A niche cybersecurity business: FirstWave Cloud Technology

David Kirton is the CEO of FirstWave Cloud Technology. This is another request from a subscriber who wants to know about them and it’s an interesting business, so we thought we’d do it. 

They are a cybersecurity business with a particular niche where they translate enterprise grade cybersecurity for small companies and they’ve just done a deal with Cisco systems. Whereby Cisco is going to white label their product and sell it to telcos as a Cisco product. 

Unfortunately, the share price has been falling this year from 35 or so cents down to around 20 cents and they’ve got to raise some more money, so a bit of a problem there in that they’ll be diluted a fair bit because they will probably raise some more money.

As I’m speaking to them on Monday 29^th of October, they’re about to have a board meeting and probably will announce very soon to have another capital raising. They’ve got an ambition to grow to about USD$100m revenue which is a fair way north of where they are now, but an interesting company and worth a look I reckon. 

Here’s David Kirton, the CEO of FirstWave Cloud Technology. 

David, perhaps you could just start by telling us a bit of a background about the company, in particular, focus on what exactly the technology is and how it came about?

Yes, that’d be good, Alan.  FirstWave’s been around for quite a number of years, it’s was started in 2001 by two individuals.  One remains a director to this day, a gentleman by the name of Scott Lidgett and the other remains steel an employee of the company, Greg Maren – they are still our two biggest largest shareholders.  Just shortly after Scott and Greg started the company, our CTO, Simon Ryan, joined.  Our CTO, Simon Ryan, had a background at Telstra Research Labs.  He exited out of the research labs at about the time 2004 when Telstra made the decision to shut down the research labs.  He really was looking for a company whereby he could actually get closer to customers and to able to have an impact with customers with his area of focus and speciality. 

When he’d been working at the research labs he’d been doing cloud-based work, very early back in those year.  He also had a focus on data classification and he was working on early artificial intelligence and implying that into a customer environment.  So, the origin of the WAVE acronym, Alan, is some work that the company was doing for Telstra at that particular time.  WAVE stands for wholesale anti-virus engine.  That’s how the name was evolved.  It was the first wholesale antivirus engine that the company was developing with Telstra. 

What exactly did Greg Maron and Scott Lidgett start?  What was the business then?  Because I’m hearing the technology was created after they started the business by Simon Wright, is that correct?

It was.  They were effectively in product and technology distribution.  That was their background, they’d been working and they’ve been basically distributing out Apple products and other technology elements, so they’re effectively starting up a technology resale distribution company that saw an opportunity to move into professional services and technology services and I think it was with the addition of Simon to the team, that the whole platform and journey started.

Simon came on and created – what is it?  Wholesale….? What does it stand for again?

At the start they were working on a wholesale anti-virus engine.  Effectively, this is well before my time, Alan, so it’s sort of pre-dating some of my history, I may need to check some of the facts for you.  But basically, it was working in a dedicated way for Telstra developing cloud based anti-virus engines for different parts of the wholesale business. 

And so is that still the basis of a company, the whole anti-virus engine based on cloud.  Is that really what you’re talking about?

Yeah, it’s changed a little bit over the years, so effectively having done that work with Telstra and doing up specific expertise around a particular email security.  The company in 2014 saw that it had the potential to take the technology that it had built and developed and that was working in a tier 1 telco in Australia, and to take that technology to the world.  So, in essence, what we do today is that we’re a technology company.  We have developed an orchestration engine that has been purpose built for Telcos and managed securities services providers, so it’s enterprise grade and it focuses on the cybersecurity vertical and it virtualises security appliances in the crowds. 

It’s two things that we’re actually doing.  One is the orchestration engine which simplifies and automates the order entry service activation billing process for the telco, manages the security life cycle end to end and then it virtualises security appliances.  One of the things I try and get people to understand about our company is that we’re only a small company, $25m dollars has been invested in the company over that period.  Cybersecurity is a very fragmented business, there’s lots of intense competition around the world. 

We’ve carved out a niche for ourselves in that space where we effectively are targeting Telcos and managed securities service providers using our orchestration engine and our unique approach to multi-tenanting, which means that basically any customer of any size whether it’s a large corporate government type customer or even just a small five-seat business can effectively get access to the same enterprise grade cybersecurity.

