It's an interesting time to own cybersecurity stocks. The industry is growing fast as digital transformation sweeps across the globe, and investors in the companies that work to protect all the data that lives online have been richly rewarded over the past few years.
However, the torrid growth of cloud and edge computing and other digital transformations have left the door open to disruption, and numerous upstarts have taken the opportunity to win business at the expense of older security firms. There's no denying that the landscape for cybersecurity investing looks much different today than it did a decade ago, and it will likely look very different in another 10 years.
Blindly investing without knowing the underlying dynamics can be disastrous.
It's a complicated picture populated by both pure-play cybersecurity stocks (many of them young companies) and the larger firms that provide cybersecurity as part of a larger suite of services. This guide aims to simplify the matter and point you toward the best cybersecurity investments right now.
What is cybersecurity?
Cybersecurity is the science of keeping digital data safe and only in the hands of, and in front of the eyes of, those who should have access. Traditionally, cybersecurity consisted of a piece of hardware called a firewall as part of a business' server. A firewall monitors and decides what data is allowed in and out of network and what gets blocked. Think of it like the security check at the airport, monitoring luggage hiding dangerous items.
But the script has changed. The cloud -- data storage, apps, and computing processes done remotely at a centralized data center and accessed via the internet -- has altered both the workplace dynamic and the way companies do business with customers.
Employees can now access business apps from anywhere and from any number of devices, making a complicated mess of security and rendering a firewall in an office building useless. And customers are putting more and more data online as they do business with companies.
The amount of data online is increasing, a lot. And so is the need to protect all that data.
Digital transformation and how cybersecurity is contributing
Research from Global Market Insights says that the total cybersecurity industry will grow an average of 12% a year and reach $300 billion by 2024 and within the broad category are niches that can be growing even faster, including identity, authentication, and access management (IAAM) and security information and event management (SIEM).
Lots of cloud-native security start-ups -- offering software started and solely based on centralized data centers -- have popped up in the last decade or so to take on the new challenges presented by doing business in the cloud. Older firms slow to the punch have lost business at the hands of these upstarts, while others have been doing OK.
For example, Cloudflare -- which got its start offering internet security and website performance services -- recently had its initial public offering (IPO). The decade-old company hauled in $193 million in sales in 2018, and grew at a 48% year-over-year rate through the first half of 2019. With growth that high, Cloudflare is outpacing the industry average, which implies the small outfit is taking market share.
There are other firms, like Zscaler (NASDAQ:ZS), that act as cloud-based software web gateways to better protect modern business operations on the internet. Privately held and Goldman Sachs-backed iboss plays in the same sandbox. Rather than hardware-based security that only takes care of the office, cloud web gateways dwell in the cloud and thus follow users' devices, scrubbing and encrypting data in transit to and from the data center to ensure compromised information never makes it to the end user. While not investable yet, iboss CEO Paul Martini said in an interview that an IPO is in the works. Keep an eye out for that one in the years ahead.
As new players take the stage, older ones face change. Symantec, for example, founded back in the early 1980s, just had its enterprise security division bought out by semiconductor giant Broadcom. The remaining consumer-facing security unit is drawing interest from private equity firms. With the old guard in retreat and newer outfits taking the reins, here are the top places to invest in the fastest-growing segments of cybersecurity.
The top seven cybersecurity stocks
Appliance firewalls up their game
When it comes to disruption, some of the first outfits to displace the oldest segments of the industry were Palo Alto Networks (NYSE:PANW) and Fortinet (NASDAQ:FTNT). The companies got their start making hardware-based and software-based firewalls and antivirus tools (they were founded in 2005 and 2000, respectively), but have steadily expanded into other areas of the security market. The two firms now rank among the largest cybersecurity pure-play stocks on the market.
Once the disruptors, Palo Alto Networks and Fortinet have recently been facing disruption from upstarts. The cloud was barely in its infancy at the companies' founding, and newer cloud-only security businesses have been outpacing the two companies. That isn't to say they are dead in the water. On the contrary, they have both continued to put up solid double-digit growth for years, all while progressively adding new services like cloud firewalls, IAAM, endpoint security (for laptops, tablets, smartphones, and IoT devices), and SIEM.
