Cybersecurity: A unique, defensive play in thematic tech

Produced in partnership with Nasdaq

Cybersecurity has become a critical need in today’s society as our dependence on technology and data grows.

Globally, there has been increasing frequency and sophistication of cyber attacks in recent years with governments and corporates spending large amounts on cybersecurity solutions to prevent sensitive data breaches from occurring.

With the rise of artificial intelligence and its associated demand for large amounts of training data, the need for robust cybersecurity solutions has never been more important.

This presents a compelling investment case that Australian investors can access through the Betashares HACK Global Cybersecurity ETF . HACK aims to track the performance of the Nasdaq CTA Cybersecurity™ Index (before fees and expenses).

The following research article was written by Sanjana Prabhakar, Index Research Specialist – Nasdaq Index Research & Development. All dollar amounts are shown in US dollars, unless otherwise stated.

What is cybersecurity?

Cybersecurity involves both measures and technologies that protect digital systems, networks, and data from unauthorised and/or unintended access. It has become a top priority for businesses and governments alike as cyber attacks have risen in recent years due to several factors including the rise of connected devices, shift to the cloud, remote work, and increased network complexity.

The most common types of cybersecurity attacks include malware, ransomware, phishing, insider threats, DDoS (distributed denial of service) and social engineering-based attacks.¹

As a defense against these attacks, companies have developed comprehensive defense tools that span network security, endpoint security, cloud security, application security, IAM (identity & access management) and data security².

Why is cybersecurity important?

Cybersecurity has become critical to ensuring that organisations are safe from attacks both from internal and external bad actors as the world continues to become more open, connected, and digital.

It has been flagged as a top 5 global risk by the World Economic Forum in their most recent survey, among other pressing global issues such as extreme weather from climate change, the cost-of-living crisis, and societal/political polarisation.

Statistics validate what is now indisputable in the cybersecurity community, that both the cost and number of cyber attacks continue to increase at an alarming rate.

As per a study by Statista, the cost of cybercrime amounted to a whopping $8.2 trillion in 2023 and is expected to rise to $13.8 trillion by 2028. Cyber attacks continue at the rate of one every 39 seconds, as per another study by the University of Maryland³. If measured as a country, cybercrime would be the third-largest economy after the US and China.

Additionally, ongoing pressures from geopolitical tensions and the rise of generative AI have added a layer of complexity to the threat landscape.

Given the scale of impact of cyber attacks, it comes as no surprise that 96% of CEOs surveyed by Accenture said that cybersecurity is critical to organisation stability.

What is the state of the cybersecurity industry?

The landscape of the cybersecurity industry is changing rapidly with the emergence of new growth drivers by way of generative Artificial Intelligence (AI).

Companies in the cybersecurity industry face a demand and operating environment quite different from that of the previous decade with the rise of insider threats and demand for AI-driven security solutions.

Following recent attacks on US critical infrastructure, cybersecurity became a national policy issue, leading to the issuance of an ‘Executive Order on Improving the Nation’s Cybersecurity’ in May 2021 by President Biden.

At the same time, several Big Tech companies have pledged to ramp up investments in cybersecurity, adding another stabilising force to the revenue growth trajectory of the overall market.

The new narrative of cybersecurity is likely to be dominated by the zero-trust model of security and AI-based security solutions. The zero-trust security model assumes that no user or device can be trusted without continuous verification.

An estimate of the total addressable market by McKinsey suggests that the cybersecurity market is $1.5-$2.0 trillion globally, and at best only 10% penetrated with a very long runway for growth.

As per Statista, during the period 2024-2028, cybersecurity revenue is expected to grow at an annual rate of 10.6%, resulting in a total market size of $273.6 billion by 2028.

These projections suggest that the growth outlook is optimistic for the overall market and not limited to a few key players.

Cybersecurity ecosystem expansion

The cybersecurity ecosystem has expanded rapidly over the past decade or so, especially with the recent emergence of generative AI as a new growth driver.

Given the vastness of the attack surface, it comes as no surprise that there are solutions tailored to protect different parts of the attack surface, including firewalls, emails, networks, and the cloud.

While there is increasing demand from customers for a single unified solution to prevent tool sprawl, the current landscape is still dominated by companies specialising in one or two areas of cybersecurity versus companies becoming a one-stop shop.

As it currently stands, cybersecurity companies offer more than a dozen offerings with a heightened focus on providing solutions to customers moving workloads to the cloud.

While there is potential for increasing revenue streams by specialising in multiple offerings, cybersecurity companies continue to focus on a few areas.

Zscaler, for example, which went public in 2018, specialises in cloud-based security for protection against malware.

Qualys and Rapid 7, which went public in 2012 and 2015 respectively, offer vulnerability management as well as identity and access management services.

Okta, which went public in 2017, offers identity and access management solutions. Palo Alto Networks, which went public in 2012, offers enterprise-wide network and cloud security solutions.

Darktrace, which went public more recently in 2021, is a leader in the global-AI cybersecurity domain. It has a self-learning AI tool that is the industry’s only solution to learn from data without reference to historical events.

These examples illustrate the diversity of offerings by cybersecurity companies.

Cybersecurity industry tailwinds

Federal government agencies are expected to provide a fillip to cybersecurity sales as they work towards implementing zero trust architecture to comply with Executive Order 14028, “Improving the Nation’s Cybersecurity”⁴. They are likely to upgrade their legacy IAM infrastructure, implement cloud security controls and upgrade risk controls as they ramp up their cybersecurity infrastructure⁵.