Tell us what you mean by virtualisation of appliances, what does that mean?

Yeah, basically what we do is the multi-telling approach, it’s rather than taking a traditional approach, Alan, of trying to run many tenants inside a security appliance, what we actually do is the platform takes many appliances and then we form them into homogenous elastic pools.  What that does is over these we add a separate layer that isolates the data and the policies on a per tenant basis.  What that approach gives us is it gives us cloud scalability that is telco grade, but also allows the data and resource isolation necessary which breaks the usual, dependencies between vendor infrastructure, licencing complexities and service lifestyle requirements of a security of a service offering such as managing a licence. 

In simple language what that means is that, if you think about a big company that needs a very strong cybersecurity defence, it will generally have money to spend, it’ll have an IT department, probably a Chief Information Security Officer that has a lot of intellectual property and knowledge about how to protect the company.  If you’re a small company, you generally won’t have the money to spend or you may not necessarily have the dedicated expertise in your organisation.  What we actually do is enable you and other organisations like you to be able to share access to the cybersecurity tenancy that we create.  Therefore, rather than having to be a big customer having dedicated access to a cybersecurity application, you can share access to that cybersecurity application using the multi-tenancy approach that we have developed in our platform. 

Well, to sum up, it sounds like you’re selling access to small companies, to something that would otherwise be only available to large companies, is that correct?

That’s exactly right, Alan.  In a sense that’s been one of the big changes that we’d make.  In our early years, we would dedicate it to the upper end of town and one of the things that we’ve been able to do more recently with our technology and with our attempts to basically take the technology onto a global platform is that we actually make enterprise grade cybersecurity available to all businesses. 

Obviously small businesses have access to cybersecurity software, there’s no shortage of that but as you say there’s tons of it everywhere.  What’s the edge that you provide, what’s good about your sort of enterprise grade software that is not true of what they can get hold of now?

Well, there’s two things I think, Alan, of what we’re targeting for.  One is, is that we target telcos and manage security providers.  Effectively, the small business can effectively get that as a part of their telco bundle.  They would be able to get their cybersecurity along with their broadband, their collaboration, their other services, etcetera, that they get.  They can get that monthly on a single bill and on a monthly subscription basis.  Essentially, they don’t have to worry about the determination of what’s the best product or which is the best offering for them to go and take.  Effectively they can bundle it up as a part of their monthly telecommunications bill.  On the other side of it, we effectively choose the best degree products that we’re virtualising.

We are working with companies like Cisco and Palo Alto networks, to a lesser degree, Fortinet, who are the companies that are investing the most in cyber security globally and you have a significant investment in the virus engines and we effectively provide the access through our technology to those products.  We’re generally only choosing products that are in the top right-hand quadrant of the Gartner suite, that they’re really at the bleeding edge.  And traditionally, only the bigger organisations would have had the budget to be able to afford.

What do you charge for it?

We charge a monthly subscription fee, Alan.

Of what?

Well we charge the telco and then the telco or the managed security service provider would charge the end customer.  Roughly, if you’re buying an email service.  You might be paying something in the vicinity of about $4 per month for each user that you have on the platform.  If you buy a web-based service and it’s a similar sort of thing.  If you’re buying a firewall for your environment it’s a slightly different model because essentially, email and web-based pricing is user based.  Firewall is organisation based.  Generally, we’re sort of in a position where you can get an email and a web bundle for around about $6 dollars a month per user in your environment.

And what does it actually do to the email, does it clean it until the email arrives or what?

Yeah, it stands and filters it.  So, basically, if you’ve got a domain name, essentially what happens is, is you change the pointer of the MX record, so effectively it goes to our email filter.  That’s run through the security filter that we apply over email is a Cisco based product.  It gets run through Cisco’s security engine and then once it’s got through their, if it’s clean it then comes through our security engines and we use different classifieds.  You can set your policies, you can set your environment up to basically quarantine to make sure your email is scanned, to do things like retaining your data.  There’s a whole series of valuated services that we provide over the top of the standard filtering services provided by Cisco.

