Rapid Growth, But Where is the Profit?
The global cybersecurity market is growing rapidly as companies battle to get ahead of emerging threats. Estimates typically put market growth between 10 and 15% per annum and in 2018, the World Economic Forum found that company executives now rank cyber attacks as the greatest risk to their businesses. This ought to be an extremely attractive climate for cybersecurity providers.
However, the profitability of companies offering cybersecurity software and services is surprisingly low. EBIT margins of below 5% are currently commonplace, with smaller operators typically lossmaking (among those we analysed, the average operating loss in 2018 was 9%*). Moreover, margins continue to fall; our analysis suggests that companies have lost an average of 100 basis points from EBITDA margins (200 bps from EBIT margins), over the last 3 years (fig. 1).
The single biggest reason for this decline in profitability is rising staff costs. As a proportion of revenue, staff costs have risen dramatically – at an average of over 100 bps every year since 2014 (fig. 2). Staff cost per employee has also risen, reflecting rising salaries – a symptom of severe talent shortage in the cybersecurity market. Static pricing exacerbates this issue; revenue per employee (a proxy) having only just begun to recover from a fall which started in 2014.
Companies do sometimes hold prices low as a strategy to acquire customers and grow share in a rapidly expanding market (Uber is a prime example), but if that is the case here, it is certainly not having the desired effect. Revenue growth is slowing for most providers, particularly larger businesses who we would expect to see accelerating growth with this tactic (fig. 3).
What is happening here, and where are the profits that the industry should be generating? In a high-growth market, underpinned by constant headlines and significant executive concern, why are cybersecurity providers unable to monetize value?
In our next article we’ll discuss one way in which value is being destroyed in the cybersecurity industry.
*A Note on Methodology
We analysed a sample of 47 leading cybersecurity companies, operating across a wide range of products, services and geographies. Our sample included only companies whose primary activity is cybersecurity (we excluded large systems integrators, management consultancies, etc.). Financial data was taken from local filings from the last 5 years.