TheSecurityAnalyst

I am gratified by the encouragement and response from the thousands of unique visitors to the site, TheSecurityAnalyst.com since I started it in May.  We also appreciate being picked up by Seeking Alpha at the end of June, which multiplied the readership.  I would note that since our last blog, two items of interest have popped up for investors who have been reading our missives:  (1) Brinks has announced the it will host its Q2 conference call on Thursday, July 31, at 11:00 a.m. (ET) to review second-quarter results – with keen interest focused on the pending spin-off of Brinks Home Security, and (2) the announcement by L-1 Identity Solutions on July 22 that its combination of Passport Card and U.S. Border Crossing card prime contracts had virtually doubled in value since the original announcement in March — to $239 million over five years—underlies our contention that U.S. driver license and border card programs are going to consolidate more rapidly and grow much larger than observers are expecting.

So with all these events developing, it with great anticipation that I announce, that as of tomorrow, I will be coming on as a managing director at Imperial Capital, a leading investment bank in the security industry.  This anticipation comes from joining a firm with such smart people, which has been so highly successful in the niches on which it has focused — one of them being the security industry.  Perhaps the one regret is in announcing that as of now, there will be no further contributions by me to this web site –TheSecurityAnalyst.com.  However, it is the intention that my current blogging can eventually continue at Imperial, as readers of TheSecurityAnalyst.com will be redirected to a special subsection of the Imperial Capital website, which will contain industry information and comments that are reviewed and approved by Imperial’s Compliance Group.  So wait and watch for the date – I will still be out there providing fodder for users of information and those thinking about the security industry.  I also look forward to working with all my new colleagues at Imperial.

Imperial’s New York office telephone number is 212-490-0004, and its Los Angeles headquarters number is 310-246-3700.  Their website is www.imperialcapital.com.

Thank you all,

Jeff Kessler

I am gratified by the encouragement and response from the several thousand unique visitors to the site TheSecurityAnalyst.com since I started it in May.  Since being picked up by Seeking Alpha at the end of June, I have been swamped with requests for a listing of the earlier blogs on the industry that are not currently on the website.  So here is the complete listing of our blogs in reverse chronological order.

07/02 – In An Economic Slowdown, Government Contracts Become Important for the Security Industry.  Four security companies demonstrating good growth in a bad economy, thanks to strong Government contract flow: FLIR, L-1, ICx Technologies, and China Security & Surveillance.  (Note:  ICx announced today yet another contract for its “Cerberus” surveillance towers, this time its first from the Secure Border Initiative).

06/29 – Has Single-Sign On Finally Hit “Prime Time” With Security End Users?  We may be at the inflection point of improved technology and enterprise end user demand for single-sign on solutions as part of the convergence of physical and logical security systems.

6/26 – China Security & Surveillance: Go-to-Market and Strategic Leadership in Security in China.  The leading domestic security company in China has developed a huge advantage (no channel conflicts between its manufacturing, installation, integration and monitoring businesses), in the world’s fastest growing security market (independent of the Olympics).

6/23 – “REAL ID” Controlled by a Foreign Entity?  Safran S.A. Bids Against L-1 for Digimarc’s ID Business.  With all of the hoopla over personal privacy and REAL ID, we just thought it a bit odd that an foreign entity, 30% owned by a foreign government would bid against L-1 for Digimarc’s ID (drivers license) business.  Oh well, at minimum they forced a competitor to pay $50 million more.

6/18 – Guest Blog: Risk of Critical Failure in Monitored Alarm Industry.  Guest blogger, and long-time monitoring industry consultant Lee Jones emphatically warns against industry laxness regarding false alarms and the looming threat of non-response without verification.  His point:  “The alarm customer and the police, the two most critical segments of the infrastructure, have been abused. We believe the alarm industry is losing the loyalty of both parties. Without the loyalty of the customer and the police, the entire infrastructure as we know it today, could collapse. “

6/15-6/16 –  Do Not Ignore L-1 Identity Solutions As the ID Market Grows.  The identification market (along with biometric technologies) is now sprinting in its growth and here is the undisputed market leader – like it or not.

