Cybersecurity has become a top concern among corporate executives and national leaders. Events such as the hacking of the US Democratic National Committee, and also multiple high-profile data breaches over the last few years have raised a whole new set of issues. Furthermore, the pace of malware growth has been accelerating over the past few years. The average time it takes to detect these attacks can be several hundred days, and lack of rapid discovery could significantly hurt the corporate earnings and reputations of the affected enterprise. A study by Allianz estimates that cybercrime costs the global economy USD 445 billion annually.
Cybersecurity spending expected to grow at 7.5% per year
The mitigation needs for cyber risk led to a spending boom for IT security in 2014/15, with growth accelerating from 2.5% in 2013 to 9% in 2015. The surge in spending lifted most boats, but the aftermath was a deceleration in growth in 2016. Now, we think we are seeing growth stabilising. Cybersecurity spending is estimated to grow at a lower but steadier rate of 7.5% a year through 2020, to reach USD 114 billion, still more than twice the rate of overall IT spending. Near-term, several third-party research surveys highlight that security software ranks as top priority for CIOs (chief information officers).
We see three factors driving growth in IT security going forward, such as: 1) cloud computing, 2) the growing complexity and impact of cyber-attacks due to increased connectivity (mobility, Internet of Things, etc.), and 3) new regulation and public spending initiatives.
1) Cloud computing will transform cybersecurity
The increase in cloud computing adoption will have meaningful technical and economic ramifications on most areas of software, including the cybersecurity market. The shared nature of the public cloud is driving demand for unique security and data encryption needs. Naturally, security software vendors are adapting their offerings to this growing field with bespoke solutions. However, the shift to the cloud is also creating new potential long-term competitive dynamics and consolidation potential among security vendors. Then, the more homogenous nature of cloud architecture makes it less vulnerable to attacks, compared to systems that have a number of different products from different vendors tied together. Nevertheless, cybersecurity vendors are currently benefiting more as cloud computing is increasing IT security consumption. In addition, public cloud companies are also partnering with security software companies to provide greater protection and ease customer concerns on security matters.
2) Growing threat complexity and rising connectivity
The continuing evolution of threats and attacks on IT systems is another major factor driving the need for cybersecurity. Cybercriminals are becoming more sophisticated and well-resourced. Unique malware discoveries in 2015 jumped 36% over the previous year, to over 430 million new pieces of malicious software, while instances of stolen identities increased 23%, according to Symantec. Though malware, spam and phishing attempts have grown in number, such attacks have usually been controllable from a security perspective. What’s new is the increasing number of threats which are unknown at discovery (so-called ‘zero day threats’ exploitations), and make it challenging for enterprises to proactively fight them. Furthermore, the increased adoption of Internet of Things (IoT) devices is creating millions of new network endpoints, spawning fresh risks. These devices, from webcams to wearables and to internet-connected cars, are expected to reach almost 21 billion by 2020, versus six billion in 2016, according to Gartner. Looking forward, IoT attacks are set to increase, as vulnerable and poorly-secured IoT devices might be infected with malware and be used in a botnet – a number of Internet-connected devices, each of which is running one or more bots (i.e. software applications that run automated tasks over the Internet).
3) Regulation and government spending initiatives
Enterprises in the US have increased cybersecurity spending partly due to regulatory pressure over the last years. Data protection laws that have already been introduced or that will be implemented over the upcoming years in Europe and the Asia Pacific region are expected to accelerate spending on IT security solutions in these parts of the world as well.
We believe cybersecurity has become one of the most defensive IT spending items for enterprises as they have to safeguard their growing digital assets from rising malicious threats. Longer-term, we believe the most attractive areas of security will be those that offer tools and services to help improve the manageability of security architectures.
Winners: vendors which bundle various security tasks
With an increasingly complex IT infrastructure comes a need to simplify the management and protection of it. Trends point towards a platform approach whereby one vendor ideally covers all security needs with one single solution. This is certainly a very difficult endeavour, and has yet to be effectively achieved. Winners will be vendors which offer top working platform solutions, or which can consolidate others’ solutions. We believe we will likely see increased acquisitions going forward.
On the one hand, we believe that public cloud usage will increase strongly, and as such also the need for security solutions. On the other hand, the tail risk is that cloud vendors may capture cybersecurity demand growth from dedicated cybersecurity companies with solutions fully contained within their cloud offering, as some of the market transitions to public cloud providers.
Further market consolidation on the horizon
Furthermore, older cyber threat prevention methods never become obsolete, but rather new ones are needed and being added. As the trends point towards a platform approach, this could lead to industry consolidation and possible M&A in order to deliver one-stop-shop solutions. The dynamic cybersecurity market has introduced new solutions over time, but the old solutions are still relevant, even if their growth subsides. This presents not only opportunities for hyper-growth stocks, but also value names.
To conclude, the cybersecurity industry is far from maturity. Many new companies with new approaches and technologies are constantly emerging. We therefore recommend that investors take a diversified approach due to considerable volatility, consolidation potential, and technology risks, as the industry follows the constant arms race of attacker against defender.