Hackers never sleep

by Pininvest Analysis



'Cybersecurity' cannot be confused any longer with 'protection' of a business against digital assaults, with a whole array of defensive measures... This never was a correct understanding of cybersecurity, or at best a very partial one

With a virtually infinite number of interconnected entry points, every company becomes an amorphous data entity in lieu of a streamlined organization, making threats a possibility anywhere within the organization

If porosity of any company's perimeter is a given, rather than assume a cybersecurity wall to be impenetrable, choices have to be made

Core security priorities however will remain convoluted and changing over time

A challenge for the cyber security industry which has to anticipate evolving - and splintering - security expectations




On the prowl

Hackers pride themselves on bringing down the largest corporations, putting out massive hauls of consumer data, credit card numbers, social security data, addresses … anything goes

Presumably, the companies are jolted by each new data spill and IT spending on cybersecurity will be ramped up (again)

From a conservative 2% of IT budgets focused on cybersecurity around the year 2000, broad agreement within the industry puts cyber budgets at 10% of total IT expenditures today, with further significant increases mapped out

Organizations also come to recognize that security is not only about defensive measures – from network protection to email filters, data base protection and cloud security

  • cybersecurity calls for a shared culture, associating company employees at every level
  • in the everyday chaos of a connected world, the assumptions underlying the software layers on which each company has come to rely must be reevaluated - the effort is ongoing and never lets up

High-profile data privacy breaches have undoubtedly roiled the reputation of the targeted companies, and by extension, all the organizations serving as data stewards are at risk of losing the trust of their clients

It is worth paying attention...



By category, consulting services are the major beneficiaries, and the largest consultancies, drawing on global and cross-industry capabilities, rule the roost

According to Consulting.us, the security consulting service market grew from an estimated $17.4 billion in 2016 to $19 billion in 2017 – a growth rate of 9.2%

With the continuation of the upward trend for 2018, a reasonable assumption, revenues will top $21 billion

2018 market shares of the 10 top consultancies, based on their respective upward trends since 2016, are approx. as follows (our calculations)

Global cybersecurity consultancies

Majors                 Market share
Deloitte               15,50%
EY                     11%
PwC                    11%
IBM                    3,50%
Accenture              3%
Booz Allen Hamilton    2,50%
Optiv Security         2%
HP Enterprise          1,80%
BAE Systems            1,50%

Source - consultancy.uk

While only indicative, the dominance of the 4 largest consultancies (servicing approx. 50% of the cyber consulting market, worldwide) gives a strong hint about the true nature of 'cybersecurity', which cannot be confused much longer with 'protection' of a business against digital assaults with a whole array of defensive measures...

This never was a correct understanding of cybersecurity, or at best a very partial one - defensive measures to protect a network or a database are inescapable, but only make sense insofar as the architecture of a company's digital infrastructure keeps up with evolving challenges and deep involvement of its employees at every level of responsibility is nurtured

One-size-fits-all cybersecurity strategies relying on entry point protection for network and big data security might actually create a false sense of security

With constantly evolving threats, originating in every quarter of a business ecosphere, cybersecurity can only be as effective as the company's commitment - delegation to third parties is not an option


Arbitrage – how to make orderly choices in chaos

The transition from a clean company network, operating safely behind a firewall, to today’s reality of legacy data centers, manufacturing facilities, and networks, connecting to an uncontrollable mass of independently governed endpoints, has been chaotic – and remains largely ‘sui generis’, unique and unpredictable

Control of the flow of information in a coherent, structured fashion, through strategic use of firewalls and security, is not an option

With a virtually infinite number of interconnected entry points, creating an amorphous data entity in lieu of a streamlined organization, threats are a possibility anywhere within the organization

To be effective, cyber security will have to investigate and test the information that is allowed through the firewall, going well beyond the screening of malicious senders

Presumably any threat could be detected, contained and mitigated, but this would not be true for all threats, all the time…

Security carries costs, not simply for original implementation and updates to maintain relevance, for continuous screening and inspection, but also in terms of computational demands of every security interaction, driving power expenses up and slowing processes down

Ultimately, the computing power required of the security infrastructure consumes far more resources than required of the relatively simple networks themselves

This is why arbitrage between potential cyber threats is preordained


Preordained and all-encompassing

The decision how to prioritize the protections in a fluid data environment ultimately belongs to the company

