ARK Invest Europe | Investing in Cybersecurity | Key Growth Areas for 2021 & Beyond

Written by Rahul Bhushan

2020 has been an inflection point for the cybersecurity sector. It’s a year that has fundamentally changed how governments and companies secure themselves online, but also how we – individuals – consider our own security and privacy in the new digital age.

This year, cyber-attacks and data breaches have escalated to levels unseen before. This year, it truly has felt as if nothing has been immune. Household names like Facebook, Twitter, Cathay Pacific, EasyJet, Microsoft and Capital One have all been targeted by hackers, affecting billions of users. Hackers have targeted coronavirus relief packages, the World Health Organisation, video communications platforms, and even the US Presidential election according to reports from Microsoft.

Now, of course, cybercrime is not a new phenomenon. The first ever cyber-attack dates back to 1986. However, the effects of the pandemic on our digital lives – this year – has been unprecedented, and the resulting vulnerabilities – well, we’ve not been prepared for them. The ‘work from home’ or WFH lifestyles that we’ve all adopted has meant that hackers have had easier access to our networks and data than ever before. As expected, they’ve been sure to take advantage of that.

The rate of phishing attacks alone has risen by more than +600% since February.[1] The number of attacks against banks have soared +238%.[2] We have seen an +148% increase in ransomware attacks this year.[3] As many as 80% of companies have reported increases in cyber-attacks targeting their infrastructure.[4] And it’s not just companies. The government of Puerto Rico too, this year, fell victim to a scam, duping them out of 2.6 million US dollars.[5]

What we have today is an “organised cybercrime” environment that is far more complex, far more crowded and far more dangerous than any time in our recent history. Gone are the days of lone-wolf, nonpartisan computer nerds carrying out hacks to make a quick buck. Today, the average cyber-attacker is part and parcel of a much larger organisation, which is far more likely to resemble a corporate entreprise than an average crime ring. According to security intelligence, as many as 80% of today’s cyber-attacks are carried out by cybercriminal organisations.[6]

What’s more, the market for cybercrime has also become terribly efficient. Today, a hacker can outsource each link in their cyber-attack chain to different parties or individuals, making traceability back to the initiator of the cyber-attack far more challenging. You can’t fault a cybercriminal for wanting to keep a low profile.

With a threat environment so multi-dimensional and pluralistic, and with cybercriminals becoming more organised and sophisticated, the cybersecurity sector has had to adapt. Cybersecurity professionals has had to evolve their products and services, incorporating the best of modern tools and technologies to improve security around our networks and endpoints. The cybersecurity sector has been forced to disrupt itself, as traditional hardware security vendors have continued to go extinct, replaced by new, cloud-based and analytics-driven cybersecurity software. We’re now entering a new age of cybersecurity, one that will be more predictive, more distributed and one which will by default trusts no one. With this backdrop, there are 3 key trends that we’re watching unfold, and which we believe will offer outsized returns for the cybersecurity sector in 2021 and beyond:

1. The adoption of AI and machine learning to offer more predictive security technologies

We have already seen the emergence of cybersecurity companies, leveraging technologies like AI and machine learning to identify and eliminate threats in real-time. Both companies and governments are now using such security tools to – in many cases – plug vulnerabilities before they even have a chance to mature into real threats. This has become known as predictive security. One company that has stood out this year for its offering is CrowdStrike. Their Falcon platform is one of the world’s first and leading cloud-based platforms known for its powerful application of prognostic threat detection to help secure endpoints in real-time. Other companies that have leveraged AI and machine learning include players like Dark Trace, F-Secure, and Vade Secure.

2. The death of hardware, the accelerated shift to the cloud and the emergence of Security-as-a-Service

One of the major business model innovations in the last decade has been Software-as-a-Service or SaaS as it’s conventionally known now. This type of business model was first pioneered by Mark Benioff at Salesforce and has since then been adopted by a host of software businesses. The trend has also spilled over into the cybersecurity sector. Today, we talk about security, but we talk about it “as a service”. Put simply, these are cybersecurity software solutions delivered entirely over the cloud. The idea is simple; leverage the distributed nature of the cloud and have a security model that is able to learn and diagnose threats in real-time and improve over time. We’re now in the early innings of an industry that will in totality metamorphose into a cloud security business in the years to come, and we’ll see it increasingly take the shape of a kind of ‘Salesforce for Security’.

