Executive summary: Cyberattacks could cost the world $9tr in 2024. This is despite annual cybersecurity spending growing at over 10% and remaining the number-one priority in enterprise budgets. Artificial intelligence (AI) has changed the rules of the game. It has increased both the range and sophistication of potential cyberattacks as well as the tools with which defenders can potentially manage them. AI needs to be incorporated into defences before large-scale adoption occurs in the hacker community. While the imperative is clear, the challenge relates to prioritising IT spend and ensuring appropriate ongoing training and education. Human error remains the number one reason why cyberattacks occur. From an investment perspective, there are multiple ways of playing the cybersecurity theme in both the public and private arena. Given the number of players, we expect industry consolidation to remain an active force and favour seeking exposure either through niche businesses or those with sufficient scale to develop dedicated platforms.

A lot has changed since 2017, when we last wrote a dedicated theme piece on cybersecurity. There has been a global pandemic, war on Europe’s borders and in Gaza, a marked change in monetary policy and the relentless rise of artificial intelligence, to name just some of the most significant. We all know that AI has been a game-changer and will only revolutionise the way we work. However, as the French author Jean-Baptiste Alphonse Karr prophetically wrote in 1849, “the more things change, the more they stay the same.”

Cybersecurity remains at least as big a risk today as it was when we previously explored the topic. Logically, AI will increase the sophistication of both attackers and defenders. See it as a security challenge, but also as a tool that can help CISOs (Chief Information Security Officers) win. As we have regularly noted, data have no value unless secured, stored and analysed. Cybersecurity remains an asymmetric risk. Even if 99% of threats are countered, the sole attack that is successful can have a massive impact on its target and their reputation.

First the facts. There has been a fourfold increase in cyber threats in the last three years. 72% of firms with annual revenues of more than $5bn say they have been attacked over the last 12 months. Tech, telecoms, financial and retail businesses as well as government entities are the most common targets (data from Statista, KKR and CrowdStrike respectively). Or, as Nikesh Arora, the Chief Executive of Palo Alto Networks, puts it, “cyberattacks continue unabated.” Data outages (such as the incident that occurred in July as a result of a failed CrowdStrike software update) may also allow threat actors to promote malicious websites carrying malware, compromising victims who are seeking legitimate information about the event.

The average cost of a cyber breach stands at over $4m, and the annual cost of cyberattacks could surpass $9tr in 2024 (according to Statista). For context, that’s equivalent to about one-third of the United States’ GDP, or almost 25 times Apple’s annual revenues. If anything, this figure may be under-stated, since some organisations may choose to stay quiet about cyberattacks so as both to protect their reputations and to avoid potential fines for exposing personal information. It should be no surprise, then, that cyberattacks rank as number five in the World Economic Forum’s Global Risk Report. The document suggests that cyber could “present a material risk on a global scale” in 2024. When respondents were asked to assess risks on a five-year view, cyber rose to number four.

No surprise then that cybersecurity is the top priority for enterprise tech spending. It was cited by 83% of respondents in a recent Lightspeed Venture Partners CISO survey, while a similar Gartner study saw cyber ranked highest by 66% of those polled. Correspondingly, cyber spend by businesses is set to rise by 14% year-on-year (according to Gartner’s work), with the industry predicted to grow at an annualised rate of more than 10% through to at least 2027. Over this period, an incremental $100bn could be spent on cyber.

It is hard to disagree with the advocates of AI when they argue that it represents “an opportunity far larger than the Internet” and will bring “productivity gains to nearly every industry” (per Jensen Huang, the founder and Chief Executive of NVIDIA). However, Nikesh Arora is almost certainly right too when he argues that AI will result in “an even faster pace” of cyberattacks. Whether we like it or not, AI is more than just a pioneering innovation; it is being woven deep into the fabric of enterprise life. At the same time, however, AI provides an opportunity for enterprises to build (and buy) solutions that can enable them to gain an edge against an increasingly sophisticated threat landscape.

Against this background, a significant majority (86%) of CISOs believe that implementing AI tools represents an important strategic priority over the next two years. 58% said that they had already made strategy changes due to the AI revolution (based on information reported in Lightspeed’s latest report). A similar study by Darktrace of 1800 security leaders and professionals found that 74% believed AI-augmented cyber threats were already having a significant impact on their organisation, while 60% were of the opinion that they were unprepared to defend against these attacks. Of potentially greater concern, almost nine-in-ten of the above (89%) agreed that AI-powered threats would remain a major challenge into the foreseeable future.

