• My top three cyber stocks
  • The new vanguard

No apologies for coming back to cybersecurity today. It’s a vexed and confusing subject for investors as I understood from talking to a cross section of VCs and fund managers over the last six months.

The $80 billion global cybersecurity sector is shaking out, ever more vigorously and is brimming with logical take-outs.

Having done the due diligence, I’m convinced of three things…

  • This shakeout will last five years
  • The big vendors will control 40% of the market by then
  • Four AI startups threaten the legacy companies

The immediate problem is that the world is under a sustained cyber attack and not just from the Russians meddling with US elections but also from small teams of crack hackers or individuals, able to acquire the tools of the trade from the dark internet, and with the skills to breach systems and networks anywhere, often via a single mobile device.

The ‘attack surface’ is vast and further extensible with IoT, the attackers so sophisticated and well armed and the defences so last generation that breaches will keep on rising, increasingly to lurk, disrupt and steal, often undetected, for months even years, within government and corporate networks.

Most breaches are an “inside job”

ADVANCE TO GO WITH RUSSIA US CLINTON FILE In this file photo taken on Saturday, Sept. 8, 2012, Russian President Vladimir Putin, left, meets U.S. Secretary of State Hillary Rodham Clinton on her arrival at the APEC summit in Vladivostok, Russia. During her recent acceptance of the Democratic party nomination to run for the U.S. presidency, Clinton said Russia is an enemy and cannot be trusted, a statement which clearly stung the Kremlin and seems to have heralded a new era for the coming presidency if Clinton wins. (AP Photo/Mikhail Metzel, pool, FILE)

The fact of the matter is that all breaches are more or less ‘inside jobs’ due to internal, supplier or customer mischief or malevolence or more often a lack of ‘cyber hygiene’ within organisations.

Every major and not so major company or organisation should assume it has been breached, is being breached and will be breached. Lloyds of London estimates that cyber attacks cost global business loses at least $400 billion a year.

And, as Kevin Poulsen has pointed out, this will go on rising as long as the assets the cyber-attackers are targeting are more valuable than the cost of getting them.

The solution?

The emergence of a new cybersecurity industry employing big data analytics, deep learning, collaborative networks and technology able to detect and collate low frequency data.

This is being led by big IT platform vendors, notably IBM, Cisco and Microsoft and such high octane AI architected disruptors as Splunk, Darktrace, Palantir, and Illusive Networks — snapshots below.

So is the sector bid or offer?

It’s tending offer.

I see a strong case for forecasting that the top four vendors IBM, Cisco, Microsoft and Symantec will control over 40% of a market turning over at least $120 billion a year by 2020 vs less than 25% today.

This will be due to a growing raft of acquisitions, roll-ups and bankruptcies over the next five years.

Cisco alone has already spent nearly $2 billion making 24 acquisitions over the past eighteen months. Microsoft and IBM have made over a dozen acquisitions each.

These big platform suppliers and a handful of explosive start-ups will develop the technologies and methodologies needed to build up the countervailing power to the cyber-criminals, state sponsored and otherwise, currently lacking. But it’ll probably take at least five years to achieve a power balance.

Snake oil atmosphere has to clear

Right now, the sector is oversupplied, over capitalised, generally ‘unfit for purpose’ and only has three large caps — each only just qualifying as a large cap — among the top 20 US listed ‘pure play’ cybersecurity companies.

Much of this stems from a crazy period in 2014/2015 when there was a panic reaction to a series of high profile cyber breaches at, among many others, JP Morgan, Sony, The US Government Personnel Department, TalkTalk.

The buy side went on a spending binge of $150 billion over the period, venture capitalists poured billions, almost uncritically, into what suddenly became the ‘hot sector’ du jour, and the majority of legacy cybersecurity companies threw cost controls to the wind.

Inevitably, there was a ‘snake oil’ sales atmosphere and the sector temporarily became a crowded trade with some stocks rising 50%, since given back and more in some cases.

si13-10-16b_opt

The base problem was that much of that spending was slapdash and went on buying patchworks of ‘oversold’ and largely ineffective anti-virus and firewall products from multiple suppliers–some large companies had up to a hundred vendors–which proved almost impossible for straitened IT security departments to manage, not least given the pure volume of alerts and false positives sparse cybersecurity staff had to chase up.

The reality has sunk in that what is needed is ”better’ not ”more” security–more platform based and from fewer vendors. The vendor lists are now being actively trimmed and the more and more vendors are claiming to offer platforms rather than ‘point’ products.

My top three plays

Inevitably, there has been a technical recovery from the dramatic sell off between last July and this April and I believe the following companies are worth investor investigation at this stage.

I focus on the ‘pure play’ cybersecurity companies amid the rising tempo of M&A. Here are my top three to look at, which include two of the sector’s three large caps.

<> Symantec — the industry veteran and the biggest of the ‘pure play’ companies, known for its Norton anti-virus business is fast reinventing its core Norton business. It invested $4.65 billion earlier this year to acquire high-flying networks and cloud security company Blue Coat. In the process it acquired Greg Clark — widely regarded as one of the finest strategists in the business. Clark is now CEO of Symantec and is building out a platform, almost certainly with the help of further acquisitions to replace 8-10 vendors at a customer site with a broad-based offering. He was plenty of financial fire power
behind him.

<> Check Point Software — in a sector not known for prudent management Israeli based Check Point is a standout. Its founders Gil Shwed and Marius Nacht hold 30% of the equity and firmly impose cost control over growth as the priority. Nonetheless,the business is growing at 9% pa and as a result of its strong management returns robust and consistent profits.

<> CyberArk — a small cap specialist in the key area of privileged access ID management. Over 90% of cloud attacks are down to privileged access breaches. The company sports BT, Barclays, Novartis and Deloitte among its blue chip clients. One of the most logical take outs in the sector.

The new vanguard

And I think there are three very clever start-ups developing next generation technologies…

<> Palantir — in the forefront of the business of mining massive, dispersed datasets and connecting the dots of almost invisible but highly significant low frequency data. Valued at $20 billion and funded by PayPal founder Peter Thiel, the CIA’s investmentarm Q-tel and ex Soros partner Stanley Druckenmiller.

<> Darktrace — co-founded by Mike Lynch of Autonomy fame in 2013, has attracted over $100 million in funding from Lynch, KKR and Softbank and is valued at $400 million. Its technology was built in part by former members of M15 and GCHQ and uses unsupervised machine learning algorithms to train themselves to find abnormalities in networks. Darktrace, among others, is leading cybersecurity into a battle between ‘white hat’ and ‘back hat’ AI.

<> Illusive Networks — This Israeli start-up introduces guile and table turning to the fray by installing decoy data on to laptops, DTs, and servers and false information about the victim’s network resources.

I especially like the look of Nasdaq listed Splunk, which is widely perceived to be the leader in middleware that extracts operational intelligence from huge volumes of fast moving machine generated data. You can read full my report on Splunk here.

The issue with AI systems, of course, is that they can be stolen as well.

Recently computers scientists at Cornell published a paper titled “Stealing Machine Learning Models”, which details how they reverse-engineered the most sophisticated black box systems used by Amazon by simply sending them queries and analysing the responses.

In prospect: AI competing with AI in an escalating struggle.

Along with robotics, broadly defined, and genetics I see cybersecurity as becoming one of the great growth industries of the future once the rationalisation that currently underway has licked the industry into a better shape.