should consult with their financial, accounting and legal advisors regarding any such services provided by CS. In addition, CS is not acting for direct or indirect compensation to solicit the municipality on behalf of an unaffiliated broker, dealer, municipal securities dealer, municipal advisor, or investment adviser for the purpose of obtaining or retaining an engagement by the municipality for or in connection with Municipal Financial Products, the issuance of municipal securities, or of an investment adviser to provide investment advisory services to or on behalf of the municipality. If this report is being distributed by a financial institution other than Credit Suisse AG, or its affiliates, that financial institution is solely responsible for distribution. Clients of that institution should contact that institution to effect a transaction in the securities mentioned in this report or require further information. This report does not constitute investment advice by Credit Suisse to the clients of the distributing financial institution, and neither Credit Suisse AG, its affiliates, and their respective officers, directors and employees accept any liability whatsoever for any direct or consequential loss arising from their use of this report or its content. Principal is not guaranteed. Commission is the commission rate or the amount agreed with a customer when setting up an account or at any time after that. Copyright © 2017 CREDIT SUISSE AG and/or its affiliates. All rights reserved.
Investment principal on bonds can be eroded depending on sale price or market price. In addition, there are bonds on which investment principal can be eroded due to changes in redemption amounts. Care is required when investing in such instruments. When you purchase non-listed Japanese fixed income securities (Japanese government bonds, Japanese municipal bonds, Japanese government guaranteed bonds, Japanese corporate bonds) from CS as a seller, you will be requested to pay the purchase price only.
Top Related