Well-prepared companies like Sailpoint, Okta and Zscaler have taken advantage from the accelerated digitisation (and cloud adoption) we’ve seen this year. We expect that the tailwinds associated with WFH, and the sector-wide shift to SaaS will make cybersecurity companies even more attractive in the years to come, as SaaS companies by their very definition are able to show investors greater clarity and predictability around their revenue, simplifying discounted cash flow valuations.

3. “Zero Trust”, identity and the global imperative of better digital privacy

What is Zero Trust? Put simply, as we move to increasingly hybrid working environments, it’s not just going to be employees and their single corporate devices that are vulnerable endpoints in a network. In a WFH environment, every single company and personal device will represent an endpoint that needs to be secured. If I am connected to my corporate account through my local network, every single device that is also connected to that local network (i.e., my smartphone, my television, my printer, my digital camera, my toaster, my microwave, my fridge, the list goes on…) will need to be secured. Even more challenging will be the fact that we’ll be dealing not only with single networks but rather multiple and distributed networks; every employee connected through their own local network.

In such an environment, it’s going to be more important than ever to ensure that those people logging on to access corporate data, information and files are indeed who they say they are. Enter Zero Trust authentication. Zero Trust is an information security framework that states that organisations should not trust any entity inside or outside of their perimeter at any time. The goal of Zero Trust security is to protect the company from advanced cybersecurity threats and data breaches, while at the same time helping the company achieve compliance with GDPR, FISMA, HIPAA, PCI, CCPA, and any future data privacy and security laws.

Zero Trust is going to increasingly be a crucial component of a holistic identity access management (IAM) offering, and it’s natural to expect companies like Ping Identity and IBM benefit from this trend. Newer players include Varonis Systems and CyberArk, both now looking to benefit from the burgeoning opportunities in Zero Trust and associated data privacy tailwinds.

Statista estimates that global cybersecurity spending will hit $248 billion by 2023.[7] That equates to an approximate 11% Compound Annual Growth Rate (CAGR) for cybersecurity spending over the next 3 years.[8] It’s worth noting that Statista made these predictions prior to the onset of the global coronavirus pandemic.

It’s reasonable therefore to expect that cybersecurity spending is only going in one direction. From a corporate perspective, cybersecurity will no longer be a ‘work in progress’. Instead, it’ll need to become an integral part of the infrastructure of an organisation’s operations. As such, for investors, we believe the opportunities for the sector are plentiful.

References:

[1] Infosecurity Magazine, “#COVID19 Drives Phishing Emails Up 667% In Under a Month”, 2020. Available at: https://www.infosecurity-magazine.com/news/covid19-drive-phishing-emails-667/

[2] ZDNet, “COVID-19 blamed for 238% surge in cyberattacks against banks”, May 2020. Available at: https://www.zdnet.com/article/covid-19-blamed-for-238-surge-in-cyberattacks-against-banks/

[3] Carbon Black, “Amid COVID-19, Global Orgs See a 148% Spike in Ransomware Attacks; Finance Industry Heavily Targeted”, April 2020. Available at: https://www.carbonblack.com/blog/amid-covid-19-global-orgs-see-a-148-spike-in-ransomware-attacks-finance-industry-heavily-targeted/#:~:text=In%20March%202020%2C%20ransomware%20attacks,take%20advantage%20of%20vulnerable%20populations.

[4] CSO Online, “Top cybersecurity facts, figures and statistics for 2020”, March 2020. Available at: https://www.csoonline.com/article/3153707/top-cybersecurity-facts-figures-and-statistics.html

[5] AP News, “Official: Puerto Rico govt loses $2.6M in phishing scam”, February 2020. Available at: https://apnews.com/article/e03bea7e491b9c95350887880376562f

[6] Security Boulevard, “5 Biggest Cyber Attacks of 2020 (So Far)”, October 2020. Available at: https://securityboulevard.com/2020/10/5-biggest-cyber-attacks-of-2020-so-far/

[7] Statista, “Size of the cybersecurity market worldwide”, March 2020. Available at: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/

[8] IBID

Subscribe to ARK Research & Insights

See all Articles

Select Your Country

Select Your Investor Type