Data security has been a major area of interest and investment over the past decade, but it's been a tough place to be an investor. Though industry leader Symantec (NASDAQ:SYMC) is up more than 850% in the last decade, if you had invested in some of the other leading players, like McAfee (NYSE:MFE) or Internet Security Systems (NASDAQ:ISSX), you'd be just about breaking even right now. As the industry continues to mature and consolidate, I believe that the gorillas of the industry, such as Symantec, McAfee, or Check Point (NASDAQ:CHKP), are the best places to invest.
Evolution of a con
Hacking, cracking, phreaking, phracking, phishing, scripting, virii, bots, Trojan horses, worms, sniffers, exploits, and wardialing -- call it what you will, it's just as unpleasant. If you mentioned a hacker ten years ago, you were generally talking about a bug-eyed thirtysomething nerd or outcast teenager who wanted to impress other web denizens by replacing 3M's website with something like "D3struct0 Cr3w Rul3zzz" or "U h@v3 b33n h@ck3d by Wh1t3R@bb1t." Of course, virii (the hacker-ese plural of "virus") have always represented a more malicious part of the hacking underworld, but back then, even virii were generally more about bragging rights than wreaking real havoc.
As we place more and more valuable information on the Web, breaking through security measures to gain access to that information has become a very lucrative business. The faces behind hacking have quickly changed from thrill-seekers, anarchists, and intellectual showoffs to criminals interested in sensitive corporate information, credit card numbers, bank account access, and personal data like social security numbers. The compensation that a hacker expects from his or her trade has gone from the simple sweet taste of victory to thousands or even millions of dollars.
Taste the rainbow
Just as there's no single flavor of Internet evildoer, there's no single flavor of attack used to cause chaos on the web. Today's attacks still include time-honored favorites like virii and hacking, but they are joined by a host of other threats, including bots, scripts, spyware, adware, spam, and social engineering.
As the data-security industry evolved, many companies were born to combat individual types of security threats. McAfee and Symantec were initially known for their antivirus tools. Other companies such as Netscreen, which was later acquired by Juniper (NASDAQ:JNPR), focused on firewalls, while firms like Brightmail, which was purchased by Symantec, fought spam emails.
Though data security is arguably more important today than it was back then, the industry is having increasing trouble supporting companies that target a single category of threat, no matter how effective their products. Putting a good security scheme in place is troublesome at best, and few corporate chief technology officers enjoy the additional worries of having to manage separate software or hardware for their firewall, virus-scanning, VPN, spam, spyware, policy, and intrusion-detection and -prevention needs. So now, the name of the game is assembling security packages that integrate all of the facets of data security, or, even better, offer full implementation and management of a total security package.
Gorillas in the mist
Security "point products" have fallen out of favor, and many companies with traditional strengths in a single category, such as Internet Security Systems with intrusion detection and prevention or Tumbleweed with mail security, are trying to expand their product offerings to provide end-to-end security. The middle market already contains numerous companies scrapping for customers, including ISS, Tumbleweed, Secure Computing, Websense, SonicWALL, and WatchGuard. As the larger security players continue to broaden their services, and other mainstream information-technology behemoths move into security, it will be even tougher for these smaller players to make ends meet.
The biggest, best-regarded companies with the best-integrated software packages will benefit most from big companies' security spending. In the world of stand-alone security companies, these include Symantec, McAfee, Trend Micro (NASDAQ:TMIC), and Check Point. Now that protecting internal systems is more a matter of preventing millions of dollars of data theft than it is preventing nuisance, companies and consumers alike are less likely to take a perceived gamble on a lesser-known security company. Though smaller private companies like Panda Software and Fortinet or open-source solutions like Snort have garnered some attention, it's typically easier for a CTO to explain to the CEO that an attacker breached a full Symantec system, rather than a free open-source product.
Along with the gorillas of the security industry, titans from other industries have been encroaching on the space over the past few years. Most recently, EMC (NYSE:EMC) snapped up RSA Security, but Microsoft, Juniper, Computer Associates, 3Com, and Cisco have also made some major security acquisitions. Larger acquisitions, like EMC's RSA deal or Juniper's 2004 acquisition of NetScreen, can be more difficult to integrate, but the market has definitely been sensitive to the potential for players like these to build security capabilities into their products, siphoning business from the stand-alone security players. I think that such fears are overblown, but I do think the increasing competition will contribute to the pressure on the lower- and middle-market companies.
The h@ck3rs will be crushed
Now there's some wishful thinking. It's doubtful that there will ever be a clear winner in the war against online malcontents. As long as a data-security company can hire a Ph.D. to write an encryption algorithm, there will be crime rings out there willing to pay another Ph.D. a hefty sum to find its holes. That said, since there's no indication that individuals, financial institutions, and other businesses and corporations plan to reduce their exposure to the Internet, there should be a continued demand for products that will keep their virtual valuables secure. Looking ahead for the next decade, I'd recommend that investors who want to secure returns from data security should climb on the back of one of those 500-pound gorillas.
We've secured further Foolishness:
McAfee is a Motley Fool Stock Advisor pick, while Microsoft made the cut at Motley Fool Inside Value . For even more superior investing advice, try any of our market-beating Foolish newsletters free for 30 days.
Fool contributor Matt Koppenheffer does not own shares of any of the companies mentioned and obtained none of the information in this article through hacking. He always encourages c0mm3nts. The Fool has an ironclad disclosure policy.