With much diversity in internet access solutions and proliferation of end-to-end devices, porosity of the perimeter is a given and, rather than assume a cybersecurity wall to be impenetrable, choices have to be made

  • The challenge to decide where to put the focus of protection will be the hardest at company level. Choices must highlight the core holdings – intellectual property in a biopharma research firm or client data in a financial institution – with the highest probability of attack, but budget allocation will inevitably downgrade the level of protection of less critical processes – not a happy prospect on interconnected systems
  • The concentration – and continuous update – of the core protection will divert large and costly power usage, and is likely to slow down computing capabilities across the entire company

To temper such negative side effects, cybersecurity will involve far-reaching evaluation of the company’s existing software framework and the hardware on which the company operates

Implications may be – and often are – dire because of delayed upgrades and aging equipment, out of sync with fast moving intrusion programs

Arbitrage – as it turns out – is all encompassing

Core priorities converge in decision sequences transforming the way the company can afford to operate its data cloud and do business

  • the entire suite of in-house cybersecurity expenditures – a combination of specialized software, on top of the continuous upgrade of framework software and hardware – may grow out of reach for even the largest companies
  • the transfer of core data from private data centers to third party cloud servers may suggest a growing trend – to name a few, FireEye, a cybersecurity specialist, and Capital One, a recently hacked financial institution, both confirmed their reliance on AWS, the Amazon cloud giant

Cyber-attacks could well be the unlikely agent of fast growing trends of specialization – for the benefit of a few third-party cloud specialists who will deliver the most complete upgraded data protection suites

Making it much harder for hackers to loot valuable core data, the streamlining of software systems at company level by processes of containerizing and by removal of data holdings from local sites has hardly begun

Slow, complex and costly, linked to strategic overhaul at business level, IT security will have to be sustained without respite

It is hard to forecast how the software industry will respond to the demand for security services embedded in its clients’ core processes but, given the complexity of the challenge, vendor restructuring looks a fair bet


Cybersecurity in search of a business model

It would be presumptuous to come to any definite conclusion in terms of client expectations and of security provider services, at this early stage and in a fast evolving technological landscape

Clients are presumably confronted with the security risks and fully aware of the trade-offs discussed in our note. The impact on in-house security of new technologies – from 5G to Internet-of-Things (IoT) – and of subscription-based business models – transformative of the client-provider relation –  might still be under review in many companies, but we suggest defensive perimeters might become even more difficult to outline in a deeply inter-connected world

While the perception of pervasive risk exposure in a ‘porous’ data-driven environment may not change much because of technological advance, new core security priorities could emerge and take a front row seat – this will probably be true for the automotive industry as driver-assistance systems expose each vehicle to hacking with extreme consequences for the manufacturer’s reputation

Ever widening security perimeters, encompassing potentially the entire eco-system, are challenging for companies but possibly more so for the cyber security industry which has to anticipate security expectations


Preliminary conclusions can only highlight some of the current trends

  • Strong share performance has benefitted companies sharing a focus on big data cloud protection (Zscaler, Rapid7, Splunk) and privileged access security across the company’s eco-sphere (CyberArk)
  • Consistent with our general observations, the trends supporting big data protection and controlled access in a porous environment provide a reading of any cyber firm’s potential

For the vast pool of publicly listed and private cybersecurity firms, further factors stand out

Consultancies are bound to stay central in any transformative process involving each company’s operations to guarantee security of its core interests. Deloitte has clearly gained amongst the Big Four

Mergers and a shake-out of the sprawling security industry are a strong possibility, supported and engineered by private equity

Mergers of complementary firms to cover a broad range of security threats

  • the model was successfully implemented by high-flying Optiv Security, which resulted from a 2015 merger of Accuvant and FishNet Security and was subsequently bought by private equity firm KKR in 2017

Direct acquisition of a wide swath of cybersecurity firms, either private or listed, by private equity firms and by large tech firms

  • Thoma Bravo private equity stands out with the intent to create a cybersecurity powerhouse, by building up a portfolio of 19 cybersecurity oriented companies (out of a total portfolio of 35 companies), covering all market segments from consumer-oriented (McAfee) to data security (Imperva)
  • Elliott Management acquired Gigamon, a specialist in hardware traffic monitoring devices (2017), relying on the firm for further acquisitions in the security segment (such as threat detection specialist ICEBRG in 2018)
  • IBM, Cisco and AT&T are also active acquirers in the security segment