What You Need to Know About Investing in Cybersecurity

There have been many headlines in the past decade about cybersecurity breaches and hacks -- not the least of which was the one that led to Target paying out nearly $300 million to cover damages.

Attitudes around online security are rapidly changing, as companies all over are waking up and starting to deal better with e-security. As a result, the sector is projected to grow to more than $170 billion by 2020.

In this clip, The Motley Fool's Chris Hill and David Kretzmann talk about the recent past and the promising future of cybersecurity providers.

A full transcript follows the video.

This podcast was recorded on 12/3/2015.

Chris Hill: Target has agreed to pay $39 million to settle claims related to the data breach in 2013. $20 million of that goes to the banks, $19 million to reimburse MasterCard card issuers. Earlier this year, Target reached a similar settlement with Visa.

And all told -- this is a little surprising to me -- all told, the company has said that they have spent nearly $300 million related to this data breach. And all I can think, David, is, I have to believe that at least one executive at Target is pounding the table, saying, "I told you for three, four, five years, I told you we should be spending more on data security." I mean, hindsight is 20/20, but don't you think that they could have paid a fraction of this amount, and made their security much much greater?

David Kretzmann: Certainly. Cyber security, I think, for that reason, is growing really quickly now. The global cyber security market right now is growing at about a 10% pace each year, and it's expected to grow to more than $170 billion in size by 2020. So, clearly, there's a lot of tailwinds behind that market as more companies recognize the risk. They don't want to be in the headlines like Target or Home Depot or Sony or even the federal government with the Office of Personnel Management earlier this summer, who had a massive hack.

So, in Target's case, they lost $40 million in credit and debit cards, and those were vulnerable for theft. And that obviously puts your customers at risk, it puts your brand reputation at risk, and certainly, the cost could have been a lot less than $300 million if they had been a bit more proactive in their security management. Part of the issue with, when we're talking about cybersecurity, a lot of the focus is placed on what we call "the firewall," it's like the perimeter around the network of a company.

But once a hacker gets through that network, and you can do it by accessing the credentials of a vendor, like with Target or Home Depot, then they can access your network, penetrate that firewall, or that perimeter around the network, and all of the accounts within that network don't have very much security. So, for example, if you have an administrative account, you might have 20 or 30 employees who all have access to the account, with the same password. So, if you're a hacker, as soon as you get that password, you blend right in with the employees. There's no way to tell that someone actually hacked the system.

And then you have massive data breaches like this. So, you have some smaller companies like CyberArk (CYBR -3.42%), which is focused on securing those internal accounts, they're also called privileged accounts. So, really, the cybersecurity landscape is really evolving and expanding very quickly.

And I think companies are recognizing now that it's not just a matter of regulatory compliance anymore. I think, maybe 10 or 20 years ago, that's what people thought about when they thought about cybersecurity, and that's how companies treated it. But now, they recognize, we have to be proactive with this. So, thanks to these big companies taking the hit in the headlines, I think companies are becoming more proactive.

Hill: When you look at a company like FireEye (MNDT), which is very much in the business of cybersecurity, and the fact that their stock has been cut in half over the last 12 months, more so, as an investor, if you think, "OK, I hear everything David's saying, this is a space I want to look at." Is the risk and reward much greater for a FireEye than it is for a company like, say, Cisco Systems (CSCO -0.52%), which is a behemoth, and has deep enough pockets to be able to throw more money at this than FireEye ever could?

Kretzmann: Sure. There's a wide array of companies on this spectrum. So, you have some of the smaller companies like FireEye, versus some of the larger companies like Cisco or, Check Point is another one. Just companies that are turning out a huge amount of cash. They're not growing as quickly like companies like Palo Alto Networks (PANW -2.48%) or FireEye, but they're also not losing gobs of money like Palo Alto and FireEye.

So, you definitely have to evaluate that. You definitely don't want to go all in on, probably, any one of these companies, especially with those younger, newer companies, which are really focused on R&D, they're hiring a lot of people, they're spending a lot on marketing, they're not making money today. So, obviously, that amplifies the risk a good deal.