Cybersecurity: the next generation

Opinions expressed whether in general or in both on the performance of individual investments and in a wider economic context represent the views of the contributor at the time of preparation.

Executive summary: More than $55bn is spent annually on cybersecurity. Yet it still yields ineffective defences, with cybercrime having cost the world economy over ten times this figure ($575bn) last year, equivalent to more than 1% of global GDP. There is, however, a solution at hand. A combination of increasing processing power and cheaper storage costs means that ‘next-generation’ cybersecurity businesses are deploying artificial intelligence and machine learning as proactive, predictive and preventive tools, with much higher success rates than legacy systems. The market for next-generation cybersecurity solutions is correspondingly expanding at ten times the rate of general cybersecurity spend and could be worth at least $7bn by the end of the decade. Many new players have entered this sphere creating a range of opportunities for both public and private investors. Our preferred approach for gaining exposure to the theme is via UK-listed Sophos, a holding in the Future Trends Fund.

By the time you have finished reading this document, roughly 150 people will have been a victim of identity theft.1 Since we last wrote on this topic in 2014, the number, scale and complexity of cyberattacks on both individuals and organisations has grown exponentially. The WannaCry and NotPetya attacks have brought the issue firmly into the public domain. High-profile organisations including the UK’s National Health Service, Deutsche Bahn, Renault, WPP and BNP Paribas saw their defences breached and services impeded. More starkly, since the start of this decade, there has been a 60% compound annual growth rate in cybersecurity incidents globally (per PWC), while at least 80% of European companies experienced some form of breach during 2015 (the last year for which the data is available, per the European Commission).

The bad news is that over $55bn is spent annually on cybersecurity software and services, yet it still yields ineffective defences. Furthermore, it is necessary to accept that cyberattacks are inevitable; they are the corollary of living in a world defined by connectivity. Mobile devices, social networks, the burgeoning internet of things and increasingly embedded and interlinked systems have transformed society – it is now possible to be virtually anywhere and connect with almost anyone.

Historically, attackers were largely creatures of opportunity, seeking the path of least resistance in order to achieve their ends. Now, the landscape has changed. With the digitisation of corporate assets (intellectual property, customer records, financial statements etc.) and personal information, there is a growing presence of highly motivated professionals looking to penetrate networks for monetary gain. These are often well-funded by criminal organisations. Moreover, increasingly nation states are leveraging cyber-vulnerabilities to disrupt or gain proprietary information for economic and/or national security purposes.

The scale of the problem is staggering. To give some context, over 1m new malware threats (malicious software or code that typically damages or disables, takes control of, or steals information from a computer system) are released daily, while ransomware attacks (software that is designed to block access to a computer system until a sum of money is paid) have jumped 50% in the last year and 160% over the past two, per data from the Ponemon Institute, a research organisation. Dealing with the problem is also expensive: the median cost of a cybercrime for a US business is $11m (data again courtesy of Ponemon), while the Centre for Strategic and International Studies has calculated that cybercrime costs the world economy some $575bn, equivalent to over 1% of global GDP.

Against this background, there is a clear and pressing need to derive new solutions for dealing with such emerging threats. The traditional – or ‘old world’ – approach simply does not work. Conventional network and security solutions based around firewalls and intrusion prevention systems were never designed to meet the challenges of advanced attacks. Such systems are reactive: they are able to deal with what has already been seen, experienced or known – but not with new threats. By definition, this is highly limiting.

The good news is that there is now an alternative: a new technology paradigm for cybersecurity is emerging based around artificial intelligence and machine learning. Under such an approach, software can make a ‘choice’ about something it has never seen before and therefore be proactive, predictive and preventive in dealing with cyber-threats. The ecosystem is self-sustaining: to learn, it must observe; to observe it must know what to look for; to know what to look for, it must have previously learned. Such approaches have, of course, been tried in the past, but failed for a variety of reasons: either sufficient data samples were lacking, algorithms were too imprecise or costs were too high. Now, with the advance of technology (faster processing power, better memory, cheaper storage), all of this has changed. Cylance, a leading business operating within the field, estimates that using an AI-based approach to cybersecurity can prevent 99% of existing and never-before-seen malware threats. This compares to a c60-70% success rate for traditional cybersecurity approaches (per Frost & Sullivan, a consultancy).

