As the increasingly digital world transforms the way we live, the bad guys are changing how they live and work, too. That means cybercrime is on the rise around the globe, both in frequency and in complexity. In fact, according to a 2018 study conducted by security outfit McAfee, cybercrime costs an estimated $600 billion a year -- just shy of 1% of global GDP (the value of all goods and services provided in any given year). 

That enormous cost has put companies, government entities, and other enterprises under pressure. Protecting their own sensitive information and keeping customer data safe and secure are top priorities in today's digital age. A breach in security can lead to lost trust, lost credibility, and ultimately lost business.

Enter the cybersecurity industry, a service sector that is growing and changing fast to keep up with online threats. Since it doesn't produce a tangible good or service the everyday consumer can recognize, cybersecurity doesn't make for the sexiest of technological investments. And the rate of change required to stay ahead of those with nefarious intent means investing in cybersecurity companies can be tricky.

Still, there's no doubt investors are keen to get in on this growing sector of the economy. And there are plenty of investments from which to choose.

All sorts of businesses are lining up to keep the digital world safe. Some offer security as part of a larger technology offering, while others make cybersecurity their one and only focus. The type of cybersecurity also differs, with some companies working to offer a comprehensive software package to keep data secure, while others aim to solve a specific pain point with software for login security or device security.

With attacks via the internet not going away anytime soon, investors looking to make money from the trend should look at investing in the stocks of cybersecurity-only companies to maximize growth potential. Read on for an in-depth look at how to invest in cybersecurity stocks.

The basics of analyzing cybersecurity companies

Investing in cybersecurity stocks, especially those representing companies that are solely focused on cybersecurity, is not as simple as picking the companies posting the largest sales growth. Many outfits that make cracking down on cybercrime their only endeavor are not yet profitable, so understanding a few less obvious measures is helpful.

Generating income and holding onto it

Revenue (money earned for providing a service or selling a product) is of course the logical place to start, but gross profit margin is important to look at, along with the top line. Gross profit margin subtracts from revenue the cost to provide a service or the cost to produce and sell a product. The larger the gross margin, the better; that means the company keeps more money. Software-based services generally scale to a higher profit margin than hardware sales because the product is produced once and can be sold countless times after that (versus hardware, which needs to be manufactured for every customer). Thus, as cybersecurity is basically a software industry, many cybersecurity companies have the potential to become lucrative businesses.

However, developing software is expensive up front and doesn't start paying off until enough customers sign up for the service. Newer companies will thus typically have lower gross margin than established companies as they make less money and have to spend more to acquire customers -- making fast revenue generation an important factor to consider when looking at small start-up cybersecurity companies.

Not all services are created equal

Then there are the specifics surrounding how a company gets paid. Most cybersecurity companies break revenue into two basic categories: (1) subscriptions and (2) support and professional services.

Subscription revenue (sometimes called product or software revenue, as the category covers recurring service delivered via a piece of software or other security product) is far more valuable, as it is less labor-intensive once established. That's often the case because a company can sell the same package many times with minimal work. Subscriptions are also sold as ongoing licenses or contracts, which means the revenue stream is more predictable and stable over the long term. The more predictable a business is, the fewer negative surprises will crop up for investors, and this helps keep the stock price less volatile.

By comparison, purchase of the support and professional services backing up the software tends to be billed as lumpy one-time payments and isn't as profitable for the company. For example, during the first quarter of 2019, Okta made $8.1 million in professional services revenue, but the cost to produce those services was $10.6 million, leaving a $2.5 million loss for the segment due to high labor costs. Subscriptions, by contrast, generated $117.2 million in sales and ran at a 79.1% gross profit margin, meaning the company kept $92.7 million of that total.

Track the number of customers

For a smaller company trying to establish itself, adding fresh customers will be the most important metric pointing out how well the company is building a profitable base.

For a larger company, existing customer activity is equally -- if not more -- critical. Look for what are called net dollar retention or dollar-based net expansion rates, which measure the amount of money existing customers are spending compared year to year. If the figure is under 100%, the implication is that customers are leaving or spending less. If the metric is over 100%, it means the business is selling more to its customers. Loyal patrons who spend more on services over time can be a powerful force that boosts the bottom line.

How much it costs to run the business

Moving down the income statement, operating expenses can be a tricky item to get a read on. Operating expenses cover costs not associated with producing a service but still necessary to keep the lights on. Because cybersecurity is growing and changing fast, research and development expenses can require a hefty cash outflow every year. Sales and marketing also tend to be elevated for companies that are jockeying for new clients. High costs in these areas tend to be the biggest reason a cybersecurity company operates in the red.

However, many of them are profitable on an "adjusted" basis. Thus, adjusted operating expenses (and therefore adjusted earnings) are important to look at as they back out things like stock-based compensation to employees and only factor in actual cash expenses. Investors will want to see stock-based pay decrease as a company matures, but while it's in growth mode, that expenditure tends to be elevated as companies use it as an incentive to attract and retain talent.

