How to invest in cybersecurity actions – The Motley Fool

As the increasingly digital world transforms the way we live, the bad guys are also changing the way they live and work. This means that cybercrime is increasing all over the world, both in frequency and complexity. In fact, according to a study conducted in 2018 by the McAfee security group, cybercrime would cost about $ 600 billion a year, or just under 1% of global GDP (value of all goods and services provided in the course of the year). a given year).

This huge cost has put companies, government entities and other businesses under pressure. Protecting their own sensitive information and protecting customer data are top priorities in today's digital age. A security breach can lead to loss of trust, loss of credibility and ultimately loss of business.

Enter the cybersecurity industry, a growing service sector that is evolving rapidly to address online threats. Not producing a tangible good or service that the everyday consumer can recognize, cybersecurity does not allow the most attractive technology investments. And the pace of change required to stay ahead of those with bad intentions means that investing in cybersecurity companies can be tricky.

Nevertheless, there is no doubt that investors are eager to take an interest in this growing sector of the economy. And there are many investments to choose from.

All kinds of businesses are lining up to ensure the security of the digital world. Some offer security as part of a broader technology offering, while others make cybersecurity their one and only goal. The type of cybersecurity also differs, with some companies striving to offer complete software to secure the data, while others seek to solve a specific problem with connection or device security software.

With Internet attacks continually disappearing, investors looking to capitalize on this trend should invest in the stocks of companies dedicated to cybersecurity to maximize their growth potential. Read on to find out how to determine how to invest in cybersecurity actions.

Basics of cybersecurity business analysis

Invest in cybersecurity actions, especially those representing companies only Cybersecurity-driven is not as easy as choosing the fastest-growing companies. Many companies that crack down on cybercrime alone are not yet profitable. It is therefore useful to understand some less obvious measures.

Generate and maintain revenue

Income (money earned for the provision of a service or the sale of a product) is of course the logical starting point, but the gross profit margin is important, as is the top line. Gross profit margin subtracts from income the cost to provide a service or the cost to produce and sell a product. The bigger the gross margin, the better; it means that the company keeps more money. Software services generally offer a higher profit margin than hardware sales because the product is manufactured once and can be sold countless times thereafter (relative to the hardware, which must be manufactured for each customer) . As cybersecurity is essentially a software industry, many cybersecurity companies have the potential to become profitable businesses.

However, software development is expensive initially and only begins to bear fruit if enough customers sign up for the service. Newer firms will generally have lower gross margins than established firms because they earn less and you need to spend more on acquiring customers – making fast revenue generation an important factor to consider when looking for small start-up cybersecurity companies.

All services are not created equal

Then there are the details of how a company is paid. Most cyber security firms divide revenues into two basic categories: (1) subscriptions and (2) support services and professional services.

Subscription revenues (sometimes referred to as software products or products because the category covers recurring services delivered through software or other security products) are much more valuable because they require less labor once they are established. . This is often the case because a company can sell the same package multiple times with minimal work. Subscriptions are also sold as licenses or contracts in progress, which means that the revenue stream is more predictable and stable in the long run. The more predictable a company, the less negative surprises for investors, which will help keep the price of the action less volatile.

In comparison, the purchase of support services and professional services ensuring the backup of the software is usually billed as a lump sum payment and is not as profitable for the company. For example, during the first quarter of 2019, Okta $ 8.1 million in professional services revenue. However, the cost of producing these services was $ 10.6 million, resulting in a $ 2.5 million loss to the sector due to high labor costs. However, sales generated sales of $ 117.2 million and a gross margin margin of 79.1%, which means the company retained $ 92.7 million of this total.

Track the number of customers

For a small business trying to locate, adding new customers will be the most important indicator of how well the company is building a profitable base.

For a large company, the activity of existing customers is just as essential, if not more so. Look for what is known as net dollar retention or net dollar expansion rates, which measure the amount of money that existing customers spend on each year. If the number is less than 100%, it follows that customers leave or spend less. If the measure exceeds 100%, it means that the company sells more to its customers. Loyal customers who spend more on services over time can be a powerful force that improves results.

How much does the management of the company

By lowering the income statement, operating expenses can be hard to read. Operating expenses cover costs not related to the production of a service but necessary to keep the lights on. As cybersecurity grows and evolves rapidly, research and development expenditures may require a significant outflow each year. Sales and marketing also tend to be high for companies looking for new customers. The high costs in these areas tend to be the main reason why a cybersecurity company operates in the red.

However, many of them are profitable on an "adjusted" basis. It is therefore important to look at adjusted operating expenses (and therefore adjusted net income) because they remove items such as stock-based compensation to employees and only reflect actual cash expenses. Investors will want to see stock-based salaries decline as their business matures. However, even if the latter is in growth mode, its expenses tend to be high because they use it as an incentive to attract and retain talent.

