Investing in Modern Cybersecurity: A Portfolio For The Future
In the concluding episode of this five-part series, we round up analyzing the cybersecurity world, hypothesize about cybersecurity's future, and see how the market dynamics are about to change. Moreover, we comprehensively compare legacy to new-generation players and provide various backtests to pinpoint the best investment opportunities for the years to come.
Data security & Cybersecurity Services: less hype, astronomical growth
Data security, which includes encryption, erasure, masking, and recovery, is carrying a mission-critical status as data generation is set to quadruple by 2025.
Services cover a vast range of cybersecurity-related sectors that rely on a qualified workforce and not necessarily on specific technologies, e.g., disaster recovery and consulting.
Data security is among the highest growing sectors (~22% CAGR), albeit a modest $5bn addressable market compared to the slower-growing (~10% CAGR) mammoth $160bn services market. Both sectors offer limited pure-play opportunities.
The Future ahead: intensifying M&A and arrival of quantum
The sector has always been dynamic in terms of M&A. Larger companies acquire startups for specific capabilities, while legacy "losers" such as Norton and Avast merge to delay their collapse.
Brute-forcing encryption is not realistic with current computing power but is with quantum computing (parallel calculations). The industry must work on quantum-proof algorithms while practical applications are at least a decade away.
Quantum may also be used for communications. Such an application has already been tested on a handful of occasions. Today, less than a dozen companies offer commercial quantum communications, including Geneva-based ID Quantique.
Portfolio for the future
Investors must be exposed to new-generation players if they wish to capture the potential of the modern cybersecurity universe.
New-generation players are set to experience higher revenue growth, margin expansion, and much more solid and consistent cash flow generation.
Investors must focus on cybersecurity stock purity, specificity, and quality to ensure that their modern cybersecurity portfolio captures the numerous drivers and catalysts we outlined in the previous issues.
Data security & Cybersecurity Services: less hype, astronomical growth
As businesses continue moving to the cloud and the data they generate is set to quadruple by 2025, they understand that they cannot skimp on data security. To be precise, data stored in the cloud is projected to reach 100 zettabytes by 2025 (which, for ease of understanding, equates to ~59.5 quadrillion photos). Not surprising, the sector is on a path to reach a $5bn TAM by 2026 growing at 22% CAGR.
To simplify, data security protects digital data, mainly stored in databases, from predominantly unauthorized users' destruction or damaging actions. Data is essentially why we need cybersecurity, and it sits at the heart of the modern cybersecurity ecosystem.
Data security concentrates on four main areas:
- Encryption. Using an algorithm to transform data into an unreadable format that can be "read" only if the user has encryption keys. Most players in this niche concentrate on coming up with new algorithms and storing/managing security keys.
- Data Erasure. It is essential to understand that on the cloud, data cannot be erased in a typical way, as there is no way to ensure that every copy is permanently gone. A person would need to possess every storage device with a copy and destroy it. If physically securing all the hard drives with all the copies of the data that needs to be erased is unrealistic, data erasure comes in. It is more secure than standard data wiping as specialized software completely overwrites data and verifies that the erased data is unrecoverable.
- Data Resiliency. It focuses on how well an organization lives through and recovers from any cybersecurity incident, as the speed of recovery becomes synonymous with money and losses: reputational and direct costs of data loss.
- Data Masking. A more niche sector of data security focuses on dehumanizing data, i.e., deleting all personally identifiable information from the datasets so that companies can train their models using real data, e.g., training artificial intelligence-powered credit scoring models.
To solve all the challenges in the four areas above, data security players focus on the following main techniques:
- Centralized monitoring helps companies understand where data resides, track who has access to it, and block high-risk activities and potentially dangerous file movements.
- Data discovery and classification tools look for data across all repositories, including databases, data warehouses, big data platforms, and cloud environments, and automatically identify sensitive information and assess and remediate vulnerabilities.
- File activity monitoring tools analyze data usage patterns, enabling security teams to see who is accessing data, spot anomalies, and identify risks.
