Spend To Defend – Why Cybersecurity Is A Sustainable, Investable Theme by Scott McCabe, Columbia Threadneedle Investments

  • Companies across the globe have to deal with the growing threat posed by security breaches and their high associated financial, informational and reputational costs.
  • No one vendor dominates both network and endpoint security, and we want to be overweight vendors that deliver the broadest end-to-end/device-to-network security platform.
  • We believe the IT security market remains a very attractive investment area because it is sizable, defensive and open for disruption.

Target, Nieman Marcus, Ebay, Albertsons, UPS, Dairy Queen, Home Depot, Jimmy John’s, JPMorgan, Kmart, Staples, Bebe, Sony and the U.S. government. Although they all differ in industry and focus, they share common ground. All must deal with the growing threat posed by security breaches and their high associated financial, informational and reputational costs. While conventional warfare took place on the battlefield, cyber warfare is waged in the digital domain. The information pilfered can provide significant strategic and financial gains for its acquirers. Although we are hesitant to sound alarm bells of paranoia à la ‘Dr. Strangelove’, we highlight the following as evidence the war is real:

  • The Director of National Intelligence named cyber threats as the number one strategic threat to the United States, placing it ahead of terrorism for the first time since the attacks of September. 11, 2001.
  • President Obama issued an executive order on April 1, 2015, declaring “the increasing prevalence and severity of malicious cyber-enabled activities… constitute an unusual and extraordinary threat to the national security, foreign policy and economy of the United States. I hereby declare a national emergency to deal with this threat.”
  • According to McAfee, a security software firm owned by Intel, cybercrime costs the global economy an estimated $400-575 billion annually.

The cybersecurity threat is reaching unprecedented scale and severity

Information technology and the internet have created billions in economic wealth, with new devices and services that change the way we work and live. A prime example of this is the explosion of smartphones, which are projected to grow from 300 million units in 2010 to 1.7 billion by the end of 2015. Smartphones have extended network compute capabilities outside the walls of the home and office and with this rapid growth and extension in computing power has come an explosion of cloud-based applications. The exponential growth in access points and the frequency in which people interact with networks means billions of new potential attack targets, making protecting networks even more critical and challenging. We highlight Symantec’s 2015 Internet Security Threat Report, which emphasizes the increasing cybersecurity concerns within the mobile ecosystem. Symantec analyzed 6.3 million applications in 2014 and found that 1 million of these applications (16%) were classified as malware.

This very same technology is vulnerable to cybersecurity attacks which are creating profound risks and costs; $400-575 billion in costs annually to be specific. This growing threat is driving increased spending on next-generation technologies to defend against the escalating economic, operational, and reputational costs of cyberattacks. As a result, security investments are now a top priority for enterprises and governments, and with the adversary consistently evolving to defeat existing security measures, spending must continually increase to meet new challenges. This creates opportunity for security vendors and investors in IT security companies.

The stakes are high

The environment is increasingly dangerous with hackers continually shifting their targets while seeking out new vectors; compliance requirements are rising due to online and mobile payments; business user demand is rising for mobile devices and cloud-based applications.  These continue to be the main secular drivers that should augment network security spending. C-level executives have also taken note of the escalating economic, operational and reputational costs during recent events at Target, Home Depot and the NSA. So they are spending more on security which is creating a tailwind for network security vendors. The stakes are clearly growing, as the amount and importance of data stored in corporate networks and on personal devices continues to expand rapidly.

Security needs have evolved

Security customers are moving beyond perimeter defense, which has proven insufficient by itself, to more integrated approaches to securing networks. Specifically, data security and identity & access management are becoming more important. We believe the ability to integrate these features into one solution without sacrificing network performance is key. Further, the rise of mobility is leading to a battle for control of “endpoint security.” No one vendor dominates both network security and endpoint security. The complexity and lack of integration among multiple point solutions create opportunity for security vendors that offer greater integration, automation and management, pointing to broader suites in time. We want to be overweight vendors who can deliver what over 50% of chief information officers say they are looking to purchase: a security platform capable of integrating key security features such as firewall, application control, intrusion detection & protection and advanced malware/advanced persistent threat (APT) onto a single platform.

Spending on IT security will continue to grow

Last year, the broader security industry generated $34 billion of revenue from sales of equipment and services relative to the $400-575 billion of annual costs related to security breaches. So there appears to be ample room for growth for vendors whose technology minimizes these costs. To further illustrate the opportunity, security spending accounts for only 5% of total IT spend and defense spending. Each 1% gain of wallet share drives an incremental 20% annual growth for the industry versus current expectations for 10% total annual growth. Given the ongoing, evolutionary nature of cyberattacks, coupled with the relatively low share of total IT spend security accounts for, we believe industry growth rates will remain stronger than industry forecasts. We expect 10-15% growth over the next 3-5 years versus the 8-10% forecasted by industry analysts like Gartner. This creates immense opportunities for innovative cybersecurity companies as well as potentially outsized investment returns for those capitalizing on the theme.

A long-term investable theme

We believe the IT security market remains a very attractive investment area. It is sizable ($34 billion in aggregate spend), defensive (companies are hesitant to cut nominal security spending during economic downturns), and open for disruption with the network firewall refresh cycle driving double-digit annual growth, lasting longer than the market currently anticipates.

Spend To Defend - Why Cybersecurity Is A Sustainable, Investable Theme