The measurement of free cash flow, or money remaining after the payment of basic operating expenses and capital expenditures, is closely related to this. It is a much more accurate measure of the actual profitability of any business. For example, when it released its third quarter of fiscal 2019 (the quarter ended April 30, 2019), the leader in cybersecurity Palo Alto Networks (NYSE: PANW) recorded a net loss of $ 20.2 million on revenues of $ 727 million. Adjusted free cash flow was $ 276 million, representing a profit margin of 38% and a 30% increase over the previous year. Non-monetary adjustments can tell a very different story.

The digital age raises cyber security bids

In recent years, some key technology trends have made cybersecurity a growing industry. One is the cloud computing boom.

The cloud refers to the computing done remotely in a data center. Video streaming is an example of cloud computing that millions of Americans use daily. Rather than watching a movie or TV show at home on a DVD or Blu-ray player, consumers use a library of entertainment content contained in a data center (like the one hosted by Netflix), which they access via the Internet for a fee.

This business model based on the remote cloud has also gained popularity in the business world. Rather than spending their own computing power or buying software for download at the office, companies are using the cloud to get the digital tools they need. Cloud computing – and the subscription-based model that it uses often – has been a winning strategy in recent years.

It also creates a growing need for security services to protect all information stored and used online. According to the company's Internet infrastructure whitefish, global Internet traffic is expected to increase by an average of 26% per year by 2022. This is a large number of new data to preserve.

Another development that reinforces the need for cybersecurity is the proliferation of Internet-connected devices, often identified by the generic term "Internet of Things", or IoT. This is no longer just computers, tablets and smartphones. On the consumer side, everything from clothing items like watches and headphones to household items such as televisions and appliances is connected to the Internet. For a business, connected devices may include industrial equipment, vehicles, or shipping containers.

The number of devices connected to the Internet – and the digital data track they create, which must be collected and secured – is mind-boggling. Cisco estimates that there were 2.4 networked devices for every man, woman and child living in 2017. Until 2022, the number of devices per person should reach 3.6. More simply, this would represent approximately 28.5 billion devices connected to the Internet in 2022, compared to 18 billion in 2017.

How data is protected

With billions of devices creating data around the world, the responsibility of companies to protect them is growing. This responsibility is increasingly falling on cybersecurity companies and their various solutions.

Hardware versus software

Firewalls are traditionally the first line of defense. A firewall is either a physical device connected to a network, or a software acting as a gatekeeper, monitoring the traffic and deciding which data to allow to enter and which data to block. Companies such as Cisco still offer hardware-based firewalls, but with the vast majority of computing now going into the cloud, software firewalls are gaining importance. Leading vendors migrating to cloud-based gatekeeping include Palo Alto Networks and Fortinet.

Technology to the rescue

The amount of sensitive information and critical data in cyberspace, however, is not the only challenge. The complexity of attacks also increases, as bad actors search for and exploit loopholes in the vast communication and data networks between organizations, their employees and their customers. Artificial intelligence and its sub-discipline machine learning – a software that mimics the human brain and draws lessons from the experience – will be key factors for suppressing digital crime. Security software vendors such as Palo Alto Networks and Fortinet are taking advantage of technology and leading the way. Palo Alto, for example, has launched an AI-based service called Cortex that tracks, attacks, and automates threat detection.

New developments in cybersecurity

Secondly, there are new defense mechanisms that analyze information and adapt to operational changes in real time. These approaches include SIEM (Information and Event Security Management) and SOAR (Security, Orchestration, Automation and Response) and are among the most dynamic segments of the cybersecurity industry. Inheritance technologist IBM offers SIEM with its QRadar product. Newcomers on the scene, as FireEye, have submitted similar offers, as well as Palo Alto Networks and the company's big data analysis Splunk added SOAR services to their respective software solutions.

All of these companies and services have started to simplify the security process for the IT teams of companies. Security operations can be complicated for organizations. A one-stop solution (or as close as possible) is of considerable interest, but there are other offers that meet more specific needs.

Terminal protection, which secures the hundreds of millions of new devices (computers, tablets, smartphones, and other connected devices used by employees or customers of the business) put online each year, is one these niches. CrowdStrike Holdings (NASDAQ: CRWD) specializes in endpoint security and has just successfully completed its public debut on the stock market. IAAM (Identity, Authentication, and Access Management) is another specialized need that helps organizations ensure that only people with access to data access the network. Okta is a leader in the IAAM space.

What is the size of the potential?