- Finally, physical security and backups (both local and remote) ensure that facilities are secured against intruders, fires, accidents, or any other event that may compromise them.
Nevertheless, the number one reason for compromised data is human error - both unintentional and due to hacker manipulations. Training employees in enterprise security is essential for good security practices and decreasing the risk of social engineering attacks. Training and workshops are crucial elements for comprehensive cybersecurity. This is where cybersecurity services come in.
Services' $160bn TAM extends over a vast range of cybersecurity-related sectors that rely on a qualified workforce and not necessarily on specific technologies. Services include companies that offer educational workshops for employees, consulting services that help companies set up cybersecurity measures, or other more niche services used, for example, in law enforcement.
Disaster recovery services, else known as "Disaster-Recovery-as-a-Service" (DRaaS), are responsible for protecting applications and data from natural disasters and human disruptions. DRaaS offers full recovery in the cloud and provides standby computing capacity to recover cloud-based applications.
Consulting services, as the name suggests, help guide companies through cybersecurity tools and their digital environments to develop the best cyber defense plan. Should companies wish to outsource the setup and management of cybersecurity solutions completely, they may use services of "managed" services providers. Indeed, with a constant shortage of cybersecurity specialists, only a few people and businesses have the knowledge or the resources to deploy and operate the new generation solutions. As seen on the diagram, managed services (outlined in orange) provide the people and expertise to implement cybersecurity solutions in all key areas, e.g., network, endpoint, application, and threat intelligence.
Finally, digital forensic services focus on identifying, preserving, analyzing, and documenting digital evidence to present it in a court of law. Given that it deals with courts, digital evidence must be handled very specifically to be accepted, ensuring criminals have not tampered with it. However, the application of digital forensics extends to the business setting, as logs and records must be kept for both audits and thorough incident response processes.
Among the most prominent players, we note N-Able Inc with its Cove Data Protection platform. For customers needing a comprehensive solution, Cove Platform offers everything: backup, disaster recovery, and archiving. Being designed specifically for cloud applications, it can protect servers, workstations, and Microsoft 365 data both in the cloud and on-premises. With its 30 data centers worldwide, the company already protects >135K businesses and is projected to grow its revenues by 15% YoY.
We observe more established providers in the services market, such as Accenture, Infosys, and Booz Allen Hamilton, who offer consulting services to businesses and governments. However, the sector has also welcomed smaller and more niche players. Knowbe4, for example, specializes in educational workshops for employees to learn how not to fall victim to a phishing attack. At the same time, Chinese Xiamen Meiya Pico is an expert in the digital forensic segment.
The Future ahead: intensifying M&A and arrival of quantum
The cybersecurity field has always been dynamic in terms of M&A activity. Indeed, our cybersecurity universe includes approximately 100 publicly-listed companies and over 300 private companies and startups. It is pretty common for smaller and private companies to come up with new solutions for a specific niche and then get acquired by larger companies.
Additionally, other trends may be observed. First, private equity firms are acquiring listed companies, e.g., Thoma Bravo has acquired Proofpoint for $12.3bn and identity security platform Ping Identity for approximately $2.4bn. Secondly, legacy "losers" from the old world, such as NortonLifeLock and Avast, are merging to delay their demise as new generation players are quickly eroding their market share.
Speaking of the new generation players who are now considered market leaders - these players have little incentive to merge. However, should pressure from PE firms inflate valuations, it can create quite some volatility in case of failed deals, e.g., Darktrace.
Modern IT security relies on encryption to ensure safe communications that are not prone to eavesdropping. Current popular algorithms such as Advanced Encryption Standard (AES) or Rivest–Shamir–Adleman (RSA) rely on complex mathematical functions, e.g., integer factorization (decomposing a large number into smaller ones) or using prime numbers to add difficulty. This leaves no other choice to hackers but to either have the deciphering key, find a weakness in the device, or try brute-forcing solutions (submitting many passwords with the hope of eventually guessing correctly) to decipher encrypted data.
