The WannaCry ransomware attack recently hit computers in 150 countries, locking up computers from over 10,000 organizations and 200,000 individuals. The attack -- which targets Windows XP and other Windows versions that weren't updated with the latest security updates -- encrypts a user's hard drive and demands a ransom payment of $300 in bitcoin to decrypt the data.
The rapid spread of the attack highlighted two serious flaws with how organizations handle cyber threats. First, many organizations still use Windows XP, presumably to avoid the headaches and expenses of upgrading, even though Microsoft (MSFT 0.68%) officially stopped supporting the OS with security updates three years ago. Second, organizations which were hit by ransomware attacks continue paying the attackers to get their data back -- which likely encourages future attacks.
These bad habits won't change overnight, but devastating attacks like WannaCry should convince organizations to pay a premium for better cybersecurity services. That's why research firm Markets and Markets estimates that the cybersecurity market will grow from $122.5 billion in 2016 to $202.4 billion by 2021. Let's examine three companies that could ride high on that growth -- FireEye (MNDT), Palo Alto Networks (PANW 2.87%), and CyberArk (CYBR -0.42%).
FireEye's on-site appliances and cloud services detect and stop threats before they breach an organization's network perimeter. The company serves over 5,800 customers in 67 countries, including over 40% of the Forbes Global 2000. The company mainly serves large enterprises in the U.S., but it's planning to expand globally with new services for businesses of all sizes.
Over the past few quarters, FireEye has been pivoting away from slower-growth appliances to subscription-based cloud services. The core components of that push include Helix, a unified platform that merges FireEye's threat prevention, MVX engine, iSight intelligence, and analytics services into a single interface; and HX, a next-gen next-gen service that protects network endpoints from malware.
Wall Street expects FireEye's revenue to rise just 2% this year, due to its transition from appliances to cloud services. But after moving past that transition, FireEye's revenue is expected to rise 9% in fiscal 2018. FireEye isn't profitable by either GAAP or non-GAAP metrics yet, but it hopes to achieve non-GAAP profitability by the fourth quarter of this year.
Palo Alto Networks
Palo Alto Networks is the market leader in next-gen firewalls, which strengthen traditional firewalls with network device filtering tools. The company serves over 37,500 customers in over 150 countries, including over 85 of the Fortune 100 companies and half of the Global 2000.
Like FireEye, Palo Alto has been bundling multiple services into a single platform, dubbed the Next-Generation Security Platform, which simultaneously protects network endpoints, data centers, and cloud-based environments. This platform could widen Palo Alto's defensive moat against bigger tech companies, which frequently bundle comparable security products with their enterprise hardware and software.
Analysts expect Palo Alto's revenue to rise 25% this year. It's also profitable on a non-GAAP basis, and its earnings are expected to rise 49% on that basis. But on a GAAP basis, which includes hefty stock-based compensation expenses (31% of revenues last quarter), it remains deep in the red -- so investors should be wary of that disparity.
While FireEye and Palo Alto focus on external threats, CyberArk protects organizations against internal threats, like careless or disgruntled employees. When CyberArk's Privileged Account Management (PAM) products detect internal attacks or breaches, it quarantines the computer and the affected network.
Markets and Markets believes that the PAM market will grow from $922 million in 2016 to $3.79 billion in 2021 -- easily outpacing the growth of the broader cybersecurity industry. The company currently serves more than 45% of the Fortune 100 and 25% of the Global 2000, and is widely considered the leader of the PAM market.
CyberArk expects its revenue to rise up to 25% this year, but its earnings are expected to decline due to higher operating expenses and the costs of integrating Conjur, a DevOps software provider it recently acquired. Despite those headwinds, CyberArk remains one of the few cybersecurity companies which is profitable by both GAAP and non-GAAP metrics. That's mainly because it uses a much lower percentage of its revenues (9% last quarter) to cover its stock-based compensation expenses than most its industry peers.
Should you buy these three stocks?
These three cybersecurity stocks can be volatile investments, but I believe that they will all gradually trend higher over the next few years as cyberattacks intensify. They're not ideal core investments for a retirement portfolio, but I believe that investors should keep some extra money in these cybersecurity plays as long-term side bets.