Cyber Security Firms Could See a Spike in Investment

March 27, 2019
AP_19065653730430.jpg
A Nasdaq employee monitors market activity in New York. (AP Photo/Mark Lennihan)

Last year, Glen Kacher, founder of Light Street Capital Management in Palo Alto, California, told a group of hedge fund managers and other investors that a cyberwarfare-driven financial crisis could emerge in the years to come.

“A cyber security war is being fought right now between the east and west,” Kacher told investors in April 2018 at the annual Sohn Investment conference in New York. “One large cyber attack could cause the next major financial crisis.”

Kacher described a hypothetical scenario where cybercriminals could create an extended disruption in banking account activity, which could drive customers to conclude that it makes sense to withdraw cash from financial institutions, causing a cascading financial crisis.

The view led Kacher to back investments in Palo Alto Networks, a California-based cyber security company with a focus on firewalls and cloud-based offerings. Following Kacher’s comments at Sohn, Palo Alto’s share price has mostly been on an upward trajectory, trading recently at $239.72 a share.

Beyond Kacher, other experts envision an increased need for cyber security to protect against both state- and non-state-sponsored hackers. The emergence of disruptive technologies is making it increasingly easy for cybercriminals to wreak havoc.

As a result, corporations and governments that are shifting more data and workload into the cloud have become increasingly worried about cyber threats. Networks, personal computers, phones and email systems face new vulnerability.

“I expect to see $50 billion invested over the next five years in cyber security spent on protecting the cloud,” said Dan Ives, managing director of equity research at Wedbush Securities in New York. “As more work moves to the cloud, Amazon, Microsoft, Google will benefit first, then there will be a massive ripple effect of investment in companies that will seek to protect the cloud.”

Steve Koenig, managing director at Wedbush in San Francisco, cited a survey his firm conducts annually of 100 decision makers at major corporations. The most recent survey found that major corporate allocations are being made in three categories: cyber security, analytical technology and investments in the cloud.

Firm Acquisition and Consolidation

As far as cyber security is concerned, Cisco Systems Inc., Symantec Corp. and Proofpoint Inc. are leaders. Cisco is an incumbent in firewall and email protection, while Symantec is a key player in protecting personal computers and Proofpoint is the emerging leader in email protection, Koenig notes. Palo Alto Networks, Kacher’s suggestion, developed a next-generation firewall technology and has also emerged as a leader in network protection in the cloud.

“Palo Alto Networks is a company that has a really good chance of being a major player in cyber security and cloud technology over the next few years,” said Ives. “You will see a parabolic increase in investments into protecting the cloud.”

A number of other smaller venture-capital-backed companies have become cyber security innovators. Koenig said he expects many of these to be acquired by larger security corporations in the years to come, in part because the market is too fragmented for the average chief technology officer, who prefers to deal with fewer vendors.

“Hackers are continuing to evolve, so it’s an arms race,” Koenig said. “The good guys need to keep up and a lot of the innovation is happening at smaller companies that are venture-capital- funded. The big incumbents need to acquire these to keep up with the threat landscape, so that is why consolidation is a fact of life in cyber security.”

As cyber security shifts into the cloud, expect consolidation to occur with a number of the bigger players, such as IBM, Google, Microsoft and Symantec, acquiring smaller innovators, such as Zscaler, a cloud-based internet security company.

Koenig notes that many cyber security companies have traditionally focused on protecting internal networks by putting up firewalls around existing servers. However, business is increasingly conducted on the cloud, through mobile devices and other software-as-a-service (SaaS) applications, which corporate information technology (IT) departments have deployed. These SaaS applications are not going through internal networks and need new types of cloud cyber security protection, which companies like Palo Alto Networks and other firms such as Qualys and Mimecast are deploying.

Investments in Cloud Technology

Investments in cloud technology are expected to skyrocket, according to analysts. Wedbush’s Ives said the most disruptive trends he’s seen in his 20 years of covering technology is the development of the cloud and investments in the cyber security protecting it. Ives notes that about 30 percent of enterprise application loads are now in the cloud or hybrid architecture and he expects that to grow to 55 percent by 2022.

