Cybersecurity: Trust No One
Cybersecurity attacks have been growing more sophisticated in recent years, making headlines with major breaches that have compromised the personal information of millions. However, beefed-up spending on security hardware and software has done little to stop cybercrime, as more than 90% of successful breaches result from either human error or complicit insiders. Moreover, very few enterprises have the skills or resources needed to effectively deploy more than basic technology against incursion, and organizations strongly resist the stringent policies, disciplined enforcement and extensive user training that would be the most effective defense. Luckily, basic protections are falling in price and being integrated into general-purpose systems, while the coming credit card tokenization may eliminate one of the most tempting targets for thieves. Moreover, SaaS application and IaaS hosting providers bring significant cybersecurity firepower to protect the client data in their care, relieving overtaxed IT departments as enterprises shift their focus to the cloud. With Gartner projecting that global security hardware and software spending growth will slow to just 6% through 2019, we believe consensus expectations for the 13 cybersecurity specialists with cap over $800M are optimistic, and, despite the substantial sell-off over the past 6 months, we believe the stocks are generally overvalued. We are particularly concerned for companies with expectations for meaningful sales acceleration (VRSN, FFIV, QLYS), companies expected to sustain hyper-growth over the next 3 years (FTNT, FEYE), and companies expected to significantly expand margins in an increasingly competitive sector (CHKP, SYMC, VRSN).
- Hackers gonna hack. 2015 saw 781 high-profile data breaches in the US, the 2nd most since the ITRC started tracking them in 2005. Theft for financial gain remains the overwhelming motivation, despite growing fear of hacktivism and state-sponsored cybercrime. Increasingly, hackers are part of highly sophisticated organizations, able to quickly monetize breaches. Credit card theft is waning on heightened financial industry attention and should decrease further as tokenization becomes commonplace. In its place, social security thefts, which enable many avenues of illegal gains and are much more difficult for consumers to discover and resolve, are the new threat, with 164.4M records stolen in 2015, accounting for more than 40% of total breaches. In all, the annual cost of incursions is estimated at $400B by Lloyd's of London, which last year underwrote $2.5B in policies to protect against cybercrime.
- IT security spending ineffective. Spending on data security hardware and software has grown at a 9.5% rate over the past 3 years to little avail. Almost all organizations now protect their networks with basic measures – firewalls, anti-malware protections, spam filters and VPNs – products that are now largely commoditized. More elaborate defense tools are expensive and require dedicated skilled personnel to deploy and monitor properly. Few enterprise IT departments have these resources. In this context, spending on security products slowed in 2015, according to Gartner, and is expected to slow further in 2016 and beyond.
- The problem is people. More than 90% of successful breaches rely on human error or complicit insiders, bypassing external defenses through social engineering techniques, like phishing, to install malware that facilitates data theft. The best way to combat these approaches is through tight security protocols, disciplined enforcement and extensive user training. Unfortunately, the safest policies are also the most intrusive on employees and most organizations find enforcing them extremely difficult.
- Some help is coming. Moves toward credit card tokenization and biometric authentication make certain forms of cybercrime much more difficult and far less lucrative. We also believe that the shift toward SaaS applications and IaaS hosting has important advantages for data security:
  1. Homogeneous architectures that are MUCH easier to defend than enterprise nets.
  2. Proprietary security software that is more difficult to probe for vulnerabilities.
  3. The best security talent in the industry designing their security systems and policies, and available to quickly address threats.
  4. Much greater discipline than enterprises in administering sound security policy.
  5. Massive amounts of usage data for threat assessment analytics based on cutting-edge AI techniques and huge computing resources.
  6. Security is included within most SaaS and IaaS bundles, reducing costs.

  Given all of this, we believe security concerns will hasten the migration to the cloud, with high-risk applications, like e-mail and customer record keeping, particular candidates.
- Security stocks risky. In this context, spending on commercial security hardware and software has begun to decelerate, with 6.4% annual growth forecast through 2019. This is in contrast to the 17.8% growth expected by consensus for the 13 largest security product specialists for 2016, every one of which is expected to expand margins as well. The market is even more bullish, assigning a rich 4.9x sales multiple to that group despite sharply slowing growth in 2015. Broadly, this is far too optimistic. Similarly, security products are a major part of the resurrection narratives pressed by old paradigm names like IBM, CSCO, JNPR, INTC, and EMC. We are skeptical.
- The biggest losers. We see risk outweighing opportunity for the group, with particular caution advised for stocks expected to show a sharp reacceleration in sales growth – VRSN, FFIV and QLYS. We are also concerned for high-multiple data center security appliance makers expected to sustain their recent growth rates despite a deteriorating market – FTNT, FEYE. Finally, we are skeptical that older, slower-growing security names – CHKP, SYMC, VRSN – can deliver against projections of sharply higher margins.
- While we see the cybersecurity market stalling, PANW and CYBR have been significant share gainers that have been able to buck recent trends toward deceleration and quarterly disappointment. Moreover, with traditional IT vendors like IBM, CSCO, and others looking to security as a growth driver for their otherwise moribund businesses, M&A remains a very realistic outcome for companies perceived as leaders. We also note that the inability of most enterprise IT shops to cope with the challenges of a holistic security strategy opens opportunity for third-party security services, a category projected to grow at a 9% CAGR. Here there are no pure-play investments, but larger IT services organizations like ACN could see a boost.