6/12 – Stanley-Sonitrol: Strategically Smart, But with Franchisee Relationships to Fix.  Stanley Works is becoming a legitimate security systems integration threat to the likes of Siemens, ADT, and Securitas Systems (recently renamed Niscayah), with its acquisitions of HSM Security and now, Sonitrol Management (the leading brand for verified, quick response by police).  However, Stanley has also acquired some very frayed relationships with Sonitrol’s significant franchisee system, which will have to be fixed.

6/10 – ADT’s Growth Strategy Unveils its Underestimated Integration Business.  ADT now comprises the largest single entity of any of Tyco International’s revenues and over half of its EBITDA.  We think Wall Street analysts are missing a key development underlying ADT – its already well-regarded and now growing systems integration business.

6/4 – BHS Steady State Cash Flow Still High, per SEC Filings.  As a follow-up to our June 2 blog, with the SEC filing by Brinks Home Security on its proposed spin out from Brinks, several investors asked us to recalculate the 2007 steady state free cash flow of the company (SSCF being the most important metric besides attrition).  Taking on its own corporate overhead, BHS SSCD for 2007 falls to 178.5 million (36.8% margin) from our previous estimate of $191.3 million (39.5%).  However, that is still way above the margin of any other public monitoring company and virtually the highest of any public or private company.

6/2 – Sonitrol: Can the Vaunted Franchise System & Brand Hold Together?  With rumors in the industry that the Sonitrol business was close to being sold by its private equity owners, we issued a warning to any buyer of this verified alarm leader:  Fix the relationship with the franchisees.

6/2 – Brinks Home Security:  A Brief Look at “The Surprises.”  On May 30, BHS filed a “Form 10” with the SEC, representing its preliminary pro forma financials as well as its ongoing relationship with Brinks Inc.  Along with the financial pro forma’s, there are two “surprise” issues which popped up in the filing (you have to dig to find them):  (a) the loss by BHS of its “Brinks” brand in three years and (b) the royalties that BHS has been paying to Brinks – over $30 million in 2007 — which were formerly not reported (or at least never seen by me).  The ongoing royalty payments fall dramatically, however.

5/13 – Somebody Needed to Love Protection One.  Protection One has a great management that has fixed a disaster and stabilized the company, the third largest monitoring business in the U.S.   However, a thinly traded stock, lack of growth and a balance sheet that won’t allow a lot of acquisitions has investors snoozing on this name.  We still think investors may be asleep at the switch on this one.

5/13 – Video Standards That May Finally Mean Something.  On May 12, a consortium of Axis Communications, Sony and privately-held Bosch – three of the leading names in video surveillance, formed a group aimed at developing a standard for the interface of network video products. Currently, while there are video compression standards (MPEG-4, and the new H.260), there is no global standard defining how network video products such as cameras, video encoders and video management systems should communicate with each other.  Note: This blog actually generated a lot of comments around why it has even taken this long for open systems to emerge in video, along with skepticism that proprietary video systems (which are maybe good for individual companies, but bad for overall industry growth), can be “overcome” any time soon.

5/13 – FLIR Systems and Axis AB:  A Tale of Two Video Technology Companies.  Axis Communications (Axis AB, based in Lund, Sweden) and U.S. based FLIR Systems are the two leading companies in their respective technological niches in the $7 billion video surveillance industry.  Axis is the leading provider of IP network video cameras, while FLIR is the leading provider of infrared cameras for surveillance and thermographic (temperature control) use.  Unfortunately, for Axis, a couple of its key commercial markets are slowing due to the economy – and hurting its stock.  Fortunately for FLIR, its Government business is booming, as is the rapid expansion of infrared in non-military use – helping its stock.  We like both companies; investors will have to talk to their analysts to make their own timing choices.

The writer current holds positions in L-1 Identity Solutions, ICx Technologies, and is considering a position in China Security & Surveillance.