Although cybersecurity is a recent sector and many companies are not yet profitable, the long-term potential is considerable. According to research firm Global Market Insights, the sector is expected to grow by 12 percent annually by 2024, from $ 120 billion a year in 2017 to more than $ 300 billion. This means that smaller cybersecurity pur-play stocks could be big winners in the years to come.

While large companies that are not pure players could be less volatile – like Cisco or the software giant Oracle, which offers security features as part of its broader range of services – it is small businesses that are on the verge of achieving the biggest failure if they manage to disrupt their business. Small businesses and start-ups could end up eating their bigger and crazier peers.

CrowdStrike is a perfect example. Although the company was founded in 2011 and completed its Initial Public Offering (IPO) in June 2019, it is already valued at a market capitalization of $ 14 billion (at the time of writing). . Okta is another example. It recorded revenue growth of 50% in the first quarter of 2019 and is currently valued at $ 14.8 billion. By comparison, Palo Alto Networks is currently the largest cybersecurity-focused company and is currently valued at $ 20.3 billion.

How to choose cybersecurity investments

The simplest way for investors to play the general increase in the importance of cyber protection is to use an exchange-traded fund as the First Trust NASDAQ Cybersecurity ETF (NASDAQ: CIBR) or the ETFMG Prime Cyber ​​Security ETF (NYSEMKT: HACK). Both offer passive exposure to the industry through a stock portfolio and charge investors an annual fee of 0.6%.

There are, however, some key differences to keep in mind. Large companies represent a larger percentage of the equity portfolio of the NASDAQ Cybersecurity First Trust ETF, and exclude the smallest share of cybersecurity shares (anything with a market capitalization below $ 250 million). ETFMG Prime Cyber ​​Security ETFs weigh more equitably on its various stocks – regardless of size – and include small start-ups (valued at up to $ 100 million).

Entering small startups seems attractive, but it does not always pay off quickly. In this case, the focus on the NASDAQ Cybersecurity First Trust ETFDA on large companies generated a return of 44% over the ETFMG Prime Cyber ​​Security ETF ETF's 30% return since the summer of 2015. – the earliest date since the creation of the two funds. In this case, the best strategy is to focus on large companies that have quickly taken the lead.

Choose individual companies

Investors who want to become more selective with their cybersecurity actions could focus on the biggest players in the security industry. They could also focus on the companies that have the strongest momentum right now. Here is a list of things to consider by investors:

• Look for companies that do not add new customers but expand their relationships with existing customers.
• If a company is growing more slowly than the security sector (about 12% per year over the next five years, according to some estimates), is there a good reason for this? If no, go ahead.
• If a cybersecurity firm is not yet profitable, make sure that it is progressing in terms of gross margin, operating margin or adjusted profit.
• Operating expenses are often high or increase faster than sales, so check that expenses translate into revenue generation. For a larger and more established company, revenue growth is expected to outpace spending; for a smaller or start-up business, the gap between revenue growth and strong spending growth is expected to narrow over time.
• Innovation is essential in this rapidly changing sector. Does the company invest in research and development to stay relevant? Does it succeed?
• Are there competitors in the service of a cybersecurity company? If this is the case, compare the growth rate of the other company and the resulting valuation. If a company is trading at a premium relative to its peers, there should be a good reason (eg, increased revenue growth, increased profit generation, etc.).
• Traditional indicators such as price / earnings ratios generally do not determine which cybersecurity actions to invest in. If a company does not have a profit, the indicator does not exist. For small, fast-growing stocks, choose those with high income growth rates and compare their price-to-sales ratios (the lower the ratio, the higher the value). However, a more expensive title could still be worth it if he grew faster than his peers.
• For large, well-established companies, use the price / free cash flow ratio to determine a better value. Even the largest cyber security groups are expected to experience double-digit growth at this point in the game. However, the lower the price / FCF ratio, the higher the value. However, a higher number is acceptable if growth exceeds that of other large firms.

A note on the risks

Keep in mind that whether investing in a basket of cybersecurity securities through an ETF or creating your own securities collection, the cyber security sector is a volatile sector. As with high-growth sectors, equities tend to lose value and declines are the norm. This may be due to a large-scale security breach in a large enterprise, a lack of expected revenue growth in a security firm, or higher than expected expenditures to acquire customers or develop new technologies.

However, whatever direction you choose, investing in cybersecurity stocks is very promising. Keeping the digital world in a safe place is a big job – a job that will only grow. The rapid pace of change in the underlying technology means that the race will be particularly bumpy. Investors will want to stay focused on the long term and expect turbulence. But for those who can be patient and have the courage to buy when stock prices go down, investing in cybersecurity should be a profitable business in the long run.