Analysts revise security stocks outlook

Internet security stocks were supposed to be the last safe haven for technology investors. But now the group of companies that gives hackers nowhere to run to is giving investors nowhere to hide.

Internet Security Systems warned last Monday that it would miss estimates for its upcoming quarter by up to 17 cents per share. The following morning, Check Point Software Technologies said it would fall short of revenue estimates but hit earnings targets.

Now analysts have lost their earlier confidence and say most companies' security budgets can be trimmed after all. IT managers say that a large fraction of their security spending can be cut without any serious threat to safety.

YES

Recent profit and sales warnings won't be the last from security software vendors, because there is more whittling down of technology spending budgets to come, said Jordan Klein, analyst with UBS Warburg. "Up to 80 percent of security spending is nonessential," he said in a telephone interview.

That's a radical change from what he said a few months ago.

"We haven't seen any significant slowdown in the sector," Klein said in March, when companies like ISS were still reiterating their targets.

Two factors were supposed to protect this privileged group of companies from the encroaching economic plague, according to common belief in the industry:

• Security is essential. Almost every company needs some kind of security software--from brick-and-mortar companies that just need antivirus software to e-businesses that require VPNs (virtual private networks) and more complex internal safeguards.

• Security comes cheap. Companies won't leave themselves open to hackers or risk a media thrashing by leaking customer data for the sake of a few hundred thousand dollars, so security spending is often the last item cut from a technology budget. The low cost of contracts also works in the favor of security companies' financial results since it means that most security software vendors have many small deals rather than a few big ones; thus, losing a few contracts doesn't have a huge impact on numbers.

Warnings from ISS and Check Point don't completely invalidate those points. Industry observers now believe a large chunk of security spending is not essential. However, they said, contracts are only shrinking, not being eradicated.

Only firewalls and antivirus software are "must have" products, Klein said. "They're like security guards at a bank," he said. "But moving down into intrusion detection, access management, and public key infrastructure (PKI), there isn't as much priority."

Firewalls and antivirus software are also the cheapest security measures to take, so vendors such as firewall provider Check Point are holding up better than security vendors in other niches.

"Our revenue may have been a little less than expected, but it's up 55 percent year over year," said Check Point President Jerry Ungerman in a phone interview. "We're at the top of the ladder in terms of relative importance."

Ungerman said some firewalls can cost $5,000 to $20,000, which he said is a much lower unit price than other security products.

"The most a company could spend is less than 5 percent of its budget, probably in the 2 to 3 percent range," he said. "That's what's advantageous to us. We don't get cut as much as million dollar projects."

Although many analysts believe the relative importance of Check Point's products insulate the company from spending cutbacks, a few observers see the company as more vulnerable because of its customer base.

"The companies who will be facing the most challenging times in the near term would appear to be those with the exposure to large enterprise deals and foreign markets," said Tucker Anthony analyst Frederick Ziegel in a research note titled "Information Security Industry--Is ISS a Harbinger?"

Zeigel cited Check Point, Network Associates, RSA Security and Symantec as examples of companies with large enterprise exposure.

Companies with more expensive and complicated products could suffer the most from the technology spending slowdown, analysts said. Some of the most complex security software comes from ISS, RSA Security, Entrust and Baltimore Technologies.

That's why Entrust trades at around $5 a share, down from a 52-week high of $81.68, and Baltimore trades at around 50 cents, down from a 52-week high of $28.50. They have the most expensive software, and therefore they felt the cutbacks first, Klein said.

"Instead of spending north of $500,000, companies are buying a tenth of that," said Klein, who noted that most companies slowly whittle down their contracts rather than canceling them all together.

Take Metropolitan Life Insurance as an example. MetLife has cut back spending without making itself more vulnerable to security breaches, said Mike Stoico, the security specialist in the MetLife's Enterprise Security Unit.

"It's just that expansion isn't as fast as we want," Stoico said. Rather than canceling any projects that had been in the works, MetLife, which uses a combination of software from ISS, Check Point and others, has just slowed down the pace on new developments.

Security companies' average deal size is around $1 million, estimates Klein, who said that implementation costs drive up even the less expensive software purchases. Most companies spread out their purchase of software by implementing it over three phases, but now some companies just aren't going to go to phase two or three, Klein said.

Check Point, ISS, Symantec and BindView have already warned. Here's a summary of security companies analysts are keeping on eye on; some may be next in line for a warning, and some may be safe after all.

• Entrust, according to First Call, is expected to lose 25 cents a share on revenue of $32.5 million for its upcoming second quarter. Analysts expect that the company can make those numbers.

"The company's business has stabilized since its recent first-quarter shortfall," wrote Pacific Crest analyst Rob Owens, who added that the company's restructuring is beginning to take effect. Entrust could also get a boost from low expectations; analysts already slashed estimates for the company after it missed estimates for two straight quarters. "Numbers are so low it's bound to make them," Klein said.

• Netegrity also looks set to make its second-quarter numbers of 9 cents per share in earnings on $25.3 million in revenue. Because the company's quarterly report is scheduled for July 25, and it has not mentioned a pre-announcement, there probably won't be one, Klein predicted.

• Network Associates has already lowered its numbers for the upcoming third quarter, but there is some risk it could miss them considering competitor Symantec's recent shortfall, Owens said. First Call is expecting a break-even amount per share, but Owens predicts a loss of 4 cents per share.

• RSA Security is expected to report earnings of 18 cents a share on revenue of $83.9 million. Because the company will report its results relatively soon--July 12--there's little chance of a warning, analysts said.

• Watchguard. "After the company's first-quarter shortfall," Owens wrote, "estimates are at a more realistic level. He believes the company will make First Call's estimated loss of 10 cents a share on revenue of $16.7 million.

• Verisign is a favorite pick for analysts. According to First Call, the consensus is for 14 cents per share in earnings on $231 million in revenue.

"It's the only one I feel comfortable will make the quarter," Klein said.

Whatever these companies do in the near-term, they're still good bets in the long run, according to analysts. Though many changed their tune on whether these stocks are "safe havens," all said security is going to be among the first sectors to rebound when the economy heals.

"Investors should get their shopping lists together," Zeigel wrote. "In our opinion, information security stocks will be a major theme in the next bull cycle."