It is ironic that we have been writing for years that Government contracts are very important for the security industry, but ultimately most of them –even the largest – should mostly serve as beta-tests and reference sites for what should be a much larger industrial/commercial and institutional market.  Over the long term we believe commercial/industrial contracts are steadier and involve greater recurring revenues.  But, of course, during economic slowdowns it might just be a big help to depend on those Government contracts.  Some of the companies we have written up in our blog are doing just that – accelerating their Government business.  Whether it is the slow, but inexorable movement to improve identity management here, or protect sensitive domestic installations and ports, or to protect troops in the war theater, the companies that are winning these contracts (especially those smaller companies winning subcontracts and branding themselves in the process) are actually doing quite well in a bad economic environment.

Below we detail four security companies in the security industry, three on which we have written blogs, and one which we covered in a “past life,” which are likely to at least meet, and possibly beat estimates or management guidance, simply because their Government  contract momentum is so strong.

FLIR Systems.  The first, and perhaps most obvious beneficiary to Government contracts in the security industry this year is FLIR (see “FLIR and Axis AB: A Tale of Two Video Technology Companies,” published May 13).  Although our long-term investment case on FLIR is built on lower sensor costs accelerating demand in commercial, security, and civilian markets, it is military orders that have driven the stock up (37% year-to-date), and analysts’ estimates with them.  Indeed, one might speak of an avalanche of military orders, eight since late May, including the largest, a $358 million revision to an IDIQ (indefinite delivery indefinite quantity) order for the U.S. Army.  The orders range from infrared cameras on military vehicles, Coast Guard helicopters, surveillance airplanes in Colombia, medium-range thermal binoculars, and sensors to go on sensor-studded 8-10 story towers that the Army wants to have in Iraq and Afghanistan to protect each company of soldiers.  Those orders are part a two-year, $1.5 billion program called Base Expeditionary Targeting and Surveillance Sensors-Combined (BETSS-C).  FLIR’s current consensus estimates are $1.27 in 2008 and $1.46 in 2009, but that consensus is rising even as we write this blog.  The only questions for FLIR are what is the proper P/E on 2009 estimates, and are those estimates taking into account the tough growth comparisons they will now face for 2008.  For analysts, there is always something to gripe about.

ICx Technologies.  Another beneficiary of the BETSS-C program is ICx Technologies (ICXT), a company which we have covered in the past, but only now are writing the first blog, has also just won a series of new contracts.  ICx, though small (consensus estimates are $180 million for 2008), has nevertheless become the leading independent provider of small explosive/radiological/biological detection equipment, radar and infrared surveillance technologies, and “integrated solutions” combining the above.  ICx’ announced on July 1, that it had won a $14 million contract under BETSS-C for its “Cerberus” surveillance towers on which the sensor technologies from other companies (like FLIR) will be mounted.  Given the size of BETSS-C, we doubt this is the last order we will hear regarding ICx and FLIR.  However, ICx is also far more than its towers – indeed most of the attention from the investment community centers around its “Fido” handheld explosives detection devices, including its unique patented ability to detected hydrogen peroxide—based liquid explosive, where in May it won a $5 million contract from the military (Robotics System Joint Program Office). Nevertheless, ICx has just shocked at lot of folks when its Solutions division also won a $15.6 million contract at the end of June to manage an “intelligent transportation system: for Orange County, California.  The ICx contract includes installation of a real-time, bus-arrival passenger information system, preliminary design of a signal priority system and signal system enhancements to improve arterial operations.   Analyst consensus for ICx are for revenues of $180 million in 2008, with a GAAP loss of $0.72 per share and breakeven EBITDA.  Consensus estimates for 2008 are for $238 million in revenues, $0.10 per share in earnings, and EBITDA of $33-$35 million.

