Key lock

Opinions expressed whether in general or in both on the performance of individual investments and in a wider economic context represent the views of the contributor at the time of preparation.

Executive summary: More than $55bn is spent annually on cybersecurity. Yet it still yields ineffective defences, with cybercrime having cost the world economy over ten times this figure ($575bn) last year, equivalent to more than 1% of global GDP. There is, however, a solution at hand. A combination of increasing processing power and cheaper storage costs means that ‘next-generation’ cybersecurity businesses are deploying artificial intelligence and machine learning as proactive, predictive and preventive tools, with much higher success rates than legacy systems. The market for next-generation cybersecurity solutions is correspondingly expanding at ten times the rate of general cybersecurity spend and could be worth at least $7bn by the end of the decade. Many new players have entered this sphere creating a range of opportunities for both public and private investors. Our preferred approach for gaining exposure to the theme is via UK-listed Sophos, a holding in the Future Trends Fund.

By the time you have finished reading this document, roughly 150 people will have been a victim of identity theft.1 Since we last wrote on this topic in 2014, the number, scale and complexity of cyberattacks on both individuals and organisations has grown exponentially. The WannaCry and NotPetya attacks have brought the issue firmly into the public domain. High-profile organisations including the UK’s National Health Service, Deutsche Bahn, Renault, WPP and BNP Paribas saw their defences breached and services impeded. More starkly, since the start of this decade, there has been a 60% compound annual growth rate in cybersecurity incidents globally (per PWC), while at least 80% of European companies experienced some form of breach during 2015 (the last year for which the data is available, per the European Commission).

The bad news is that over $55bn is spent annually on cybersecurity software and services, yet it still yields ineffective defences. Furthermore, it is necessary to accept that cyberattacks are inevitable; they are the corollary of living in a world defined by connectivity. Mobile devices, social networks, the burgeoning internet of things and increasingly embedded and interlinked systems have transformed society – it is now possible to be virtually anywhere and connect with almost anyone.

Historically, attackers were largely creatures of opportunity, seeking the path of least resistance in order to achieve their ends. Now, the landscape has changed. With the digitisation of corporate assets (intellectual property, customer records, financial statements etc.) and personal information, there is a growing presence of highly motivated professionals looking to penetrate networks for monetary gain. These are often well-funded by criminal organisations. Moreover, increasingly nation states are leveraging cyber-vulnerabilities to disrupt or gain proprietary information for economic and/or national security purposes.

The scale of the problem is staggering. To give some context, over 1m new malware threats (malicious software or code that typically damages or disables, takes control of, or steals information from a computer system) are released daily, while ransomware attacks (software that is designed to block access to a computer system until a sum of money is paid) have jumped 50% in the last year and 160% over the past two, per data from the Ponemon Institute, a research organisation. Dealing with the problem is also expensive: the median cost of a cybercrime for a US business is $11m (data again courtesy of Ponemon), while the Centre for Strategic and International Studies has calculated that cybercrime costs the world economy some $575bn, equivalent to over 1% of global GDP.

Against this background, there is a clear and pressing need to derive new solutions for dealing with such emerging threats. The traditional – or ‘old world’ – approach simply does not work. Conventional network and security solutions based around firewalls and intrusion prevention systems were never designed to meet the challenges of advanced attacks. Such systems are reactive: they are able to deal with what has already been seen, experienced or known – but not with new threats. By definition, this is highly limiting.

The good news is that there is now an alternative: a new technology paradigm for cybersecurity is emerging based around artificial intelligence and machine learning. Under such an approach, software can make a ‘choice’ about something it has never seen before and therefore be proactive, predictive and preventive in dealing with cyber-threats. The ecosystem is self-sustaining: to learn, it must observe; to observe it must know what to look for; to know what to look for, it must have previously learned. Such approaches have, of course, been tried in the past, but failed for a variety of reasons: either sufficient data samples were lacking, algorithms were too imprecise or costs were too high. Now, with the advance of technology (faster processing power, better memory, cheaper storage), all of this has changed. Cylance, a leading business operating within the field, estimates that using an AI-based approach to cybersecurity can prevent 99% of existing and never-before-seen malware threats. This compares to a c60-70% success rate for traditional cybersecurity approaches (per Frost & Sullivan, a consultancy).