You mentioned before – and it clearly is – you’re a niche in the big cybersecurity market, which obviously is huge and growing.  How big, or rather, how small is your niche?

We think that the market opportunity that we’ve got – our aspiration is to try and grow to about 1% of the cloud cybersecurity market, Alan.  We think the cloud component of that market is going to about US $10 billion.  Last year, we turned over $7.8 million dollars’ worth of revenue, but we have a 5-year business plan to try and grow the business to north of $100m Australia, which would have us at about 1% of the global market.  In support of that objective, in July this year we signed a software OEM agreement, which is an original equipment licencing and development agreement with Cisco. 

One of the things, Alan, that I should point out is that we don’t market the FirstWave brand.  Essentially, we’re a white label technology offering.  If we were approaching and selling our product to a telco, or even to a Cisco or a Palo Alto network, one of the things that we would do is that we effectively provide our technology as a white label and then they effectively put their brand and their value add over the top of that as they sell that to their end customers.  Under that OEM agreement, we’re working with Cisco at the moment to effectively – we’ve licenced our technology for them to integrate into their product road map and into their platforms and we are working with them towards the launch of our platform under their product road map and their branding in the quarter three of this fiscal year. 

How does the deal with Cisco work?

Essentially, we receive a royalty per user, Alan, for each of the email users or the web-users that sign up to the platform.  Essentially, the way the value chain would look is that our technology is provided to Cisco on a royalty basis.  Cisco will effectively brand that technology and sell it to their service provider customers around the world, service providers being generally a telco organisation and then that telco organisation can effectively either sell those as a Cisco security offering or they can re-budget and sell it under their own offering as a part of a bundle. 

There’d be two other margins put on?  Cisco’s margin and then the telco’s margin put on top?

Yes, when it goes through the telco channel, yes.

You’ll get squeezed down the bottom?

Well, we’ve got a royalty agreement locked in based on volume.  It is a – our business model really is a scale model and it is difficult when you’re a small company trying to negotiate with these larger organisations.  The royalty arrangement that we’ve got in place, if we can hit the target volumes that are in the business plan, it provides a strong economic return for the investment that we’ve got.  But the business does have to scale, and we don’t have the capital structure at the moment in our business to build and market our brand globally which is why we’re choosing to partner with companies like Cisco and Palo Alto network.  Cisco, globally and with Palo Alto networks locally.   

It’s interesting, I mean Cisco’s obviously a colossal company obviously and so is Palo Alto networks, for that matter.  I mean, I’m surprised they didn’t just buy you.

I think if we were still a private company, Alan, and not a public company, that may well have happened.  The fact that the company is now publicly listed and, on the markets, means that it’s up to us now to work with these agreements and to win as many customers as we can and connect ourselves to these organisations.  But if we were a private company than I think that probably would have been.  Certainly, it’s one of the things that they had mentioned to me previously that, at the moment, with a fair component of our value already on the table, we have to effectively prove out our technology with them and build a scale.  And we may well become something of interest to them into the future. 

Do they have many licencing deals like this with others?  I mean, I’m just wondering whether you’re in a crowd of people that they’re selling? 

Not so much, they did find OEM agreements with other technology players.  I think one of the things that does make us a little unique is that it’s a white label offering, and they’ll be branding it and selling it out through their channels.  But I think it is fair to say that there is competition in this space not just from external to Cisco, but certainly Cisco has a road map.  Our niche is targeting telcos and service providers globally.  We’ve got an opportunity to take advantage of that and that’s what we’re working very hard with them on at the moment on having the offering ready to launch and being launched onto their global stage in a year.

How much protection do you have for your technology, I mean, could somebody pinch it?

Well, I think we’ve got some patents over some of the technology.  We own our own IP, Alan, but I think we would be naïve to think that if someone had a big budget – and look, to be frank, a number of the decisions that generally take place at the telco level or even in the conversations where Cisco is a build or a buy type equation, one of the things that plays to our advantage is the 10 years’ experience that Simon and his team has had in purpose building this solution inside a T1 telco environment.   I’m not naïve in that sense.  Our window and speed is critical for us. 