Closely related to this is the free cash flow metric -- or money left over after basic operating expenses and capital expenditures are paid for. This is a much more accurate measure of any company's true profitability. For example, when reporting on its fiscal 2019 third quarter (the three months ending April 30, 2019), cybersecurity leader Palo Alto Networks (NYSE:PANW) reported a net loss of $20.2 million on revenue of $727 million. After making adjustments, though, free cash flow was positive $276 million, good for a profit margin of 38% and up 30% year over year. Making non-cash adjustments can tell a very different story.

The digital age ups the ante for cybersecurity

In recent years, a couple of key trends in technology have led to cybersecurity becoming a hot industry. One is the boom in cloud computing.

The cloud refers to computing being done remotely at a data center. Video streaming is an example of cloud computing that millions of Americans make use of daily. Rather than play a movie or TV show at home on a DVD or Blu-ray player, consumers are making use of a library of entertainment content contained at a data center (like one hosted by Netflix), which they access via the internet for a fee.

That remote cloud-based business model has surged in popularity in the business world as well. Rather than expending their own computing power or purchasing software that needs to be downloaded at the office, companies are utilizing the cloud to get the digital tools they need. Cloud computing -- and the subscription-based model it often employs -- has been a winning strategy in recent years.

It also creates an expanding need for security services to protect all of that information being stored and used online. According to internet infrastructure company Cisco, global internet traffic is expected to grow an average of 26% every year through 2022. That's a lot of new data that needs to be kept safe.

Another development boosting the need for cybersecurity is the proliferation of devices connected to the internet, often identified by the catch-all phrase the "Internet of Things," or IoT. It's not just computers, tablets, and smartphones anymore. On the consumer side of the equation, everything from wearables like watches and headphones to household items like TVs and appliances is getting hooked up to the internet. For a business, connected devices can include industrial equipment, vehicles, or shipping containers.

The number of devices hooked up to the internet -- and the trail of digital data they create that needs to be collected and secured -- is staggering. Cisco estimates there were 2.4 networked devices for every man, woman, and child alive in 2017. Through 2022, the number of devices per person is expected to grow to 3.6. Put more simply, that would be roughly 28.5 billion devices connected to the internet in 2022, up from 18 billion in 2017.

How data is being protected 

With data getting created all over the place by billions of devices, the responsibility placed on companies to keep it all secure is getting heavier all the time. The onus of that responsibility is increasingly being placed on cybersecurity companies and their various solutions.

Hardware versus software

Firewalls have traditionally been the first line of defense. A firewall is either a physical device attached to a network or software that acts as a gatekeeper, monitoring traffic and deciding what data to allow in and what data to block. Companies like Cisco still offer firewalls in hardware form, but with so much of computing moving to the cloud, software-based firewalls are gaining in importance. Top vendors migrating to cloud-based gatekeeping include Palo Alto Networks and Fortinet.

Technology to the rescue

The sheer amount of sensitive information and mission-critical data out in cyberspace isn't the only challenge, though. The complexity of attacks is also increasing, with bad actors looking for and exploiting holes in the vast communication and data networks between organizations, their employees, and their customers. Artificial intelligence and its subdiscipline machine learning -- a software system that mimics the human brain and learns from experience -- will be key factors in suppressing digital crime. Security software providers like Palo Alto Networks and Fortinet are putting the technology to use and are among the leaders in this area. Palo Alto, for example, launched an AI-based service called Cortex that hunts down attacks and automates threat detection.

New developments in cybersecurity

Then there are newer defense mechanisms that analyze information and adapt to operational changes in real time. These approaches include SIEM (security information and event management) and SOAR (security orchestration, automation, and response) and are among the fastest-growing segments of the cybersecurity industry. Legacy technologist IBM offers SIEM with its QRadar product. Newer entrants to the scene, like FireEye, have come out with similar offerings, and Palo Alto Networks and big-data analytics firm Splunk have added SOAR services to their respective software lineups.

All of these various companies and services have been moving toward simplifying the security process for companies' IT teams. Security operations can be complicated for organizations, so a one-stop-shop solution (or as close to one as possible) carries substantial appeal, but there are other offerings that cater to more specific needs.

Endpoint protection, which secures the hundreds of millions of new devices (computers, tablets, smartphones, and other connected devices being used by a company's employees or customers) coming online each year, is one such niche. CrowdStrike Holdings (NASDAQ:CRWD) specializes in endpoint security and recently completed a successful public debut on the stock market. IAAM (identity, authentication, and access management) is another specialized need that helps organizations ensure that only those who should have access to data are getting into the network. Okta is a leader in the IAAM space.

How big is the potential?