There is no common definition for next-generation cybersecurity given both the complexity of the market and the fact that some of the underlying technologies and techniques have been around for the last decade. Nonetheless, it broadly relates to behaviour detection and threat containment using algorithmic techniques, aiming for accurate and resilient real-time protection in the face of constantly changing threats. The process works using a combination machine and algorithmic science, data sourced from millions of end-points (computers or mobile devices) and a lot of computing power. Artificial intelligence and machine learning can look deeper and faster than is humanly possible, thereby generally avoiding the faults, errors and omissions caused by non-machine based security systems.

With only 7% of organisations ‘extremely confident’ of their IT security protocol (per a 2017 survey by Check Point) and with Chief Information Officers citing cybersecurity as their second highest spending priority (after cloud computing, per a recent study by Morgan Stanley), growth in expenditure on next-generation cybersecurity software is likely to accelerate. The $55bn cybersecurity market is currently expanding at a rate of 6-7% p.a. – implying that the overall market could be worth at least $72bn by the end of the decade – yet Sophos (another leading player in providing new services) estimates that the market for next-generation solutions is growing at ten times this rate, albeit from a much smaller base.

Looking ahead, it is conceivable that within the coming years, artificial intelligence and machine learning will be the sine qua non of cybersecurity software provision. In other words, their presence will be so integral and ubiquitous that the term ‘next-generation’ may no longer exist. A valid analogy might perhaps be with Satnav in cars: historically, customers used to pay extra for this service, yet it is now commonplace and broadly accepted. For the cybersecurity industry, there is a clear opportunity cost attached to not participating in the provision of next-generation services – namely, increasing irrelevance as a vendor. Such a view is endorsed by BTIG (a research house), which estimates that corporates’ expenditure of next-generation services will account for at least 75% of overall security spending before the end of the decade.

While the prospect of a world free (or freer) from cybersecurity threats is a tantalising one, there are a number of important challenges that need consideration. The first relates to proof of concept: next-generation services can only be good as the data they get given. In other words, large data sets are required. More fundamentally, software code is inherently vulnerable – there is no silver bullet for all threats. Even if 99% protection is provided, 1% of threats will still get through. Furthermore, a global network that is approaching the complexity of a human’s biology may, ultimately, not be securable because of its very nature – just as a human can never be free of all illnesses. Next there is the issue of human capital (or available, metaphorical doctors): with close to 0% unemployment for security professionals and a projected 37% increase in demand for information security analysts over the next decade (per the US Bureau of Labour Statistics), skilled professionals will remain a scarce resource. Not all organisations will be able to afford them.

In addition, most investors lack a clear understanding of how the market will evolve. The increasing prioritisation of cybersecurity expenditure for businesses and individuals is evident, given the well-publicised threat environment. What is less evident, however, is how the threat environment impacts the size, strength and vendor footprint of the security technology and services market, and also markets beyond technology. Chief Information Officers need to increase the cybersecurity budgets, but they also need to spend effectively.

From an investment perspective, we would highlight the following three crucial observations: it is not always obvious which vendors have the most effective technologies/tools/solutions – one size does not fit all; the rate of change within the industry is very rapid, so today’s leading technologies may not be tomorrow’s; and, just because companies have leading technologies, it does not mean that they are always good investments.

What does at least seem evident, however, is that there will be more industry consolidation. There were 137 cybersecurity M&A transactions in 2016 totalling $20bn, while an additional $10bn was invested by private equity in the field in the past year (per Momentum Partners, a VC firm). Furthermore, at present there are at least 30 players active within the next-generation market (per AGC Partners, another VC player), with the vast majority of these businesses still unlisted. Leading private players include Carbon Black (founded in 2002), Tanium (2007), CrowdStrike (2011), Cylance (2012) and SentinelOne (2013). In addition, Sophos provides a listed way for investors to gain exposure to the next-generation theme. Capitalised at £2.3bn ($3.0bn), Sophos offers its customers a single and consistent cloud-based platform with next-generation end-point solutions. The recent acquisition of Invincea should also boost further its AI capabilities. Given the importance for all businesses to secure themselves, expect more growth (and further deals) within the field.

Alexander Gunz, Fund Manager, Heptagon Capital