Snapshot
Many say that an organization’s greatest asset is its people. Conversely, they can also be a company’s greatest security risk. As investments in security products grow significantly, attackers are increasingly leveraging social engineering to circumvent the traditional layers of cybersecurity defense. Social engineering relies on the manipulation of human behavior and can range from enlisting unsuspecting employees in schemes to defraud their employers, to preparing for broader, multi-stage cyberattacks that can result in devastating breaches. Because these attacks are low-cost and high-volume and have a high probability of success, they enable attackers to achieve a significant return on investment. Social engineering represents a universal cybersecurity risk, as it specifically targets the employees rather than the infrastructure of an organization. As such, social engineering risks affect every organization, regardless of the sophistication of their security infrastructure.
KnowBe4 Inc. has developed a leading security awareness platform enabling organizations to assess, monitor, and minimize the ongoing threat of social engineering attacks. They are pioneering an integrated approach to security awareness that incorporates cloud-based software, machine learning, artificial intelligence, advanced analytics, and insights with engaging content.
The company’s platform is built to drive awareness, change human behavior, and enable a security-minded culture that aims to mitigate risks. It has also been designed to meet the needs of IT administrators, ensuring it is effective, scalable, quick to deploy, and easy to use for organizations of all sizes. As a result, KnowBe4 has developed a go-to-market strategy that reaches small and midsized businesses, by employing an efficient sales model that translates across all customer segments. This is complemented by channel partnerships that have enabled the company to also penetrate the larger enterprise market.
With businesses of all sizes exposed to the risks of social engineering, KnowBe4 is currently focused on exploiting the large opportunity available. This is to be achieved not only by investing across its sales and marketing activities to drive broader market knowledge of the importance of security awareness, but also through its technology and development activities to continuously strengthen the platform and add value for customers.
Background
In 2010, after his previous company Sunbelt Software was acquired, Stu Sjouwerman, a veteran IT industry entrepreneur, put up $1 million of his own money to build the infrastructure for a new security awareness and training company. A year later, due to a chance encounter with a mutual friend, Stu met “the world’s most famous hacker”, Kevin Mitnick, and offered him the role of “chief hacking officer”. In return for his knowledge, expertise, and his reputation, Kevin became an equal partner in the business.
At the time, high-profile news events were raising awareness of cybersecurity, and KnowBe4’s sales quickly grew. By 2015, KnowBe4 had become the world’s most popular integrated awareness training and simulated phishing platform, with more than 1,000 enterprise customers using it to school their employees on cybersecurity. Over the years KnowBe4 has significantly expanded its footprint and boosted its capability with several acquisitions including Securable.io, Popcorn Training, exploqii, El Pescador, Twist and Shout Group, and MediaPRO, leading to its most recent purchase of SecurityAdvisor, a platform that leverages a network of more than 50 cybersecurity partners to identify and correlate human behavior-driven security alerts, which, in a valuable addition to the business, made real-time detection and response possible.
KnowBe4 holds a global presence with more than 47,000 customers and records hundreds of millions in revenues annually, an effort that earned it the title of Cybersecurity Company of the Decade from Cybercrime Magazine. The company successfully went public in 2021. It is now focused on scaling to a milestone of $1 billion of annual recurring revenue.
Leadership
Founder and CEO, Stu Sjouwerman, is a serial entrepreneur and data security expert with more than 30 years in the IT industry. An accomplished technology author and five-time Inc 500 award winner, Stu has led KnowBe4 from its inception. Along with his CEO duties, Stu is editor-in-chief of Cyberheist News, the company’s e-zine tailored to deliver IT security news, technical updates, and social engineering alerts, which has amassed hundreds of thousands of subscribers.
Kevin Mitnick continues to be KnowBe4’s Chief Hacking Officer, also distilling more than 30 years of first-hand hacking experience into the company’s online training modules to ensure employees are properly equipped to deal with attacks and can spot social engineering red flags.
Customer
Despite being the most effective way for companies to manage the risk of social engineering, security awareness has historically been isolated to information security teams, focused on compliance and simplistic content delivery.
The KnowBe4 platform is designed to not only promote awareness but change human behavior and drive a security-minded culture. By combining automation, machine learning, artificial intelligence, and continuous testing with data analysis and interactive content, the company’s products aim to enable customers to strengthen their overall security proficiency with active user participation. On-demand, interactive, engaging training, coupled with unlimited simulated social engineering attacks through email, phone, and text, focus on mitigating the human element of security risk across an entire organization.
KnowBe4’s platform currently includes several products covering business needs across Security Awareness, Security Orchestration, Automation and Response, and Governance, Risk and Compliance:
• Kevin Mitnick Security Awareness Training (KMSAT) – the company’s flagship Security Awareness Training product that combines automated phishing and social engineering simulation tests with engaging and curated content spanning across a variety of mediums.
• Compliance Plus – provides organizations’ employees with content as well as training modules that address compliance topics ranging from data privacy to business ethics to diversity, equity, and inclusion.