In keeping with the changing requirements, the Biden administration is seeking $13 billion in cybersecurity funding across all agencies, with a fiscal 2025 proposal to include $3 billion for the Cybersecurity and Infrastructure Agency, a $103 million increase over the current budget⁶.

The budget is likely to secure funding for improving basic and advanced cybersecurity in low-resourced hospitals and the treasury department’s IT systems⁷.

The ongoing shift to the cloud has spurred higher demand for cloud-based security products. Cloud-based environments are more complex to secure than on-premise environments, necessitating new solutions.

Some players – including Crowdstrike, Zscaler, Palo Alto, Cloudflare, and Fortinet – are likely best positioned to capitalise on increased demand for cloud-based solutions.

While security software continues to be a smaller market than infrastructure software and application software, the migration to the cloud is likely to propel the security market forward to an impressive $290 billion by 2026, as per Bloomberg and IDC⁸.

The pace of growth in security spending is even more encouraging when we note that overall security spend is likely to outpace IT spend by 200 bps through 2027⁹.

Interest rate cuts in the second half of 2024 could be another potential tailwind for companies in the cybersecurity universe, lifting valuations and boosting investor sentiment.

As many of these stocks belong to the high-growth universe, they came under pressure when the Federal Reserve embarked on its most aggressive rate hiking cycle in decades in 2022.

How to invest in the cybersecurity theme?

Investors can gain access to the cybersecurity space through the Nasdaq CTA Cybersecurity™ Index (NQCYBR™). The index is designed to track the performance of companies engaged in the cybersecurity segment of the technology and industrial sectors.

Companies included in the index are classified by the Consumer Technology Association (CTA) and are primarily involved in the building, implementation, and management of security protocols, applied to private and public networks, computers, and mobile devices, to protect the integrity of data and network operations.

All index constituents must have a minimum free-float market capitalisation of $500 million, three-month average daily dollar trading volume of $1 million, and a minimum free float of at least 20%. The index is a modified free-float market capitalisation index¹⁰.

How are cybersecurity companies leveraging AI?

AI has emerged as a double-edged sword for cybersecurity companies. Bad actors have developed new attack strategies with generative AI. They are automating attacks, scanning wider attack surfaces, and targeting a broader range of victims.

As these attacks are distinct by nature, they require more sophisticated solutions. On the flip side, cybersecurity companies are leveraging AI to automate threat responses including prevention, detection, and response capabilities.

Several companies that make up the Nasdaq CTA Cybersecurity™ Index (NQCYBR) have brought to the market AI-based cybersecurity products and services, with a few companies ahead of the curve.

Blackberry released CylancePROTECT, which delivers threat prevention powered by AI to identify threats before they cause harm. CrowdStrike announced a new AI-powered generative assistant called Charlotte AI in May 2023 to help everyday users operate as if they are seasoned security professionals.

It announced a new AI-powered indicator of attack (IoA) model, which uses machine learning intelligence to stop breaches in real-time. Okta hasn’t released an AI-based security product yet, but has announced that it will allocate $40 million of its annual R&D budget to new AI projects.

Generative AI-based solutions have also been leveraged quite rapidly. Zscaler has released AI-powered controls which use generative AI to improve threat detection and response. SentinelOne uses generative AI to stop attacks, combining a real-time neural network with a large language-model (LLM)-based natural language interface.

Cloudflare released a tool called Cloudflare One, which uses generative AI tools without putting data at risk. The integration of AI into security offerings is expected to potentially act as a fillip to growth for companies in the near-term.

Conclusion

Companies that make up the Nasdaq CTA Cybersecurity™ Index continue to be well-positioned to capture value in an environment that is seeing increased “platformisation” and a shift towards the cloud. Fundamentals of the sector continue to be strong, with artificial intelligence driving renewed investor interest.

Near-term risks are likely to be outweighed by a strong demand environment. Gartner’s most recent spending projections on cybersecurity were revised upward to a growth rate of 14% in 2024, lending further support to the theme’s underlying story of consistent, above-average growth.

Lastly, as hacks continue to proliferate and regulatory pressures increase, end-users are ever more likely to shore up their cybersecurity defenses in the years ahead.

Sources: Nasdaq Global Indexes, FactSet, Bloomberg

Sources:

1. https://www.ibm.com/topics/cybersecurity ↑

2. https://www.accenture.com/us-en/insights/cyber-security-index ↑

3. https://ung.edu/continuing-education/news-and-media/cybersecurity.php ↑

4. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ ↑

5. https://www.ey.com/en_us/government-public-sector/top-seven-government-and-public-sector-cyber-trends ↑

6. https://federalnewsnetwork.com/budget/2024/03/biden-budget-request-includes-13b-for-cybersecurity-continuing-upward-trend/ ↑

7. https://www.bankinfosecurity.com/us-federal-budget-proposes-275b-for-cybersecurity-a-24575 ↑

8. https://www.bloomberg.com/professional/insights/trading/cloud-security-remains-in-secular-growth-mode-with-a-long-runway/ ↑

9. https://www.bloomberg.com/professional/insights/trading/cloud-security-remains-in-secular-growth-mode-with-a-long-runway/ ↑

10. https://indexes.nasdaqomx.com/docs/Methodology_NQCYBR.pdf ↑