NEW YORK (The Deal) -- As corporations have spent hundreds of billions of dollars to move their information technology systems and applications to cloud architecture in recent years, they have found themselves with an immensely valuable portfolio of assets to protect from a new wave of cyber criminals, state operatives and hacktivists.
Philippe Courtot, chairman and CEO of cloud security outfit Qualys (QLYS) - Get Reportsaid in a recent interview that major advances in technology have typically spawned such challenges. "When the railroad came in," Courtot observed, "suddenly what we realized is that there were a lot of pickpockets in the train stations."
Qualys provides cloud security on a service billing model. It is among a group of companies that have seen spikes in their share price as high-profile hacking and M&A premiums have highlighted the value of security technology.
"Security comes always after," Courtot said. "The reason that security always comes after is because you cannot anticipate all of these security holes you will have as you are building this new infrastructure."
Shares of Qualys are up 16% in 2014, and have more than doubled since the stock priced at $12 per share for its September 2012 initial public offering. At its Feb. 11 high of $29.94, the stock was up nearly 30% for the year.
Several competitors have also shown recent gains in their stock prices this year. Imperva Inc. (IMPV) - Get Report has gained 28%. ProofPoint (PFPT) - Get Report shares have gained 26% and Palo Alto Networks (PANW) - Get Report is up close to 29%. FireEye (FEYE) - Get Report which is closing the nearly $1 billion purchase of Mandiant, has gained 66% in 2014.
While the stocks have soared, there have been patches of turbulence. Qualys had a nearly 20% intraday drop following its earnings report earlier this month, but closed up on the day. Similarly, FireEye fell 11 % when it reported a larger than expected first-quarter loss.
Pacific Crest Securities analyst Rob Owens wrote that Qualys has had "a fantastic run through 2013 and 2014," in a report following the company's fourth-quarter earnings report in February. Qualys remains "a quality story with reacceleration on the horizon," Owens stated, "but much of that is reflected in the current valuation, in our view."
Baird Equity Research analyst Steven Ashley wrote that much of the company's focus is on the next generation of products, which will drive future growth but will not likely boost 2014 results. Qualys said it plans to release two products at the RSA security conference in San Francisco in late February.
While security companies have grown swiftly, they have invested much of their cash in technology to stay ahead of their competitors and ahead of hackers. Margins will remain tight as companies fight to gain business.
"It is going to be a race of these new companies," Courtot said of the emerging generation of security providers.
Research and data company IHS projected recently that enterprises will spend $175 million in cloud infrastructure and services this year. The company said it expects the number to grow to $235 billion in 2017.
The increase in cloud computing and use of mobile devices presents a conundrum for security. "Where does my network start and finish?" Courtot asked.
"I have apps on Amazon. I have a lot of endpoints. I have mobile devices. I have to do business with a lot of people," he said. "I have to exchange data between partners."
News that hackers used credentials issued to a heating and air conditioning contractor to break into Target Inc.'s systems underscores the difficulty of plugging every gap in a network's defenses.
"Now you realize that my AC system is connected to my network because it was very convenient to de-provision or provision users and now the bad guys use that as an entry door and that's how it started at Target," Courtot said.
The Qualys chief acknowledged that there will be more consolidation, but declined to comment on the likelihood that Qualys would become a target.
The shift to the cloud and the narrow field of cloud security companies could make the company appealing to a larger security company such as Symantec Corp. (SYMC) - Get ReportCheckpoint Software Technologies or Fortinet (FTNT) - Get Report.
Nonetheless, Courtot said Qualys could be a buyer. The first criterion for a target, he said, would be the quality of the management team and the ability to keep talent at the company after an acquisition. Second, the target would have to have a cloud architecture, rather than a legacy enterprise network security model.
Courtot pointed to the winners and losers in social media to illustrate the importance of architecture. Friendster preceded Facebook (FB) - Get Report but it developed an architecture that did not scale well. MySpace.com took over, but kept its architecture closed. Facebook opened its infrastructure to developers, and supplanted MySpace.
The third criterion, Courtot said, is "of course you don't want to overpay."