 From theCUBE Studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. As we've reported extensively, the pandemic has affected cybersecurity markets perhaps more than any other. Remote work has caused CISOs, Chief Information Security Officers, to shift spending priorities toward identity access management endpoint and cloud security. COVID has been a benefactor for next-gen security companies that participate in these sectors. Notably, we believe tactical responses to the coronavirus have resulted in productivity improvements that will create permanent change in the way organizations defend themselves against cyber threats. Hello, everyone, and welcome to this week's Wikibon Cube Insights, powered by ETR. In this Breaking Analysis, we'll provide you with our quarterly update of the cybersecurity space and share fresh ETR data on the market. We also have some results from Eric Bradley's most recent Venn Roundtable conducted with three senior Chief Information Security Officers. Let's start by looking at this notion of a single pane of glass. Now, despite the aspiration, there is no silver bullet to protect organizations from cyber attacks. The complexities of security, they're enormous, and they required a layered defense approach. They range from securing internal networks to endpoints to DMZ subnets, external traffic security, data in motion, data at rest, protecting from ransomware, dealing with web traffic, emails, phishing, not to mention, threats from internal employees and contractors. As we mentioned at the open, there are three areas in particular that have seen significantly elevated spending momentum that is translated into the valuation increases for several companies, including CrowdStrike, Okta, Zscaler, and several others. Zero trust security has gone from buzzword to reality. And spending shifts to these technologies have siphoned off demand from traditional hardware-based firewalls. Although CISOs seem to be hedging their bets as some, at some point they realize that people are actually going to come back to the office so they have to remain agile. Lack of talent, well that remains one of the CISOs biggest challenges to securing applications and data. And automation, while sometimes viewed as risky, is becoming increasingly important. Several companies have hit our radar this quarter and were highlighted in the CISO panel, including Elastic, which has seen momentum as an open source alternative to Splunk. And notably, multiple CIOs in the panel, they cited concerns related to Splunk's pricing and their sales tactics. They actually compared those of Splunk to those of EMC in the past, if anybody remembers how aggressive EMC sales people could be. Cloudflare also broke into the top 10 in the ETR survey based on NetScore, which is a measure of spending momentum. And that was for those companies with more than 50 mentions in the survey. Cloudflare is a CDN and provides security for websites. Also, NetScope, a cloud security specialist cracked the top 10 in terms of NetScore and received high marks from the CISO panel, particularly with respect to its vision and roadmap. Microsoft, Palo Alto Networks, Octa, CrowdStrike, Cisco, CyberArk, SalesPoint, Zscaler, and ProofPoint remain focus vendors for us in the ETR survey, as measured by spending momentum and their presence in the dataset, what we call market share. And we'll talk more about those companies in a moment. Now, finally, even CISOs that were skeptical about the permanence of the effects of COVID, they're seeing business benefits that suggest many of these shifts are secular and not cyclical. Indeed, prior to the pandemic, ETR survey data showed that about 16% of organizations workers were primarily remote. See, I always expect that number to more than double post pandemic to 34%. Let's take a look at some of the cybersecurity vendors. We'll plot some, we don't have enough room to plot all of them, there are so many. This chart shows one of our favorite X, Y views. On the Y axis, we measure net score. That measures, again, spending velocity by looking at the net percentage of customers that are spending more versus those that are spending less within the ETR survey. The X axis measures market share or pervasiveness in the survey. Now we've included a select list of companies for this view and only include those with more than 50 responses or 50 ends, shared ends, if you will, in the data set. In the upper right, you can see a table that shows the data sorted by both net score and shared ends for each vendor. Now, as we indicated, Elastic has taken the top spot, just barely edging out Okta who took over from CrowdStrike in the last survey. And you can see the significant market presence of Palo Alto and Splunk and the most pervasive vendor here at Cisco. Note that Cisco also owns Umbrella and Duo, which both have meaningful ends in the survey. Now, if we were to combine these into one view, a single view of Cisco, all three of those, it would pull the company even further up and to the right. Security is one of the bright spots in Cisco's portfolio and shows consistent year-on-year growth each quarter. Now, having said that, some CISOs complain that Cisco's propensity to rely on acquisitions to fill gaps has caused them integration challenges in the past. Let's come back to Palo Alto for a moment. We'll make some comments later regarding their position relative to Fortinet, but we wanted to call them out here. Look, CISOs, they really like Palo Alto. They trust Palo Alto networks. They consider Palo Alto a trusted leader with a very strong portfolio and vision. Now, let's turn our attention to the pack here. As we mentioned, Okta's momentum is notably elevated and it's meaningfully higher than the others. Its presence continues to increase up to the right. As does CrowdStrike's to the right, not necessarily up to the right, but to the right. But CrowdStrike has come off its net score high, so it's coming down actually in the vertical axis. We're not super concerned about that because they're dramatically increasing their presence in the x-axis each survey, but so is Okta. So that's something to watch. In other words, CrowdStrike's coming down and net score while it's increasing its presence. Okta's holding its net score while at the same time increasing its presence, which is really a strong sign. Now, they