Palo Alto, in particular, has been aggressively expanding within the industry. It has been purchasing smaller start-ups for years and bolting them on to its existing suite of products, a strategy that has yielded sales growth but nonetheless been met with criticism as it eats into the bottom line in the short term. CEO Nikesh Arora defends the strategy and says customers he speaks with have too many security vendors and are frustrated with the number of choices. Thus the need -- from Arora's point of view -- to create more of a one-stop shop. The acquisitions will therefore continue, and management has said it fully expects revenue to average about 20% growth over the next few years.
As for Fortinet, its founder and CEO, Ken Xie, expects his team's more conservative approach to expansion to yield lower-double-digit sales gains, but profit growth is expected to average well into the double digits for the foreseeable future. With both of these cybersecurity companies well established and successfully making the cloud and niche security product transition, they're a great place to start for investors looking to get in on the industry's growth.
Big data and how it fits in with cybersecurity
My next top cybersecurity stock, Splunk (NASDAQ:SPLK), didn't start out as a security company at all. The company is a big data analytics business, helping organizations turn massive amounts of unusable data into actionable insights. If it's an electronic system, it can be "Splunked." Everything from manufacturing facilities to call centers to payment processing systems generate data -- lots of it -- and Splunk helps businesses analyze the data to figure out what is happening and how to make improvements in operations.
As it turns out, the ability to gain insight on operations and monitor digital systems in real time lends itself particularly well to cybersecurity. After making a few key acquisitions in 2017 and 2018, Splunk turned its big-data-parsing software into a full-blown security outfit -- one that has put up sizzling growth figures ever since. Specifically, the system harnesses artificial intelligence (AI) and machine learning -- a branch of AI discipline -- to manage and automate the security process for IT teams at large organizations. Known as security information and event management (SIEM) and security orchestration, automation, and response (SOAR), Splunk bought its way into a leadership position in one of the fastest-growing segments of the antihacker industry.
In fact, according to Gartner, 30% of IT teams larger than five people will utilize SOAR tools by the end of 2022. As of this writing, the estimate is that only 5% of IT teams put the technology to use. It's a potentially huge growth driver that complements Splunk's already-fast-moving business analytics and big-data business.
Betting big on the cloud
As cloud-native platforms, Zscaler and CrowdStrike Holdings (NASDAQ:CRWD) are much newer to the cybersecurity game. The two firms were founded a mere decade ago in 2008 and 2011, respectively. Nevertheless, they have quickly grown into two of the largest cybersecurity stocks on the market -- although they bring in far less revenue than either Palo Alto or Fortinet.
That could change in the years ahead, though. Zscaler, which provides secure web gateways and went public in 2018, saw a 60% jump in revenue for the year ended in July 2019. Management has indicated it will keep its foot on the gas and maximize growth as the cloud continues to expand. Estimates vary as to how big the cloud market will get in the next few years, but the consensus is for hundreds of billions of dollars spent every year. With so much business computing getting moved off-premises and into remote data centers, it doesn't seem so farfetched that Zscaler anticipates its own sales growth to grow by double digits every year, too.
There have been concerns that the competition is heating up, though. Palo Alto Networks has been boasting fast progress with its new cloud products, and Arora and Zscaler CEO Jay Chaudhry even exchanged verbal shots on their quarterly earnings calls about displacing each other when customer account renewals come up. For now, there should be plenty of new opportunity to go around.
Zscaler, the previously mentioned iboss, Palo Alto, and others are using web gateways to take care of data in transit, but there's another cloud business of securing the devices themselves. Because data-center-driven computing enables data and app access anywhere, the movement overlaps with the IoT (or Internet of Things) boom -- the millions of new devices every year getting hooked up to the internet.
That's where CrowdStrike comes in. CrowdStrike offers a platform for endpoint security, which protects the devices themselves that hook up to networks. Estimates again vary, but some analyst expectations are for the number of connected devices to increase by several billion over the next decade. It's an obviously huge opportunity for CrowdStrike and the myriad other cybersecurity plays in the game. Palo Alto and Fortinet, for example, have added endpoint security to their suites of software.