Brute-forcing is not realistic with current computing power. Hence those who want access opt to focus on stealing keys (fishing, human engineering, etc.) or finding other weaknesses. For example, in 2016 FBI wanted to unlock a shooter's iPhone in the San Bernardino case, and in the end, they had to buy exploits on the darknet to unlock the phone.
However, this will change with quantum computing, which schematically will enable brute forcing as quantum computers are massively parallel machines. They can submit multiple passwords simultaneously to arrive at the correct one much faster. The algorithm that can break the aforementioned popular encryption schemes, notably RSA, is already developed. Called "Shor's algorithm," it just needs the hardware to unleash its code-breaking capabilities.
Nevertheless, quantum hardware is at least a decade away from practical applications, and the existence of quantum algorithms is not an emergency. The need to develop and implement quantum-proof algorithms is understood, and quantum-proof standards are already being developed. One thing is certain - encryption algorithms will become much more faceted, increasingly complex, and more secure!
While the "quantum time bomb" is not expected to go off for the next ten years, it should not necessarily be a "bomb." Quantum may be used as an additional layer through quantum key distribution (QKD), i.e., "secure communication involving components of quantum mechanics which enables two parties to produce a shared random secret key known only to them, which can then be used to encrypt and decrypt messages." What is unique is that parties involved may immediately know that someone is trying to eavesdrop and get access to communication content.
While it sounds magical, quantum key distribution has already been tested several times. In 2004, a bank in Austria used QKD to complete a bank transfer, and the Swiss canton of Geneva used QKD provided by ID Quantique to transmit ballot results in 2007. Currently, Japan is testing a Tokyo QKD network.
Today, less than a dozen companies are offering commercial QKD systems worldwide; Geneva-based ID Quantique, New-York MagiQ Technologies, Indian QNu Labs, Australian QuintessenceLabs, Russian QRate, French SeQureNet, and German Quantum Optics Jena. Some other larger companies are also actively running research programs, such as Toshiba, HP, and IBM.
Portfolio for the future
The concept of cybersecurity is not new. It had existed since the '60s when we observed the first "password management" solutions. Since then, humans have come up with new defense measures every time there has been further technological advancement. The first virus triggered the emergence of antiviruses in the '70s, the complexifying network invited firewalls in the ecosystem in the '80s, and the emergence of cloud computing and the Internet of Things triggered the revolution in the 2010s. However, many players focusing on next-generation cybersecurity tools remained private. The market was saturated with a few evolving legacy players stuck in a quickly evolving environment.
However, the unexpected catalyst came in 2019 with Covid-19. The epidemic forced the world to instantaneously adopt the cloud and beef up their cybersecurity measures across all domains - from endpoints to networks, cloud, and threat intelligence platforms. Therefore, companies had no choice but to turn to the players with the next-gen capabilities and offerings. These players included newly-listed Cloudflare (IPO in 2019), Zscaler (IPO in 2018), CrowdStrike (IPO in 2019), as well as those players that were able to break the chains of the "old" world and innovate, such as Fortinet (founded in 2000, IPO in 2009) and Palo Alto Networks (founded in 2005, IPO in 2012).
The time dichotomy in demand for the old vs. new offerings is especially noticeable in stock performance, as shown in the chart below. We took our pure-play universe of a little over 100 names and conducted an equally weighted backtest over the past eight years, distinguishing between legacy and new-generation players. The results are self-explanatory. Both groups performed pretty similarly when cybersecurity was not at the top of everyone's list. When Covid-19 changed the paradigm, new-generation players, often cloud-native and adapted to the new reality, astronomically outperformed legacy players.
Moreover, if we repeat the exercise, but instead of equally weighting, we perform a market-cap weighted allocation, the spread between the two groups becomes even more significant. Indeed, larger cap, legacy names like Nice, Infosys, Cisco, NortonLifeLock, and Trend Micro, which show little to no innovation in modern cybersecurity settings, further drag down the performance, as the chart below neatly shows.