• PhishER – a tool to help security administrators deal with the influx of user-reported social engineering attacks from an employee base that was made increasingly knowledgeable with KMSAT.
• Compliance Manager – an intuitive user interface with streamlined workflows that enable visibility into the ongoing audit and compliance processes at all levels of a business.
In addition, as part of KnowBe4’s go-to-market strategy, they offer a set of free software products. These include phishing, password, email security, and other security awareness training tools that not only help generate leads for its sales teams, but also help organizations assess their vulnerability to various formats of phishing attacks. They also allow potential customers to benchmark their security awareness levels and help IT teams create and deploy security awareness programs. These free tools are often converted into paid products after adding more functionalities.
Thematic
Historically, organizations have invested significantly in cybersecurity defenses with the belief that infrastructure-centric tools alone could provide adequate protection. Despite the material amounts spent each year, security breaches continue to be reported with increasing frequency. Additionally, recent trends, including globally distributed workforces, work from home and the technological complexity of the modern digital workplace have vastly expanded the attack environment.
KnowBe4 believes that infrastructure-based security controls alone are inadequate, requiring humans to become the critical last line of defense for an organization. In growing the category for security awareness, they have focused on building a platform capable of changing the behaviors of individuals, investing development resources to drive differentiation designed to address the human layer of security.
With the scope of this human layer constantly expanding, the ability to scale their technology to meet the needs of all organizations has been a central tenet of KnowBe4’s philosophy. As a result, they have made products that are both accessible to smaller businesses without dedicated IT departments and scalable to organizations with hundreds of thousands of users and multiple security teams dispersed across the world. Furthermore, a cloud-based delivery model and global content centers allow the company to regularly introduce new content and platform features to customers quickly and seamlessly across the globe. Since its inception, KnowBe4 has focused on growing the small to medium-sized customer base and believes that there is a significant opportunity to increase penetration in the enterprise segment.
International expansion is also a major strategy theme as the company looks to increase its physical presence in Europe, the Middle East, Asia-Pacific, and South America. In addition, they are investing in further localizing products through foreign language translation and customized content. The platform is currently accessible in over 30 languages, which they plan to expand on, along with increasing region-specific content offerings.
To assist this, KnowBe4 also plans to increase its channel partnerships to efficiently reach new territories, where managed service providers can provide an effective way to sell to smaller customers, as organizations with limited or no IT departments often rely on third parties to provide specialized knowledge.
While expanding the customer base will be a major focus, continuing to cross-sell products and upsell subscription tiers within the company’s extensive existing client list should also provide substantial opportunities. Along with the increased capabilities brought by the recent SecurityAdvisor acquisition, which is expected to add an estimated $5 billion total addressable market, new adjacencies and solutions will be invested in to retain existing customers and drive increased spending. This will include a new product being planned to launch in the second half of 2022, codenamed Password IQ, which will be used to mitigate risks related to password hygiene issues.
Financials
KnowBe4’s significant market presence as a result of a growing customer base across virtually all industries and multiple geographies has seen the company grow revenues rapidly in the last few years. The customer base grew by 28% in 2021, resulting in revenues increasing by $71.4 million or 41% to $246.3 million for the year, while annual recurring revenue also increased 44% to $285.4 million. In addition, the company’s diverse spread of clients has ensured no single direct customer represents more than 10% of total annual revenue.
Despite posting a net GAAP loss of $11.8 million for 2021, non-GAAP net income, which excludes stock compensation expenses in particular, was $23.2 million for the year, as the company maintains a culture of incentivizing employee participation as long-term shareholders. Furthermore, they continue to invest in growth initiatives and are still in the early stages of international expansion, while strong cash flow generation saw the company end the year with approximately $274 million in cash.
Looking ahead to 2022, based on maintaining the company’s current product mix, KnowBe4 expects to continue its strong momentum seen in all segments and international markets. It is forecasting to achieve revenue between $328 million and $330 million, or approximately 34% year-over-year growth, which is also in line with consensus estimates. Additionally, consensus EPS growth of 19% would see earnings per share come in at $0.13, up from $0.11 in 2021.
Risks/Competition
While KnowBe4 operates within the broader cybersecurity market, it is one of the only companies that are primarily focused on the human layer of cybersecurity, with the security awareness market largely greenfield. According to KnowBe4, certain larger enterprise providers attempt to address the awareness market through their own infrastructure-centric product offerings; however, these are often tied to other products within their portfolio and do not focus on changing human behavior. While there are some smaller security awareness focused companies in the market, none have grown to a meaningful scale to be considered a material competitor.
However, despite the company’s compelling outlook and strong market proposition, with a current forward price-to-earnings multiple of 179.2, it appears investors are required to pay a solid premium for future growth.
Conclusion
Benefitting from a niche product within a ubiquitous and growing industry, KnowBe4’s solid history of customer retention and growth has it well placed to deliver on its future expansion plans. The company’s efforts to continue bolstering its product offering and upsell to existing clients, while investing in its sales force to ensure awareness of the platform continues to build, should underpin a robust growth path, and strengthen its leadership position over the longer term.