Security firm, FireEye, has been getting pummeled from all directions. In layman’s terms, the stock has tanked. The graph below from CNN says it all.
Some analysts claim that the stock was always overvalued and that this was a simple correction phase. Others thought it must have been caught up in a security industry bubble that may be close to bursting. It’s true that the stock experienced wild gains after its IPO in 2013 and reached a high of over $80 per share in early 2014. But last week, something pretty dramatic happened. The stock plunged to around $21 a share. Surely, this couldn’t have happened for no reason at all.
When asked for a reason for this fall, FireEye CEO, Dave DeWalt, blamed the new cyber security agreement between the US and China. The explanation for this answer is a bit convoluted. When FireEye bought security firm, Mandiant, for $1 billion in 2014, they basically bought access to its ability to analyze government-based cyber attacks. In fact, Mandiant was most famous for uncovering attacks on the US from China. At the time, adding Mandiant to FireEye’s portfolio was favorably received by investors. However, the perception of FireEye as being dependent on attacks from China left it vulnerable after the recent US-China cyber agreement. Yet, other security researchers have reported no significant decrease in China-based cyber attacks after this somewhat flimsy oral agreement. In other words, there must be more to the story of FireEye’s demise than just China.
Several other factors have been mentioned as contributing to FireEye’s problems. In June of this year, FireEye’s CFO, Michael Sheridan, left the company, causing a sharp fall in the company’s stock price. Others point out that FireEye spends too much on marketing and sales. This is said to be necessary because FireEye’s products rely on a non-traditional approach to security. To explain these differences, salespeople must rely on face-to-face meetings with potential customers. This, in turn, leaves an opening for security companies with more traditional and more understandable architecture to move in with somewhat similar but lower-priced products. Despite all the talk about getting good security, it seems, when push comes to shove, people still hope to get top-notch security at a bargain price.
If all of this wasn’t enough, FireEye received an unexpected attack from a security researcher who said he found several serious flaws in FireEye’s main product. FireEye eventually admitted to having patched at least one of these flaws but has been reticent to talk about the others. The exposure of these flaws had the effect of calling all of FireEye’s security products, and the company’s reputation, into question. This might be a bit overdone. FireEye may not offer more secure hardware-based security architecture, but it still offers a respectable software solution. Nonetheless, when a security firm has flaws in its products exposed, it is bad publicity no matter how you look at it.
Despite what critics may say, FireEye has been a leader in the security industry for years. It was the first company to be certified by the Department of Homeland Security. It was involved in the investigation of the cyber attacks on Sony, JP Morgan, and Target. They identified the Chinese group behind the Office of Personnel Management attack and uncovered other attacks on the US government. FireEye also helped victims of the dreaded ransomware, Cryptolocker, get their files back for free. They have also discovered numerous zero-day exploits. In short, they have been at the cutting edge of security for a number of years.
These positive aspects of FireEye seem to have been ignored after last week’s fall in the price of its stock. Many analysts, including Merrill Lynch, have lowered their expectations for the company’s future, even though they expect demand for security products to increase overall. The security landscape is becoming more competitive and firms that may be little known today may become the big players tomorrow. Keep in mind that FireEye launched its first product only 9 years ago. In fact, increased competition is the most cited reason as to why FireEye’s future may be questionable. Others point to recent changes in executive personnel. Such changes can give the appearance of instability which can spook investors.
All this aside, I wouldn’t be so quick to write off FireEye just yet. There is simply no way to predict which kind of cyber attacks loom ahead, but you can be sure that they are out there. When these attacks occur, most victims will look towards time-tested companies to help them out. This, plus their ability to identify zero-day exploits, will continue to keep FireEye in the news and keep its profile high. Nonetheless, the fall of FireEye from market darling to market pariah in so short a time highlights the current volatility of the security landscape. Any cyber security firm that offers a legitimate product can suddenly be launched into the limelight. Others will pass away unnoticed and others, still, will be acquired by larger companies which will scramble to broaden their bases in an attempt to get some of that money-making limelight for themselves. Actually, gaining some of the limelight may not be the biggest problem. The problem will be staying in it.