The difference in the performance of the two universes is not a secret. Qualitatively speaking, new generation players are, first, confidently riding the wave of digitization of everything by perpetually innovating their offerings in a never-ending cat-and-mouse game. For example, new-generation application security players are automating vulnerability assessment; endpoint security is transitioning from old-generation antiviruses to more efficient AI-powered XDR platforms, and the explosion of data generation and internet traffic requires new firewalls and Zero-trust frameworks. Secondly, new-gen companies inject artificial intelligence and machine learning into their projects, allowing them to improve behavioral analysis and automate repetitive tasks, decreasing costs and improving margins, profitability, and growth.
Quantitatively, this translates into higher revenue growth, margin expansion, EBITDA growth, and much more solid and consistent cash flow generation. All of the metrics above may be compared in the table below. The main takeaway is that if investors wish to construct a portfolio best positioned for the future, they must prioritize new innovative players that offer solid growth opportunities and avoid the slowly dying whales of the old world.
Investors need to focus on three main areas if they decide to invest in the new generation of cybersecurity: Purity, Specificity, and Quality. Failure to ensure that the cybersecurity portfolio excels in these metrics may mean lost opportunities and style deviation.
- Specificity. Often, companies may offer a specific technology or a product that may be used for many digital-related cases but not specifically for cybersecurity, e.g., Broadcom manufactures and supplies semiconductor and network infrastructure products such as wi-fi routers, network switches, chips, and adapters. Such companies have very different growth, market, and risk/reward profiles than those cybersecurity stocks to which investors initially wish to have exposure.
- Purity. Another challenge is finding pure players. Undoubtedly, well-known companies such as Microsoft have working cybersecurity solutions, i.e., Microsoft Defender. However, these solutions generate a negligible proportion of the total company top-line, meaning that it is not cybersecurity drivers that will be driving the performance of Microsoft , and the portfolio behavior will not 100% reflect the cybersecurity market.
- Finally, both new-generation and legacy stocks have different risk/reward profiles in both camps. Concentrating only on reward, even among the new-gen players, may obscure the unnecessary high risk of the portfolio. As seen in the previous sections, some players have relatively recently IPOed, some have a fairly early-stage profile, and some have a precarious financial position or more risks than catalysts. It is not always the latest technology that will channel the demand but companies' ability to capture it while staying financially strong.
Below we provide a simple comparison between a selection of cybersecurity portfolios and two universes seen above - legacy and new. The spread between the orange line (new-generation players) and a tendency to stay close to the grey line (legacy players) may be explained by not investing 100% in the new-generation players or having deviations on the "specificity" and "purity" scales.
Suppose investors wish to be exposed to cybersecurity and all the drivers that come with it, outlined in the first article of this series. In that case, they must ensure that the portfolio they are exposed to is a very "specific," pure-play portfolio with the highest risk-reward possible.
"All good research series come to an end," but it is only the beginning for cybersecurity
This concludes this five-part series where we have introduced the $310bn (2026e) modern cybersecurity industry and dived into all its sub-sectors:
- Application security, a $18bn market growing at 22%, driven by ongoing digitization of everything around us that will run on code
- Endpoint security, a $19bn market growing at 8%, protecting over 200bn connected devices and driven by a transition to innovative and AI-powered XDR platforms
- Network security, a $58bn market growing at 14%, driven by data and internet traffic explosion, as well as adoption of the modern Zero-trust framework
- Cloud, a $52bn market growing at 17%, driven by cloudification, initially sparked by COVID-19 and the sheer amount of highly vulnerable and sensitive data stored online
- Data, a $5bn market growing at 21%, driven by the transition from using bytes and gigabytes to tera, yotta, and Zetta bytes, i.e., data explosion
- Threat Intelligence and Services, a massive $160bn market, driven by the shortage of IT specialists, cybersecurity complexity, and the need to educate users on proper digital hygiene
The entire modern cybersecurity universe is resumed graphically in a dynamic value chain diagram that we rely upon when constructing our investment universes and portfolios. By clicking on the sectors, arrows, and technologies, you may dive into the industry, and learn about the latest state of the cybersecurity universe, market size, and growth. You may also discover the players which we think are the leaders of their segments and which we believe are best bound to benefit from the numerous catalysts ahead.