We had to take advantage of the technology that we build and the opportunities that we have in the market place.  If someone – and there are plenty of organisations out there that have bigger budgets and have more development resources than what we do.  If they through their mind to it, then it’s not impossible that they could replicate what we’ve got, but nonetheless, Cisco did enter into this agreement with us and they are moving forward with us and we’re trying to take advantage of that for our shareholders.

Obviously with any subscription business, really, the operating leverage is pretty strong.  I’m just wondering what sort of margin you would get if you did manage to get to $100m US in revenue, which is your aim.  What sort of margin are we looking at? 

It’s pretty high, Alan.  In terms of the commercial models that we’ve got, there’s a sort of combination of different ways that we can go to market.  But for us, given that most of the investment that we’ve made is sunk, then in terms of gross margins it will generate – we would expect them to be up around 85-90%. 

And tell us about your cash position at the moment.  Your most recently quarterly that I looked at was for June, I haven’t seen the one for September yet, so you probably can’t tell me because you haven’t released it…

Yes, it’s coming out in a couple of days.

Are you still burning cash right now?

We are, yes.  Basically, we’re burning about $2.5 million dollars a quarter.  The board, in going to the market in May to raise the money, a lot of time and effort has been put into the relationship with Cisco and the board at that stage decided that it didn’t make sense to try and raise a large amount of money until that agreement had been put in place, which was then consummated in July.  In our, operating update or in the slide for the company, the annual results.  We indicated our three-year plan is to take the business to $50 million dollars and there’s probably another $15 million dollars of investment required to be able to fully realise that opportunity that we’ve got. 

The board tomorrow, at the board meeting we’ll be considering what is the next steps in terms of the capital structure and funding for the business and we need to be able to demonstrate for the shareholders that they’re making enough progress and that the upside that we’re calling out there is still there and that it continues to be a good investment for shareholders to invest in this business.

It sounds like you’re talking about another capital raising?

Potentially, yeah.  Obviously, the board has to make those decisions but in order to fully prosecute the opportunity, more money will be required to take full advantage of the global scale and opportunity that we have.

Unfortunately, the share price has been sinking this year.  You got up to 35-36 cents in February, but you’re down to below 20 now.

That’s right, Alan.  We just sort of look at it off the back of the initial OEM announcement, we did see a kick in the share price.  Since then, the share price has come down.  One of the challenges that we have operating in this space that we do is that there is some pretty reasonable handcuffs in the commercial arrangement that we’ve got about what we can say externally in the market place around our agreements and the engagements that we’ve got with potential customers moving forward.  That’s one of the challenges that we’ve got that, that there’ll be an operating update that will come out this week off the back of the 4C as well and I know the directors are talking to the shareholders and getting their feedback on the way forward, but it has been a challenge. 

Our revenue is still growing and still has an element of unpredictability to it, so we still have the characteristics of a start-up even though the company operated as a private company for 10 years.  Those things need to be worked through and I know the board and I know myself were having a number of conversations with shareholders and putting the investment case and also getting that feedback on the way forward.

Poor old Scott and Greg have been diluted down to 10% each, they must be thinking, crikey, we don’t want to have another big raising now, 20 cents will be delivered well-down.

No, they probably don’t, Alan, but I think the question then becomes is, has the size of the price increased.  I think when they started out on that journey, even if you went back to the IPO and looked at what the potential that the Cisco OEM has done, you’re certainly true that there has been some dilution down.  If you think about global markets and sort of thinking, we went onto the public markets relatively early in our journey, we’re probably only somewhere between what would normally be a B and a C round, raising against companies of comparable aspiration globally.  There has been some dilution and resetting and that’s plaid out in a public environment where normally that would play out behind closed doors in a private environment as investment came and you re-rated moving forward.  My only answer for that at the moment would be they’re diluting down for a size of a bigger pool.  

Yeah, possibly wishing that they’d stay private!

[Laughs] Yes, well they’d have to comment for themselves, I can’t comment on their behalf obviously. 

No, of course not, but it’s been interesting talking to you, David, thanks a lot.

Alan, thanks for your interest and we appreciate you giving us some time to talk about our company.

That was David Kirton, the CEO of FirstWave Cloud Technology.