Koenig affirms that there are three major players when it comes to cloud platforms: Amazon Web Services, Microsoft and — a distant third — Google.  

“Google has to make acquisitions to be a contender,” Koenig said. “I don’t think they can do it on their own. They are going to have to acquire a company that knows how to sell [cloud technology] to enterprises.”

A second bucket of cloud-focused developers are enterprise SaaS firms, among them Salesforce.com Inc., WorkDay Inc. and ServiceNow Inc., Koenig said.

Experts agree that Amazon Web Services is currently the leader in cloud development, while Salesforce.com is the top cloud service provider. However, Microsoft CEO Satya Nadella has a good chance of taking the lead, as cloud computing begins to offer users new powerful tools, such as artificial intelligence and complex machine learning, Ives notes. A key plus for Microsoft is its Azure application, a cloud computing service.

“Salesforce.com is the gold standard in transitioning to the cloud,” Ives said. “Amazon and Microsoft, Jeff Bezos and Satya Nadella, are in a two-horse race to lead the cloud market. Amazon has written the first chapter but the next chapter will go to Microsoft, which is a leader in complex machine learning workloads with Azure.” 

Ives said he believes Microsoft, which has an $889 billion market capitalization, will reach a $1 trillion market capitalization this year, because it is playing a disproportionately large role in enterprise software as more applications, workloads and data move to the cloud. “When you look at the next phase, you will see much more complex workloads move to the cloud and this goes right into Microsoft’s backyard,” Ives said.

To catch up, Google may have to do a game-changer-type acquisition in the cloud computing space. Ives speculates that the internet search giant could seek to acquire an IT services company that offers privileged account security, such as CyberArk Software Ltd.

For now, the hacker-versus-cyber-security arms race, as Koenig puts it, is escalating, as online criminals look for new ways to shake up the global economic system.

Cybercrime and the Global Economic System

The threat is real, as a number of high-profile research firms and top bankers have pointed to cyber risk as a critical issue. JPMorgan Chase CEO Jamie Dimon, who weathered the global financial crisis of 2008 and heads one of the largest US  banks, suggested in October that “we are not prepared for cyber, and it’s already a cyberwar.” Dimon added: “Companies like JPMorgan and hundreds of thousands of others are attacked every day by state actors, criminals, and we don’t have the authority in place to have the proper response and protection.”

Particularly troubling is the escalation of state-sponsored cybercrime targeting financial institutions. Consider a new paper, issued on March 24 by the Carnegie Endowment for International Peace, which identified a spike in cyber attacks on financial institutions connected to nation-states. The paper, “Cyber Threat Landscape: Confronting Challenges to the Financial System,” noted that “targeted network intrusions against banks were rare just a few years ago, but now they are happening on a weekly basis.”

Reuters’ analysis of the study noted that 23 of 94 cases of cyber attacks identified over the past decade as financial crimes were believed to be connected to state sponsors, including countries such as North Korea, China, Russia and Iran.

“State actors have a disproportionate effect on the threat landscape, as they have the resources to invest in offensive cyber tools and techniques,” the study’s authors, Adrian Nish and Saher Naumaan, said.

As technology advances, complexity increases, network defence becomes more difficult, Nish and Naumaan note, adding that the next destination for attacks could include foreign exchange markets and trade finance.

With cyber attacks on the rise, it isn’t a surprise that Palo Alto Networks and other next-generation cyber security firms have become continued recipients of capital investments. As the cyber arms race escalates, expect to see more investment allocated to cyber security enterprises.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Ronald Orol is a senior editor at The Deal and writes about hedge funds and bank and securities regulation for The Street. He is the author of the book Extreme Value Hedging: How Activist Hedge Fund Managers Are Taking on the World, and holds a master's degree in business and economics journalism from Boston University.