From the attackers’ perspective, the rise of AI has been a clear enabler, increasing not only the novelty of attacks, but accelerating their evolution and widening their vectors exponentially. The combination of AI and LLMs (large language models) has led to the launch of attacks at machine-speed and scale. Attacks could take the form of novel and highly convincing phishing campaigns, the autonomous creation of malicious code, deepfakes designed to elicit trust and the emergence of autonomous agents (or bots) that are enabled with advanced reasoning and decision-making capabilities, to name but a few examples.

Generative AI could also be deployed maliciously in order to accelerate open-source intelligence-gathering. This could result in the inadvertent leakage of sensitive and confidential data. Over the past year, there have been numerous instances of accidental data leakages or breaches of AI training data from some of the largest AI tool providers. These have potentially left terabytes of customers’ private data exposed. A related risk is the threat of model inversion, whereby attackers use the outputs of an LLM, paired with knowledge about its model structure, to make inferences about, and eventually extract, its training data.

As threats such as these grow, the cyber security industry is hastening to integrate AI into technologies used across workflows in prevention, detection, response, and recovery. In theory, the defenders should have the upper hand owing to greater resource availability. In our discussions with various stakeholders across the industry, the consensus opinion is that AI needs to be incorporated into defences before large-scale adoption occurs in the hacker community. It is necessary to view AI as an opportunity for the cyber industry – to better identify and respond to threats.

The implementation of generative AI cyber solutions could clearly help businesses in numerous ways by significantly improving the speed and efficiency of prevention, detection, response, and recovery. Practically, this could mean accelerating data retrieval processes and creating rapid incident summaries. AI tools could also be used for simulating phishing emails and other attack tactics as well as automating low-level tasks in security operations.

Over 70% of those polled by Darktrace were confident that AI-powered security solutions would be able to detect and block AI-powered threats (even if there may be a vested interest on the part of Darktrace in showing this response). Nonetheless, it is important to recognise that not all AI-based cyber solutions are created equal and similarly, that not all of them may be able to help drive the risk reduction that CISOs are hoping for.

Data ultimately matters more than anything else. Practically, any novel AI tool must be explainable, transparent and controllable. This calls for robust testing, evaluation, verification and validation. At a practical level, effective tools will likely need to be personalised for each unique organisation. Humans need to see exactly how AI systems operate, in an easily understandable way. ‘Black box’ models can potentially erode trust between humans and AI as well as creating compliance concerns. Equally, security teams should be able to decide on the role humans play in decision-making. They should also be able to customise models and set thresholds to guide how decisions are made.

The problem, of course, is how to prioritise IT spend, especially in the context of structurally growing demand for AI overall (and corresponding GPU shortages) and the ongoing structural shift from on-premise data storage to cloud-based solutions. The latter trend is still in its early innings, with fewer than 25% of corporate workloads currently migrated to cloud environments, based on most estimates. CISOs face multiple choices and competing options as well as the question of how well different tools may work. With regard to AI specifically, there also remains a strong need for education across the industry. Unsurprisingly, the more attention generative AI has received, the higher expectations around it tend to be. Proof of concept matters.

Anecdotally, a typical enterprise currently relies on 12-15 principal IT products and up to 75 dedicated cyber tools in order to monitor and manage its data assets. Clearly there is a strong case for vendor consolidation, and it is no surprise that some cyber executives have recently cited ‘buyer fatigue’ as a concern.

An additional structural concern is the lack of trained IT professionals. The World Economic Forum notes that 4m professionals are needed to plug the talent gap in the global cyber industry. Its report also notes that two-thirds of organisations face additional cyber risks owing to skills shortages, yet only 15% of firms expect this hole to be filled within the next two years. These observations are corroborated by data from CyberSeek (an information provider) which show that the US cyber industry is missing an estimated 225,000 security professionals in order to close its talent gap. Only 85% of the economy’s available cyber jobs are currently filled. As a result, 53% of CISOs admitted to burnout compared to last year, while 66% feel they face excessive expectations, per a recent study from Proofpoint, a cyber business.