L-1 Identity Solutions.  We have recently written in-depth about L-1 Identity Solutions (ID), the leading provider of identification solutions (“Do Not Ignore L-1 Identity Solutions as the ID Market Grows,” published June 15).  We strongly believe there will be consolidation among several of the long lineup of  U.S. and international identification programs now being implement and that L-1 (with the Digimarc acquisition in hand) will have a major role in many as a subcontractor or as a prime contractor.  Moreover we refuse to believe that the  highly publicized ID programs — PassCard program at the national level and Real ID at the state level — are going to be limited to their current budgets in the $220-$350 million range.  We are convinced there will be far greater dollars spent in these “regional” and “state-by-state” programs than what is budgeted today…  Finally the consolidation of identification programs should affect nearly all domestic initiatives from HSPD 12/24, to PassCard, to Western Hemisphere Travel Initiative, to US-Visit, to TWIC, Real ID, to Sarbanes-Oxley, to HIPAA, and war theater and defense identification.  We also believe there will be consolidation of Gulf States national identity programs, Latin American voting and ID programs, and even to Indian tax card and ID programs.  To get to the heart of the matter, we believe that both the “updated” drivers license and military identification programs are going to have a positive effect on L-1’s results in 2008.  Indeed, the company announced on June 27, a $5 million contract delivery for its HIIDE (Handheld Interagency Identity Detection Equipment), the company’s well regarded multi-modal biometric (iris-face-finger) handheld ID unit (customer not announced, but we assume it is the U.S. military), which we also assume will have follow-on orders.  Company management has guided to $670 million of revenue in 2008 (all numbers are pro forma, assuming the acquisition of Digimarc on January 1, 2008), EBITDA of $110 million, and a backlog of $1 billion.  Most recent analyst consensus GAAP estimates are for $0.15 in 2008 and $0.35 in 2009.

China Security & Surveillance.  Finally, we would again mention China Security & Surveillance (CSR) as a perfect example of a company where Government programs are driving revenues, even within a country that is trying to slow its economy down (“China Security & Surveillance: Go-to-Market and Strategic Leadership in Security in China,” published June 26.)  Although over half of the company’s revenues are in the commercial sector and subject to a planned slowdown in China, the percentage of growth from Government programs is growing rapidly.  While the company has won large contracts in the cities of Yinchaun, Jining and Qungzhou City, our sources believe there will be a series of $10+ million-sized contracts coming over the course of 2008 into 2009 which will be more typical of the types of contracts to be won.  The company just won its first two projects in Beijing, and we believe that government projects, once scaled up and proven out will lead to more commercial projects as well.

The author has a position in L-1 Identity Solutions and ICx Technologies, and is considering taking a position in China Security & Surveillance.

We’d like to thank our special “guest” assistant and end user sources for help on this blog.

SSO Becoming a Key Security Convergence Component.  With chief security officers at enterprises finding that physical security and IT infrastructure becoming more and more complex and harder for individual departments to manage, so-called “Single-sign On” (SSO) has become a hot topic in the IT world, leaking out to the physical world, as well.  Just like video analytics, SSO is not a new notion, nor has it been immune like video analytics from hype and subsequent end user disappointment.  However, the growth of SSO use among end users who accept what it can and cannot do, (similar to the growth of video analytics),  based on more realistic notions of what it can an cannot do, has created a much more accepting user community for the technology.  This is an important take-away as we begin to look at the market, the companies providing SSO solutions, and the possibility of who might want to team up with, or even acquire the better SSO providers.  We would reiterate, while we don’t ultimately view SSO as a “industry” unto itself, we see it as one of the very key components for end users in the move toward convergence between physical and logical security.

Compliance, Efficiency, Security and Total Cost of Ownership.  Not only can single-sign on help an organization in regulatory compliance (i.e., HIPAA and SOX) but it can also lower the total cost of ownership (TCO) of the security systems infrastructure being considered for upgrade or new installation.  For those that are just getting up to speed on this, SSO is a method of authentication which allows a user at the enterprise to log on to the security infrastructure once (primarily IT today, but becoming increasingly converged with physical systems) and gain access to multiple security systems without being prompted multiple times to “log on.”  By logging into the infrastructure once, the individual systems can take the infrastructure authentication and automatically apply it to their own individual authentication systems.

