
Cybersecurity Series: Lesson One

Best Practices for the Cybersecurity Provider

May 14, 2019
By Tim Nixon & Jenny Brand

Rapid Growth, But Where is the Profit?

The global cybersecurity market is growing rapidly as companies battle to get ahead of emerging threats. Estimates typically put market growth between 10 and 15% per annum, and in 2018 the World Economic Forum found that company executives now rank cyber attacks as the greatest risk to their businesses. This ought to be an extremely attractive climate for cybersecurity providers.

However, the profitability of companies offering cybersecurity software and services is surprisingly low. EBIT margins below 5% are currently commonplace, with smaller operators typically loss-making (among those we analysed, the average operating loss in 2018 was 9%*). Moreover, margins continue to fall; our analysis suggests that companies have lost an average of 100 basis points from EBITDA margins (200 bps from EBIT margins) over the last 3 years (fig. 1).

The single biggest reason for this decline in profitability is rising staff costs. As a proportion of revenue, staff costs have risen dramatically – at an average of over 100 bps every year since 2014 (fig. 2). Staff cost per employee has also risen, reflecting rising salaries – a symptom of a severe talent shortage in the cybersecurity market. Static pricing exacerbates this issue; revenue per employee (a proxy) has only just begun to recover from a fall which started in 2014.

Companies do sometimes hold prices low as a strategy to acquire customers and grow share in a rapidly expanding market (Uber is a prime example), but if that is the case here, it is certainly not having the desired effect. Revenue growth is slowing for most providers, particularly larger businesses, which we would expect to see accelerating growth with this tactic (fig. 3).

What is happening here, and where are the profits that the industry should be generating? In a high-growth market, underpinned by constant headlines and significant executive concern, why are cybersecurity providers unable to monetize value?

In our next article we’ll discuss one way in which value is being destroyed in the cybersecurity industry.

*A Note on Methodology

We analysed a sample of 47 leading cybersecurity companies, operating across a wide range of products, services and geographies. Our sample included only companies whose primary activity is cybersecurity (we excluded large systems integrators, management consultancies, etc.). Financial data was taken from local filings from the last 5 years.

The views and opinions in these articles are solely of the authors and do not necessarily reflect those of Teneo. They are offered to stimulate thought and discussion and not as legal, financial, accounting, tax or other professional advice or counsel.