It may then be necessary to learn to live with cyber threats. Just as a human can never be free from illnesses, so any organisation may never be immune to cyber risks. This dynamic is exacerbated by the fact that human error remains the number one reason why cyberattacks occur, typically a combination of laziness and gullibility. 74% of CISOs identify this as their most significant vulnerability (per Proofpoint), reinforcing the logic for ongoing training and cultural buy-in. As Heptagon’s own Chief Technology Officer puts it, “creating a culture of paranoia” (via simulated phishing incidents, for example) should be paramount.

From an investment perspective, there are multiple ways of playing the cybersecurity theme in both the public and private arena. However, by definition, cyber remains a highly competitive market and owing to both the evolving technology and threat landscape, it may not always be easy to predict future winners. Further, given the asymmetric nature of cyber incidents, credibility can quickly be lost should breaches occur.

These dynamics have helped to ensure that M&A activity continues to feature heavily within the cyber industry. Three of the publicly listed businesses that we cited as strongly positioned in our 2017 theme piece – Carbon Black, Cylance and Sophos – have been taken over in the intervening period. More recently, Darktrace (which only listed in 2021) agreed earlier this year to a takeover from US private equity group Thoma Bravo. Other recent major deals in the space have included the acquisitions of Imperva, Splunk and Veritas. Per Verdict Consultants, in Q1 2024 alone there was more than $23bn of global cyber M&A.

Expect more of the same, particularly given the significant number of cyber start-ups (many of which have a dedicated focus on AI solutions) active across the US, UK, Israel and the rest of mainland Europe. China also has a separate tech ecosystem.

Our perspective has typically been to seek exposure to the cyber theme through niche businesses, historically such as Sophos and Darktrace. Other smaller listed companies that operate in the space include CyberArk, Rapid7, Rubrik, Tenable, Varonis and Zscaler. An alternative perspective would be to embrace the logic of platformisation and recognise that there is a growing case for organisations with scaled operations that are able to offer a complete suite of (AI-enabled) cyber tools, reducing complexity and diminishing the risk of buyer fatigue.

Palo Alto Networks stands out as one potential beneficiary. Founded in 2005, it is a leading next-generation global cybersecurity provider with a full platform of cloud-native applications. It has over 85,000 customers across more than 150 different countries and has seen a roughly fourfold increase in its market capitalisation over the last five years. For the industry as a whole, we expect the cyber opportunity only to grow.

17 September 2024

The above does not constitute investment advice and is the sole opinion of the author at the time of publication. Heptagon Capital is an investor in Palo Alto Networks. The author of this piece has no personal direct investment in the business. Past performance is no guide to future performance and the value of investments and income from them can fall as well as rise.

Alex Gunz, Fund Manager, Heptagon Capital

Disclaimers

The document is provided for information purposes only and does not constitute investment advice or any recommendation to buy, or sell or otherwise transact in any investments. The document is not intended to be construed as investment research. The contents of this document are based upon sources of information which Heptagon Capital LLP believes to be reliable. However, except to the extent required by applicable law or regulations, no guarantee, warranty or representation (express or implied) is given as to the accuracy or completeness of this document or its contents and, Heptagon Capital LLP, its affiliate companies and its members, officers, employees, agents and advisors do not accept any liability or responsibility in respect of the information or any views expressed herein. Opinions expressed whether in general or in both on the performance of individual investments and in a wider economic context represent the views of the contributor at the time of preparation. Where this document provides forward-looking statements which are based on relevant reports, current opinions, expectations and projections, actual results could differ materially from those anticipated in such statements. All opinions and estimates included in the document are subject to change without notice and Heptagon Capital LLP is under no obligation to update or revise information contained in the document. Furthermore, Heptagon Capital LLP disclaims any liability for any loss, damage, costs or expenses (including direct, indirect, special and consequential) howsoever arising which any person may suffer or incur as a result of viewing or utilising any information included in this document. 

The document is protected by copyright. The use of any trademarks and logos displayed in the document without Heptagon Capital LLP’s prior written consent is strictly prohibited. Information in the document must not be published or redistributed without Heptagon Capital LLP’s prior written consent. 

Heptagon Capital LLP, 63 Brook Street, Mayfair, London W1K 4HS
tel +44 20 7070 1800
email [email protected] 

Partnership No: OC307355 Registered in England and Wales Authorised & Regulated by the Financial Conduct Authority 

Heptagon Capital Limited is licenced to conduct investment services by the Malta Financial Services Authority.
