Cybersecurity Stocks: What to Watch in 2017

Over the past few years, the surge in data breaches worldwide has boosted bullish interest in the cybersecurity industry. However, many cybersecurity stocks have stagnated or faltered over the past year due to slowing sales growth, low profitability, high valuations, and rising competition.

The PureFunds ISE Cybersecurity ETF, which owns a basket of top cybersecurity stocks, has advanced less than 3% over the past 12 months, underperforming the S&P 500's 6% gain. To see if these stocks can bounce back, we should identify some key trends which could affect the cybersecurity sector in the coming year.

Weak security, more sophisticated attacks

More than 5.3 billion records were lost or stolen during data breaches over the past three years, according to the Breach Level Index. 52% of respondents in CyberEdge Group's 2015 Cyberthreat Defense Report believed that their companies could be hit by successful cyberattacks within the year.

Bigger companies are slowly responding to these threats, but Cisco's 2016 Annual Security Report found that only 29% of small to medium-sized businesses used basic security tools to prevent breaches. Symantec (NASDAQ: SYMC) also found that three quarters of all monitored websites had exploitable vulnerabilities.

Those weak security measures, combined with the growing number of unsecured IoT (Internet of Things) gadgets on the market, could result in more catastrophic attacks in the coming year.

Higher enterprise and government spending

As more data breaches occur, companies will need to prioritize cybersecurity spending. Lloyd's and Juniper Research estimate that the global cost of handling cyberattacks will surge from $400 billion in 2015 to $2.1 trillion in 2019 -- indicating that demand for "best in breed" cybersecurity services will rise over the next few years.

The Trump Administration plans to develop a new national cybersecurity plan to counter attacks from foreign hackers. This means that higher spending from government agencies could boost revenue at government-certified cybersecurity firms like FireEye (NASDAQ: FEYE) and Palo Alto Networks (NYSE: PANW), as well as the cybersecurity arms of defense companies like Raytheon.

However, President-elect Trump faces a tough uphill battle to restore confidence in the government's cybersecurity capabilities -- three-quarters of respondents in Passcode's recent survey of digital security and privacy experts didn't believe that cybersecurity standards would improve under a Republican administration.

Balancing expenses and profitability

Many cybersecurity companies post solid revenue growth, but only a few are able to generate consistent GAAP-adjusted profits. This is because many cybersecurity companies have weak cash flows, and use high stock-based compensation (SBC) to attract top talent.

Those high expenses made Silicon Valley-based FireEye and Palo Alto unprofitable on a GAAP basis, and both companies have struggled to keep those costs under control. However, Israeli cybersecurity companies like CyberArk (NASDAQ: CYBR) and Check Point Software (NASDAQ: CHKP) generally pay lower salaries and stock bonuses than their Silicon Valley counterparts, making both companies profitable by both non-GAAP and GAAP metrics.

Looking ahead, investors should see if the Silicon Valley players can get their costs under control, and see if non-Silicon Valley cybersecurity firms can keep expanding and building competitive workforces.

Market consolidation

Many analysts believe that the fragmented cybersecurity market is on the brink of a major consolidation. Over the past few years, larger tech companies like Cisco, Symantec, and IBM have all beefed up their security businesses with various acquisitions.

Cisco became a direct competitor to Palo Alto and FireEye with its purchases of Sourcefire and ThreatGRID; Symantec is evolving into an end-to-end player with its purchases of BlueCoat and LifeLock; and IBM's purchases of Resilient, Lighthouse, and CrossIdeas bolstered its IT security capabilities.

Smaller stand-alone service players like Palo Alto, FireEye, and CyberArk could find it tough to compete with these bundled solutions. But at the same time, these companies all have "best in breed" products -- Palo Alto's next-gen firewall, FireEye's threat prevention solutions, and CyberArk's privileged account management platform are all widely used by large companies.

Therefore, it's more likely that bigger companies like Cisco, Symantec, and IBM will simply acquire these companies and their customers instead of trying to marginalize them. However, some of these companies' valuations might need to drop before they can be considered reasonable acquisition targets. For example, Palo Alto and CyberArk both trade at 9 times sales -- which is much higher than the industry average of 5 for software companies.

The key takeaways

Investors should be very picky with cybersecurity stocks in 2017. It's better to stick with companies like CyberArk, which have concrete profits, than companies like Palo Alto, which have robust revenue growth but weak control over their expenses.

However, I believe that all investors should have some exposure to the cybersecurity market, which could experience very steep growth over the next few years as cyberattacks and data breaches escalate.

Leo Sun owns shares of Cisco Systems and CyberArk Software. The Motley Fool owns shares of and recommends Check Point Software Technologies and FireEye. The Motley Fool recommends Cisco Systems, CyberArk Software, and Palo Alto Networks.