SSO environment can benefit a CSO along with their IT and physical security departments in many ways.  It can limit the complexity of the user provisioning process, if user information is stored in a single central area.  IT Departments will have more time to focus on pressing and high risk issues – for inst, as having an SSO can limit the number of help desk calls. (User: “Hello, I’ve forgotten my password to XYZ application”). This in turn can reduce IT costs. Additionally, (which is everyone’s favorite benefit) having an SSO will significantly decrease the amount of passwords a user is required to remember.

More benefits to SSO include Compliance Reporting – If all user data is in a central place, I can get a single report from the SSO environment rather than having to get one from each individual application.  This, in turn, reduces end-user time as they don’t need to log on every time.

Another important aspect of SSO is the “push” it gives to the convergence of logical and physical security environments.  Many SSO software packages allow for physical and logical security to work seamlessly together.  When a user’s access is terminated in the SSO environment, their physical access card can be automatically disabled, as well.

The ROI Issue. A recent end-user study by Spire Security LLC, found that SSO generated ROI by (1) substantial reduced costs and improved efficiencies on existing accounts, (2) reduced costs on new and departing employee account management.

The Hurdles that Have Prevented Major SSO installations up until now. 

So why hasn’t an obvious benefit to convergence been implemented en masse up until now?  The biggest and most obvious bugaboo for SSO is security.  Primary among them is authentication.  SSO environments must incorporate some sort of strong authentication mechanism. Without strong authentication mechanisms, risk of a security breach might be increased exponentially. For instance, if strong password settings are not established in the SSO system, a ‘hacker’ who discovers the IT administrator password could possible have a ‘key to the kingdom” and gain high-level access to not just the security system, but theoretically nearly all of IT systems.  This is why from a CSO’s point of view, reference-site based proof of strong authentication is so important. By implementing authentication mechanisms, such as smart cards, RSA key fobs, and biometrics, these risks to giving up the “keys” can be minimized.  The mechanisms for doing this are beyond the scope of this blog, but are certainly available from numerous consultants, ranging from individual practitioners like Steve Hunt to giant consultants, like KPMG.

One of the responses to the “keys to the kingdom” argument has been that SSO providers also provide much stronger password protection protocols, including eliminating common password selections, and various means to permanently prevent users from writing down passwords.  The mere fact that end users can focus on one password, one sign on , can eliminate the common passwords and ID’s that come from user-password overload.

Complexity.  In addition to the risks – and partially because of them, SSO environments are becoming increasingly complex and complicated to set up.  Typically organizations do not have a homogeneous IT infrastructure, and probably and even more piecemeal physical security infrastructure.  My former organization is a true leader in attempting to integrate logical and physical security, and yet that is a task that is far from completed.  An organization may employ multiple applications, on multiple types of environments with multiple security settings and parameters for both physical and logical security.  We have found in talking to end users that too many IT departments still treat each of these environments as silos and may lack the understanding on how to incorporate authentication technology between them – and this is before even tackling the physical/logical convergence issue.

Conclusion:  Despite the continued challenges of complexity and security facing end users implementing single sign-on, we believe we are now at a level of maturity, integration, and end user acceptance that we have not seen before.  We think after hearing about it for a decade, and watching large numbers of venture and private equity investors waiting (…and waiting) for returns on their investment, the time for this segment appears to be arriving.  We would not be surprised to see a wave of joint ventures and industry consolidation.

Here is a short list of companies that offer SSO, along with their leading investors:

Private Companies and their Major Investors:

Imprivata: (SAP Ventures, Polaris Venture Partners, Highland Capital Partners

Sentillion: (HealthCare Specific): Merrill Lynch Investors, Dresdner Kleinwort Capital,

            First Consulting Group, Intersouth Partners, Newbury Ventures

Passlogix: Hanseatic Corp., Union Square Ventures

Enterasys: Gores Group LLC, Tennenbaum Capital Partners

Courion: Questmark Partners, Riggs Capital, JMI Equity

Shibboleth: Internet2 Middleware Initiative, under the National Science Foundation

MetaPass: Sunnyvale, CA

Atlassian : Sydney, Australia

Public Company:

