The Equifax hack, which compromised the personal data of more than 140 million Americans, was the latest in a string of hacks affecting major companies in recent years, underscoring the need for companies to bolster cybersecurity defenses.
Predictably, the stocks of firms specializing in cybersecurity have rallied after the Equifax breach was announced Sept. 7, with investors betting that companies will purchase more cybersecurity services going forward.
Since Sept. 7, shares of FireEye Inc. increased by 17.4 percent, Symantec Inc. by 12.3 percent, and Fortinet Inc. by 3 percent, as of Sept. 15. The ETFMG Prime Cyber Security ETF, which tracks the performance of a select group of companies in the cybersecurity industry, was up 2 percent during that span.
Despite elevated investor interest and demand for cybersecurity services, the security industry as a whole has been underwhelming in terms of growth and innovation, and may be ripe for consolidation.
Shift Away From Firewalls
For one, some experts view the current trend of companies moving their data onto the cloud as being detrimental to companies specializing in cybersecurity services.
Investment bank Credit Suisse, which initiated research coverage on cybersecurity giants Palo Alto Networks Inc. and Fortinet recently, assigned “underperform” ratings to both in a note on Sept. 5. Analysts at Credit Suisse believe companies with an established position in cloud-computing have higher upside instead.
“While we consider cybersecurity to be a secular growth theme, as the corporate network disintegrates we anticipate spend will be redistributed away from the network to the detriment of incumbent firewall vendors,” Credit Suisse analyst Brad Zelnick noted in a research report.
Traditionally, companies centralized their systems and data in on-premises data centers. This type of system architecture employs a “walled garden” defense—deploying strong firewall hardware around the data center and defending the walls vigorously. Think of the typical spy or “heist” movie where an intruder attempts to penetrate a well-defended room full of servers.
Most cybersecurity firms specialize in the “walled garden” defense strategy.
But a recent secular shift by companies away from self-administered data centers toward decentralized cloud storage has complicated matters. For many companies, the majority of data is stored in the cloud, often via software as a service (SaaS) or infrastructure as a service (IaaS) platforms such as Amazon Web Services, ServiceNow, or Workday. In this type of setup, security often depends on software inherent in these services instead of hardware.
Last year, marketing research firm Gartner predicted that by 2019, more than 30 percent of the 100 largest software vendors’ new software investments will be cloud-only.
“The cloud, being by its very nature distributed, dissolves the concept of network perimeter,” Credit Suisse points out. “As workloads move out of data centers, it becomes less clear at what point the bounds of the corporate network begin and where they end.”
This inevitable shift could see corporate IT departments allocate budget dollars away from traditional firewall solution providers in cybersecurity as SaaS and IaaS platforms gain more traction.
Better, Not More, Cybersecurity Needed
Cloud-based IT infrastructure has increased the challenge of delivering cybersecurity. For a company, securing access to several cloud-based vendors and thousands of simultaneously connected devices such as iPhones and iPads—each of which may access cloud-based solutions independently—is far more challenging than implementing a “walled garden” defense.
In a late 2015 Morgan Stanley survey of corporate chief information officers, most said that they bought or planned to purchase more than 15 different security technologies.
Clearly better, not more, cybersecurity is needed. This shift could prompt more consolidation in the industry, coalescing around some of the bigger technology giants. “We think the security software industry is reaching a tipping point of maturity, where we will see a faster pace of consolidation than we’ve seen in the past,” Morgan Stanley’s Keith Weiss, head of U.S. software coverage, said in a research report last year.
The industry agrees with this assessment. Steve Morgan, CEO of Cybersecurity Ventures, says the venture capital funding that security firms enjoyed from 2013 to 2015 is now running dry. “Only so many companies will excel in the market, and we can expect that many will crash and burn,” Morgan told InformationWeek.
A handful of deals have occurred over the last year, many of them involving technology giants. In November 2016, Symantec Inc. bought identity theft monitoring service LifeLock for $2.3 billion. Earlier this year, CA Technologies purchased Veracode, a cloud-based security platform, for more than $600 million. In January, TechCrunch reported Amazon Web Services bought San Diego-based artificial intelligence startup Harvest.ai in 2016. Harvest.ai develops advanced AI algorithms to secure files and documents stored on the cloud.
Apple Inc. earlier this year purchased Israeli-based facial recognition startup RealFace for an undisclosed amount. RealFace’s technology no doubt made its way into Apple’s newly unveiled iPhone X, which uses advanced facial recognition as an unlocking tool.