Playing small ball in the big leagues

by Brenon Daly

Over the past two years, no single IT sector has put forward more highly valued IPOs than information security (infosec). Spurred by ever-increasing spending by CISOs, startups across the cybersecurity landscape are either big or getting big fast. As they graduate up to Wall Street, growth-hungry investors have lavished rich, double-digit valuations on infosec startups.

So what, then, to make of the recent IPO filing by Tufin Software Technologies? The security policy management vendor is heading to the NYSE on the back of a year where it did less than $100m in sales. And its growth rate, while a solid 30% in 2018, barely matches the pace of some of the recent infosec debutants, even as they put up more than three times more sales.

And then, there’s the crucial consideration of how – and when – Tufin generates those sales. In the current era of cloud-delivered software, Tufin sells its product in the conventional model of software licenses, plus maintenance and professional services. Further, those sales are heavily back-end-loaded, with a make-or-break Q4 providing about 34% of total revenue for the company.

It’s worth noting that all five of the other infosec providers to come public since the start of 2017 derive at least a portion of their sales from subscriptions, with the two richest valuations being given to the fully cloud-based vendors. (Zscaler trades at an astronomical 34x trailing sales, while Okta garners 23x trailing sales.) Subscription revenue tends to be more predictable than lumpy sales of licenses, particularly when the average price tag of just the software – as it is in some cases at Tufin – climbs above $200,000.

That’s not to say that Tufin doesn’t have the opportunity for growth in front of it. In its prospectus, the company cites a 451 Research Voice of the Enterprise survey of 550 IT buyers and users in 2018 that shows that 83% of the respondents do not currently run any security automation and orchestration technologies at their company. Yet, encouragingly for Tufin and other vendors, more than half of the respondents (54%) plan to have them in place by 2020.

In addition to Tufin, we suspect that at least one other company will likely be paying very close attention to the upcoming IPO. Rival Skybox Security, which we understand is roughly the same size as Tufin, is thought to be tracking to an offering of its own. The difference, as we heard it, is that Skybox is targeting a debut in 2020, when it will be north of $100m in sales.