High-profile cyberattacks. Previously unthinkable cyberattacks against high-profile targets would immediately put the entire sector under the spotlight.
Jump in digitization. New ways to use technology, e.g., virtual universes, would mean an exponentially higher demand for cybersecurity solutions.
Addition of Artificial Intelligence and Machine Learning. New technologies would either bring a significant performance gain, improve economies of scale and profitability, or make previous systems obsolete, driving the new-generation cybersecurity players.
Cybersecurity leaders being breached. It would not only mean a reputational loss but also that the public trust in cybersecurity could be betrayed, taking years to rebuild.
Funding for the private players. New technologies often come from the private market that are later integrated into public companies and rely on funding. Funding drying up would slow down the innovation.
Unmanageable cyber threats. The whole sector may collapse if existing cybersecurity measures and solutions prove unhelpful.
Companies mentioned in this article
Accenture (ACN); Avast (AVST); Booz Allen Hamilton (BAH); Broadcom (AVGO); Cisco (CSCO); Cloudflare (NET); CrowdStrike (CRWD); Darktrace (DARK); Fortinet (FTNT); HP (HPQ); IBM (IBM); ID Quantique (Not listed); Infosys (INFY); Knowbe4 (KNBE); MagiQ Technologies (Not listed); Microsoft (MSFT); N-Able Inc (NABL); Nice (NICE); NortonLifeLock (NLOK); Palo Alto Networks (PANW); Ping Identity (Not listed); Proofpoint (Not listed); QNu Labs (Not listed); QRate (Not listed); Quantum Optics Jena (Not listed); QuintessenceLabs (Not listed); SeQureNet (Not listed); Toshiba (6502); Trend Micro (4704); Xiamen Meiya Pico (300188); Zscaler (ZS)
- Cybersecurity Universe Diagram
- Hot trends in cybersecurity
- Investing in modern cybersecurity: Application security
- Investing in modern cybersecurity: Cloud security
- Investing in modern cybersecurity: Endpoint security
- Investing in modern cybersecurity: Network security
- Investing in modern cybersecurity: Threat Intelligence
- Proofpoint: A whole new private story begins
- Quantum Computing: The next IT revolution
- Top pick: Cloudflare
- Top pick: Crowdstrike
- Top pick: Zscaler
- When AI met cybersecurity
- Wikipedia: AES
- Wikipedia: FBI-Apple encryption dispute
- Wikipedia: Quantum Key Distribution
- Wikipedia: RSA
- You cannot trust a cloud not to rain
This report has been produced by the organizational unit responsible for investment research (Research unit) of atonra Partners and sent to you by the company sales representatives.
As an internationally active company, atonra Partners SA may be subject to a number of provisions in drawing up and distributing its investment research documents. These regulations include the Directives on the Independence of Financial Research issued by the Swiss Bankers Association. Although atonra Partners SA believes that the information provided in this document is based on reliable sources, it cannot assume responsibility for the quality, correctness, timeliness or completeness of the information contained in this report.
The information contained in these publications is exclusively intended for a client base consisting of professionals or qualified investors. It is sent to you by way of information and cannot be divulged to a third party without the prior consent of atonra Partners. While all reasonable effort has been made to ensure that the information contained is not untrue or misleading at the time of publication, no representation is made as to its accuracy or completeness and it should not be relied upon as such.
Past performance is not indicative or a guarantee of future results. Investment losses may occur, and investors could lose some or all of their investment. Any indices cited herein are provided only as examples of general market performance and no index is directly comparable to the past or future performance of the Certificate.
It should not be assumed that the Certificate will invest in any specific securities that comprise any index, nor should it be understood to mean that there is a correlation between the Certificate’s returns and any index returns.
Any material provided to you is intended only for discussion purposes and is not intended as an offer or solicitation with respect to the purchase or sale of any security and should not be relied upon by you in evaluating the merits of investing inany securities.