don't compete against each other directly, but they're still in the same sector. We've also included Carbon Black here because they're VMware acquisition and VMware CEO Pat Gelsinger. He's on a mission to fix security and the company has made a number of moves in cyber. VMware is a really good track record of execution and while fixing security is highly aspirational. With its install base and history of success, we wanted to include them here because they're getting more attention of the CISOs in the ETR panel. So we're keeping an eye on VMware and Carbon Black. It's going to take some time, but we'll keep watching that. Now let's take a look at how the players have moved this year over the quarters. We're going to show you four tables here. We're going to compare the net scores and market share of the cyber companies for January, April, July, and October surveys. So pre-COVID and throughout the year. So let's look first at the pre-COVID positions. The leftmost chart is sorted by net score or spending momentum. And the rightmost chart is the shared ends, which is the number of mentions in the survey, which is what drives the horizontal axis that I showed you earlier. Now, when you go back to the January survey, you see CrowdStrike was already doing very well with an elevated net score of 68.3% in 123 mentions. By the way, please ignore those companies with less than 50N, I didn't filter the data back then. I was kind of still learning how to use the ETR software platform. Okta was also elevated. And you can see the others there as well. Now last year, we came up with a method to assign stars to those companies that had both top net scores and large shared ends in the survey. So spending momentum and strong market share. And you can see Microsoft, Splunk, Palo Alto Networks, Proofpoint, CrowdStrike, Zscaler, and CyberArk made the cut. And we all received four stars. And we gave two stars to Cisco and Fortinet because they had strong net scores and very high presence in the survey. Now let's go forward and look at April when the lockdown was in full swing. OK, so we tightened things up in April and on the presentation of the survey data. And only included those companies with more than 50N. And we cut the top 10. That's the red line. And we then put in there Dell EMC, which is RSA, and IBM for context. And you can see CrowdStrike, they shot to the top with a 68% net score and increased its shared end. And you can see the stars on the right. Now let's just jump ahead to the July survey. So now we're well into the pandemic. Maybe things are calming down a little bit in the summer. People feeling a little bit more freedom. Maybe not as concerned about the work from home piece. That's sort of settling in. And CISOs, they had a little time to respond here. And that's kind of the picture in the summer. Okta jumped way up on the left, you see, in spending momentum. And CrowdStrike, they moderated a bit. Although they remained elevated. And again, they're not direct competitors, but it's instructive to compare these two firms, because they're both hot and growing. And you see the green lines. They show the direction of the momentum of the net score. CrowdStrike was a bit of a concern because its net score dropped and its presence in the data set kind of moderated. But the company continued to report strong revenue during its earnings calls. And the stock remained a darling. So some mixed signals in the data. One quarter doesn't necessarily make a trend. But Okta, Microsoft, Cisco, Palo Alto, Splunk, and several others, they remained very, very strong. Now let's go into the most recent October survey. So again, we continue to fine tune our presentation analysis here. And you can see there are two red lines. The top one is the top 10 cutoff and the second line is the top 20. As we said, Elastic hit the radar for net score, but still not pervasive enough in the data set on the right to earn some stars with the shared ends. So Okta, in our view, continues to hold that top spot for momentum and made the top 10 cut for shared end, two very positive signs. It's shared end, for example, jumped from 139 to 185. So more and more mentions. People are increasingly relying on Okta for identity access management. Now for the green arrows here, the momentum lines, we've tried to take into consideration the shared end. So even though, for example, CrowdStrike's net score dropped from 50 down to 43%, it's shared end, or again, the number of mentions, it jumped from 119 to 162. So that's a 36% increase. And you might be thinking, well, why is that significant? Well, CIOs and IT buyers in the ETR survey, they're asked to choose the areas with which they are most familiar, and then they answer questions on which vendors they use. So the fact that companies like Okta and Palo Alto and CrowdStrike and several others that we've highlighted are increasing their presence in the data set and still maintaining a very strong net score is a really good signal in our view. That's why, for example, take Zscaler, we still give them two stars, even though on a relative basis, it didn't make the top 10 cut. Its net score held relatively firm and its shared end jumped by 39%. So we continue to like names like Zscaler, Okta, CrowdStrike, Cyberock, Proofpoint, Fortinet, and of course, Microsoft, which consistently shines brightly. Let's look at a comment that underscores the CISO sentiment and I think the market overall. Here's a comment from a CISO of a global travel and hospitality company. It's a name you would recognize and obviously this individuals business was hit hard by the pandemic. So there's an inherent bias toward a hope anyway toward a return to the normal. But look at the comment, I'll read it. Quote, I was a skeptic on the permanence of the changes due to COVID, but I've seen firsthand, there are legitimate structural changes that are taking place and that's going to fundamentally shift where companies are investing in cyber. Building leases are expiring. People, they're productive working from home. Products that enable work from home and that are cloud first, that trend will continue and be permanent. And you know what? We agree. Okay, here's a chart that we've been updating right before, since right before the pandemic and it compares the performance of the S&P 500 and NASDAQ with specific security