Published March 12, 2013
With everyone from Facebook (FB) to the Federal Reserve suffering high-profile cyber intrusions, it’s never been a better time to be involved in the multibillion dollar cyber-security business.
The dramatically increased attention from corporate America and the federal government alike has helped transform cyber security from a niche area few CEOs lost sleep over to a key growth sector that is likely to receive a larger and larger chunk of both private and public sector budgets.
“Clearly people are now paying attention. Cyber security is no longer a footnote in the needs of supporting a business end-to-end,” said Frank Cilluffo, director of George Washington University’s Homeland Security Policy Institute.
Not unlike how a hurricane may boost sales for demolition companies, the increased pace, intensity and disclosure of cyber attacks has proven to be a boon to the bottom lines of cyber-security firms.
“It’s the best it’s been and I hope it will even get better,” said Roy Zisapel, CEO of Radware (RDWR), a networking solutions company that sells security products. “For us, the level of activity, engagement and budgets in Fortune 100 accounts to cyber security is dramatically higher than any year before. It’s night and day.”
Cyber Concerns Grow
The increased willingness to spend on security comes as attacks have become more commonplace.
According to the U.S. Computer Emergency Readiness Team, the number of cyber attack incidents reported by federal agencies has skyrocketed 782% since 2006 to nearly 49,000 in 2012. Attacks jumped 13% last year alone.
And those are just the ones we know about.
“There are far, far more attacks than are being reported,” said Zisapel, who estimated that just 1% of all attacks are disclosed.
According to a Deloitte survey of almost 2,000 executives last week, 58% plan to boost spending on cyber security measures in the next 12 months and 79% are not confident about the efficacy of their existing measures.
Sequester Effects Eyed
Attacks are not only increasing, they have shifted in motive from financial to political gain amid a rising number of attacks from state actors like China and hacktivist groups like Anonymous.
“This has triggered a greater sense of urgency for security initiatives at the federal level,” Aaron Schwartz, an equity analyst at Jefferies, wrote in a note to clients.
Of course, the U.S. government has some serious spending limitations, especially given the impact of the $85 billion in spending cuts mandated by sequestration.
Dave Aitel, CEO of cyber-security firm Immunity, is already seeing a “trickledown effect” caused by lower defense spending, which has hurt orders from big contractors and increased competition among security firms catering to the commercial sector.
“Everyone is buying less because of sequestration,” said Aitel. “Deep down sequestration is a shadow that looms over the landscape quite a bit. We’d definitely feel happier if the federal government got its budget act together.”
Schwartz said while federal cyber security spending may be more “back-loaded” due to sequestration, overall it “should be immune from broader budget pressure.”
Zisapel concurs, saying: “These are types of projects you cannot cut. I don’t see any impact. I think this issue is completely isolated.”
Believe the Hype?
Remembering cyber scares of the past (see: Y2K), some worry the current cyber threat is being overhyped by an industry that clearly has a lot of skin in the game.
Cilluffo, a former homeland security aide to President George W. Bush, believes in the seriousness of the cyber threat but said the old Reagan adage of “trust but verify” can apply here.
“Obviously we need empirical evidence and data to be able to determine just how much of a risk it is,” he said. “We should never be overhyping a set of issues, but I also think this space moves so quickly we want to look forward not just backwards.”
Others note that while business is looking up for many cyber security players, the current strategies being deployed have not stopped attacks from skyrocketing.
“These firms seem to be doing pretty good business but I don’t think the problem seems to be getting any better. Where are they failing their customers?” said Christopher Bronk, a fellow at Rice University’s Baker Institute.
Bronk said the industry has been slow to grasp the predictive logic needed to forecast attacks. “Cyber security is good at seeing what and how. Rarely do we ask who or why?” he said.
Zisapel doesn’t dispute the notion that cyber security needs to do a better job as a whole.
“A lot of the legacy security vendors are failing to protect customers. That’s where the opportunity lies for us and the new generation of companies that actually build solutions,” said Zisapel.
Patchwork Investing Picture
Even though the industry should be a focal point for investors, the cyber security landscape is currently very fragmented, especially given a lack of guidance from Congress on security standards.
“Right now you have a lot of neat services and technologies but no one really knows what that good housekeeping seal of approval will look like,” said Cilluffo. “I see it a bit like kids' soccer right now where everyone is swarming the ball. At some point I think the field will even out and you will have some big winners.”
Cilluffo notes that today there aren’t really any major security firms that offer comprehensive solutions on the cyber front. “I think a smart investor is going to look back and pick and choose the best pieces,” he said.
Some of the biggest names in the industry include Symantec (SYMC), Intel’s (INTC) McAfee, Sourcefire (FIRE), F5 Networks (FFIV), Palo Alto Networks (PANW), Cisco Systems (CSCO), Juniper Networks (JNPR) and Fortinet (FTNT)
Schwartz, the Jefferies analyst, said he prefers Check Point Software (CHKP) as an investment in the IT security space, projecting a re-acceleration in product growth in 2013 thanks to a better product mix.
Robert Breza, an analyst at RBC (RY), recently told FOX Business he’s bullish on a number of security stocks, including Symantec, proactive messaging company Proofpoint (PFPT) and identity management company Lifelock (LOCK).
Given the evolving nature of the security industry, some of the best investments are likely still in the startup phase and will eventually join more established players by testing the IPO waters in the coming years.