Although cybersecurity is a newer industry, and many companies are not yet profitable, the long-term potential is nevertheless great. According to research firm Global Market Insights, the industry's overall growth is expected to be 12% a year through 2024, going from $120 billion a year in 2017 to more than $300 billion. That means smaller cybersecurity pure-play stocks could be big winners in the years ahead.

While larger companies that aren't pure players could be less volatile -- such as Cisco or software giant Oracle, which offers security capabilities as part of its larger suite of services -- it's smaller companies that are poised to get the biggest bump if they succeed at disruption. Smaller niche players and start-ups could end up eating the lunch of their bigger and clunkier peers.

CrowdStrike is a perfect example. Though the company was founded in 2011 and completed its initial public offering of stock (IPO) in June 2019, it's already valued at a market cap of $14 billion (as of this writing). Okta is another example. It posted 50% revenue growth during the first quarter of 2019 and is currently valued at $14.8 billion. By comparison, Palo Alto Networks is currently the largest cybersecurity-focused company out there and is currently valued at $20.3 billion. 

How to pick cybersecurity investments

The easiest way for investors to play the general rise in the importance of cyberprotection is via an exchange-traded fund like the First Trust NASDAQ Cybersecurity ETF (NASDAQ:CIBR) or the ETFMG Prime Cyber Security ETF (NYSEMKT:HACK). Both offer passive exposure to the industry through a portfolio of stocks and charge investors an annual fee of 0.6%.

There are a few key differences to keep in mind, though. Larger companies make up a larger percentage of First Trust NASDAQ Cybersecurity ETF's stock portfolio, and it excludes the smallest of cybersecurity stocks (anything with a market cap under $250 million gets tossed out). ETFMG Prime Cyber Security ETF weights its various stocks more equally -- regardless of how large the company is -- and includes smaller start-ups (valued all the way down to $100 million).

Getting in on tiny start-ups early sounds appealing, but it doesn't always pay off quickly. First Trust NASDAQ Cybersecurity ETF's focus on larger firms has yielded a 44% return compared to ETFMG Prime Cyber Security ETF's 30% since the summer of 2015 -- the earliest common date since the two funds' inception. In this case, focusing on larger companies that have jumped out to an early lead has been the better strategy.

Choosing individual companies

Investors who want to get pickier with their cybersecurity stocks could focus on the largest players in the security space. They could also focus on those companies with the strongest momentum right now. Here's a checklist of things for investors to consider:

  • Look for companies that are not just adding new customers but also expanding relationships with existing ones.
  • If a company is growing more slowly than the security industry (about 12% a year through the next five years, according to some estimates), is there a good reason why? If not, pass.
  • If a cybersecurity company is not yet profitable, make sure it's making headway on gross margin, operating margin, or adjusted earnings.
  • Operating expenses are often elevated or rising faster than sales, so check that the spending is translating into revenue generation. For a larger and established company, revenue growth should be outpacing spending; for a smaller or start-up company, the gap between revenue growth and high expense growth should be narrowing over time. 
  • Innovation is a must in this fast-changing industry. Is the company investing in research and development to stay relevant? Is it succeeding?
  • Are there rivals to a cybersecurity company's service? If so, compare the other company's growth rate and resulting valuation. If one company trades at a premium to its peers, there should be a good reason why (i.e., higher revenue growth, higher profit generation, etc.).
  • Traditional metrics like price-to-earnings ratios usually don't help when deciding which cybersecurity stock to invest in. If a company doesn't have earnings, the metric doesn't exist. For small, fast-growing stocks, pick ones with high rates of revenue growth and compare their price-to-sales ratios (the lower the ratio, the more of a value it is). However, a more expensive stock might still be worth the money if it is growing faster than its peers.
  • For larger, established companies, use the price-to-free-cash-flow ratio to decide on a better value. Even larger cybersecurity outfits should be growing by double-digits at this stage of the game, but the lower the price-to-FCF ratio, the greater the value. However, a higher number is acceptable if growth is outpacing that of other large companies.

A note on risk

It is worth bearing in mind that, whether investing in a basket of cybersecurity stocks via an ETF or creating your own collection of stocks, the cybersecurity industry is a volatile one. As is the case with high-growth sectors, stocks tend to bounce around in value quite a bit, and steep declines are the norm. This can be driven by anything from a high-profile security breach at a large organization, a miss in expected revenue growth at a security company, or higher-than-anticipated expenses to acquire customers or develop new technology.

No matter the direction you choose, though, investing in cybersecurity stocks holds a lot of promise. Keeping the digital world a safe place is a big job -- one that will only get bigger. The swift pace of change in the underlying technology means the ride will be an especially bumpy one. Investors will therefore want to stay focused on the long term and expect some turbulence. But for those who can be patient and have the fortitude to buy when stock prices dip, investing in cybersecurity should be a profitable endeavor for the long haul.