ActivIdentity (ACTI)

Divisions of Larger Public Companies:

Microsoft (Identity and Access Management Series)

CA (Identity & Access Management Solution)

Hitachi ID Systems

Novell

Oracle

SAP

In one of the more bazaar moves we have seen, Digimarc has announced that it has received an unsolicited offer of $300 million in cash for its ID Systems division from Safran S.A., (the French parent of Sagem).  This tops a bid by L-1 Identity Solutions for $250 million, about half cash, half stock, in a transaction that was expected to close soon.  But, why is Safran S.A. (Paris:SAF) even bothering to make this bid for the ID Systems business of Digimarc (with nearly $100 million of revenues)?  With all of the grumbling about L-1 (or anyone, for that matter) controlling the information on “biometric” drivers licenses, and all of the current political fallout going on regarding the REAL ID program (based on Federal guidelines for information, authentication, and interoperability), it would seem insane to me for a foreign company to try to take over a company that will be involved in identifying U.S. citizens.  

Better yet, Safran is 30% owned by the French Government.  Won’t it be interesting for the Digimarc board of directors if someone were to poll the 30 states serviced by Digimarc — asking them how they felt about a foreign entity processing their drivers licenses, especially with the REAL ID program slowly, but inexorably making its way on to the scene?  If REAL ID is controversial now, is it even viable under this scenario?

While we can see some strategic reasons Safran might have for acquiring Digimarc’s ID business (diversifying beyond AFIS, building an international ID card business), the relative strategic benefit is far, far greater for L-1, in our opinion.   So is this bid by Safran just to just to make L-1 sweat and pay more, to sap its cash reserves so Safran can go after another target and NOT have L-1 as a competitor?  Is it because Safran believes that “money talks, nobody walks” and that a big cash offer at a premium will convince the Digimarc board to sell to them, take their money and run, and then leave all the inevitable political firestorm to Safran?   Anyone with a computer and the ability to receive “Google Alerts” can see the resistance by a vocal minority of state legislatures to REAL ID (granted, we believe that much of that opposition is related to money and not pure principle over privacy), and by individual groups over any one entity controlling personal privacy information.  If one thinks all of the articles screaming how “terrible” the REAL ID program is to privacy, or about how too much personal information is going to be on a drivers license (i.e., the “de facto National ID card”), think of what happens if under the threat of Safran S.A. manufacturing and servicing those cards.  All of a sudden, L-1 becomes a patriotic symbol and Bob LaPenta a hero, whether intended or not.

I don’t know if there are any “U.S.” only rules surrounding states’ drivers licenses and REAL ID, but I have to assume that a foreign entity owning the Digimarc ID business will create huge problems with some in the government, in the press (what happens if Lou Dobbs gets his hands on this?), and with special interest groups — even if Safran promises that all manufacturing and production in the U.s. will be done solely by its U.S. subsidiaries.  While I am not the biggest fan of one company (L-1) controlling 90% of the drivers license production, I certainly don’t see the rationale behind this bid by Safran. 

What does this all mean for L-1, which we profiled in a June 16 blog?  Yes, we believe that L-1 can muster the cash resources to fend off this bid.  And yes, we believe that L-1 is by far the best positioned company strategically to understand and integrate Digimarc’s ID Systems business and people, because they play and compete in the same space, and talk the same language when it comes to state drivers licenses.   But unfortunately, we now believe the bigger risk to L-1 is not Safran, but the possibility that another, larger U.S. integrator, noticing this “circus” for the first time, now becomes interested in Digimarc and pays its own “stupid” price (1) simply because it can, and (2) for the sake of its own strategic positioning.

Due to technical difficulties, the fifth paragraph of last night’s L-1 blog did not appear in full, missing several sentences (the paragraph immediately after the headline: Consolidation Seems Logical to us Among US Identification Programs).  The blog has now been edited to reflect the additional sentences to the paragraph which explains our views on the consolidation we expect to  see among some of the identification programs now making their way across the American landscape.

Jeff