companies that are public. And we've been tracking the revenue multiples on a trailing 12 month revenue basis over time to get a sense of how these companies compare. And you know, we prefer to use forward looking revenue but find TTM to be more consistent and frankly easier to access quickly. So that's what we're using. Now note that Splunk, Octa, CrowdStrike and Zscaler, those are the guys I've highlighted in red, they have yet to report as of this publication. Couple of points here are worth noting. First, we've been talking a lot about the divergence in valuation between Palo Alto and Fortinet. And we'll show some more data on that in a moment but we want to share some CISO comments about Fortinet. People sometimes refer to Fortinet as Fortenife as in Swiss Army Knife. They're the Swiss Army Knife of cyber. Fort to everything is what one CISO called it. Fortinet is more price attractive, especially for mid-sized companies who don't have the resources of larger firms that might gravitate toward Palo Alto networks. And the company's been around for a while and has earned the trust of CISOs because of their portfolio and their track record. Now the other notable item in this data is the rise in value for Octa, CrowdStrike and Zscaler which have seen values increase 78%, 128%, 124% respectively in the time period we show here. You can see the very highly elevated revenue multiples compared to some of the more mature companies. Splunk, they're a bit of an outlier here because we're showing negative growth in that right hand column and that's because of its transition toward a subscription model. That really messes up the income statement and we just wanted to cite that. Splunk's been doing a good job communicating to the street. There are some concerns in the ETR dataset which we've talked about. They've sort of moderated lately. There's also concerns about pricing that CISOs have mentioned but generally there's a real bifurcation in the market in terms of valuations. And we think that while there's a lot of discussion about the so-called stay at home stocks and a shift back away from those when the pandemic subsides, we believe that the productivity benefits of remote work are becoming more clear and these next gen security companies are going to continue to thrive. Now let's take a moment to look at the relative performance of Palo Alto and Fortinet. Back in February this year, we noted that there was a valuation divergence occurring between these two companies and we cited three factors at the time for this gap. First, we said that Palo Alto was trying to cloud-proof its business and as such it was in transition. And second, it had some challenges with regard to the pace of that transition including sales incentives. Actually that's part of the first point. That was kind of 1A. Secondly, we said that the shift away from appliance-based firewalls was accelerating and that was pressuring Palo Alto's valuation. They were kind of underperforming in that segment. And finally we said that Palo Alto was facing some very tough compares in 2019 relative to 2018 and that was causing investors to pause as Palo Alto began shifting to an annual recurring revenue model. Now we said at the time that CISOs really, they really liked Palo Alto and we felt the company would deal with these issues in 2020 and this chart really shows that and they've begun to reverse this trend. The yellow line is Fortinet, the blue line is Palo Alto and it's showing this sort of relative performance here and you can see that gap coming into 2020 which extended into the meat of 2020. But now it's starting to compress thanks to a nice earnings report that beat EPS on revenue this month as we're talking about Palo Alto. So we continue to believe that Fortinet has done a good job and a better job of moving to the cloud model and Palo Alto has largely relied on acquisitions to accelerate this trend and we'll see if they can continue to thrive in during this transition to cloud. But there's little doubt that CISOs want to work with Palo Alto networks and they remain committed to having a strategic relationship with the company. All right, let's wrap. The shift to the subscription model is well underway in the cybersecurity space and it's buoyed by cloud and next generation SaaS based security players. Splunk is in transition. Cisco and Palo Alto emphasize the importance of this trend and virtually all historically on-prem players of being forced to respond. Survey data and anecdotal information from the CUBE community supports what the ETR Venn CISOs are saying that the internet is becoming the new private network and these trends toward cloud-based and remote worker support are delivering benefits that CEOs and CFOs are going to continue to push to operationalize. CISOs, they got to continue to take a multi-layered approach to defending their data, their applications and their users and as such a fragmented market with specialists is going to continue for quite some time. Now, despite these clear trends, CISOs face a real challenge. The timing of the return to semi-normal it's really uncertain and we still don't have a clear picture of what that future will look like. As such, incumbent firms with hardened networks are going to have to remain in a hybrid holding pattern to accommodate whatever happens. Why is that important? Well, this means that budgets are going to be stretched. Look, while security means it remains a top priority, you can't expect an open checkbook going to the SecOps team. Throwing money at the problem wouldn't really solve it anyway. Rather, CISOs have to take a balanced portfolio of investments continuing with automation and data analytics and of course, good security practices, that's going to be the pattern. All right, well, thanks everyone for watching this episode of theCUBE Insights powered by ETR. There are many ways to get in touch at D-Valente on Twitter, david.valente at siliconangle.com. You can comment on my LinkedIn post. I publish weekly on wikibon.com and siliconangle.com and always appreciate the feedback from our community. These episodes, by the way, are all available as podcasts so you can listen while you multitask and don't forget to check out ETR.plus for all the survey action. This is Dave Vellante. Have a great Thanksgiving, be smart, stay safe and we'll see you next time.