Before it went public in July 2019, CrowdStrike opened its books to investors to show that revenue had at least doubled in each of the three years prior to its debut. That trend of doubling has thus far continued since the IPO, with CrowdStrike picking up new customers and existing customers spending even more money with the security firm as time goes on. That's due to businesses adding new connected devices. With a long runway ahead of it, this endpoint security stock looks intriguing for investors interested in high growth.
Identity protection pure plays
Let's finish out with IAAM, which ensures that an organization's data and apps are only accessible to those on a need-to-know basis. Obtaining login info is a big win for the bad guys, so keeping credentials on lockdown has become a top priority in recent years as businesses transfer operations and information onto the web. Two main components of IAAM are privileged account management (PAM) and identity access management (IAM) -- the former protecting specific, highly sensitive accounts (like logins for upper management) and the latter geared toward providing access to business systems to all employees.
The two are often paired together to create a comprehensive system of tiered access to an organization's systems and processes. In fact, CyberArk (NASDAQ:CYBR), which focuses on PAM, and Okta (NASDAQ:OKTA), which focuses on IAM, can integrate their services with one another if a customer chooses to do so to create a well-rounded IAAM security strategy. The two firms are the leaders in their respective niches.
IAAM hasn't looked like a niche service in recent years, though. Global Market Insights is calling for identity management to grow an average of 17% a year through 2024 into one of the largest subdisciplines within cybersecurity. Though CyberArk has been around since 1999, it has had its sales accelerate by double digits in recent years, and management foresees the trend continuing. Okta, which was only founded in 2009 and is one of those cloud-native companies, has quickly grown into a top 10 largest security pure-play stock, as measured by market cap (price per share multiplied by the number of shares outstanding), with sales growing over 50% a year the first couple of years after its 2017 IPO. Okta's team has similarly forecast continued rapid expansion rates.
In fact, CyberArk founder and CEO Udi Mokady highlighted on a recent earnings call that IAAM is growing so fast because identity-based breaches at businesses are on the rise, and government regulators are cracking down with big fines. Some of those levies have tallied to nine digits. It's not exactly the kind of negative-reinforcement-driven behavior anyone wants to see behind a growth trend, but it nevertheless illustrates why identity management can keep growing so fast for so long.
Who should buy cybersecurity stocks?
Cybersecurity is a fast-growing area within the greater technology movement. Companies are spending and it's obvious that investors want in, but a few notes of caution are in order.
Most of the aforementioned cybersecurity stocks are aggressively maximizing sales growth, purposefully keeping profits to a minimum or using up cash on the balance sheet to do so. Aggressive growth stocks like this can be especially volatile, with huge double-digit swings -- either up or down -- par for the course. Only investors who can stomach the volatility should buy in and it makes sense to keep cybersecurity plays balanced in your portfolio with less volatile investments.
Another risk is that, because of the changing tech landscape, dozens of new cybersecurity outfits are springing up to constantly challenge the incumbents. That creates risk for investors if the new competition means existing cybersecurity plays aren't able to meet their sales goals. Eventually, a period of industry consolidation will ensue, and to an extent that has already begun (like in the endpoint security space where BlackBerry purchased Cylance and VMware took over Carbon Black). Put simply, no one can say for sure which companies will remain standing in a few years' time and which will perform the best.
Thus, the best strategy is to buy a little bit of all of these top stocks and add to the positions -- like on a recurring monthly or quarterly basis, or every time there is a dip in valuation. This helps mitigate the risk involved with buying highly erratic company shares. For a more in-depth look at investing in cybersecurity stocks, check out this linked page.
In summary, cybersecurity is a fast-growing industry, but one also undergoing big changes. Investors would be best served buying into the disruptors leading the charge, and then strapping in for the long haul. No matter what happens, at least one thing seems certain: Cybersecurity will be a much larger market 10 years from now than it is today, and patience is sure to be rewarded.