There is no common definition for next-generation cybersecurity given both the complexity of the market and the fact that some of the underlying technologies and techniques have been around for the last decade. Nonetheless, it broadly relates to behaviour detection and threat containment using algorithmic techniques, aiming for accurate and resilient real-time protection in the face of constantly changing threats. The process works using a combination machine and algorithmic science, data sourced from millions of end-points (computers or mobile devices) and a lot of computing power. Artificial intelligence and machine learning can look deeper and faster than is humanly possible, thereby generally avoiding the faults, errors and omissions caused by non-machine based security systems.

With only 7% of organisations ‘extremely confident’ of their IT security protocol (per a 2017 survey by Check Point) and with Chief Information Officers citing cybersecurity as their second highest spending priority (after cloud computing, per a recent study by Morgan Stanley), growth in expenditure on next-generation cybersecurity software is likely to accelerate. The $55bn cybersecurity market is currently expanding at a rate of 6-7% p.a. – implying that the overall market could be worth at least $72bn by the end of the decade – yet Sophos (another leading player in providing new services) estimates that the market for next-generation solutions is growing at ten times this rate, albeit from a much smaller base.

Looking ahead, it is conceivable that within the coming years, artificial intelligence and machine learning will be the sine qua non of cybersecurity software provision. In other words, their presence will be so integral and ubiquitous that the term ‘next-generation’ may no longer exist. A valid analogy might perhaps be with Satnav in cars: historically, customers used to pay extra for this service, yet it is now commonplace and broadly accepted. For the cybersecurity industry, there is a clear opportunity cost attached to not participating in the provision of next-generation services – namely, increasing irrelevance as a vendor. Such a view is endorsed by BTIG (a research house), which estimates that corporates’ expenditure of next-generation services will account for at least 75% of overall security spending before the end of the decade.

While the prospect of a world free (or freer) from cybersecurity threats is a tantalising one, there are a number of important challenges that need consideration. The first relates to proof of concept: next-generation services can only be good as the data they get given. In other words, large data sets are required. More fundamentally, software code is inherently vulnerable – there is no silver bullet for all threats. Even if 99% protection is provided, 1% of threats will still get through. Furthermore, a global network that is approaching the complexity of a human’s biology may, ultimately, not be securable because of its very nature – just as a human can never be free of all illnesses. Next there is the issue of human capital (or available, metaphorical doctors): with close to 0% unemployment for security professionals and a projected 37% increase in demand for information security analysts over the next decade (per the US Bureau of Labour Statistics), skilled professionals will remain a scarce resource. Not all organisations will be able to afford them.

In addition, most investors lack a clear understanding of how the market will evolve. The increasing prioritisation of cybersecurity expenditure for businesses and individuals is evident, given the well-publicised threat environment. What is less evident, however, is how the threat environment impacts the size, strength and vendor footprint of the security technology and services market, and also markets beyond technology. Chief Information Officers need to increase the cybersecurity budgets, but they also need to spend effectively.

From an investment perspective, we would highlight the following three crucial observations: it is not always obvious which vendors have the most effective technologies/tools/solutions – one size does not fit all; the rate of change within the industry is very rapid, so today’s leading technologies may not be tomorrow’s; and, just because companies have leading technologies, it does not mean that they are always good investments.

What does at least seem evident, however, is that there will be more industry consolidation. There were 137 cybersecurity M&A transactions in 2016 totalling $20bn, while an additional $10bn was invested by private equity in the field in the past year (per Momentum Partners, a VC firm). Furthermore, at present there are at least 30 players active within the next-generation market (per AGC Partners, another VC player), with the vast majority of these businesses still unlisted. Leading private players include Carbon Black (founded in 2002), Tanium (2007), CrowdStrike (2011), Cylance (2012) and SentinelOne (2013). In addition, Sophos provides a listed way for investors to gain exposure to the next-generation theme. Capitalised at £2.3bn ($3.0bn), Sophos offers its customers a single and consistent cloud-based platform with next-generation end-point solutions. The recent acquisition of Invincea should also boost further its AI capabilities. Given the importance for all businesses to secure themselves, expect more growth (and further deals) within the field.


Alexander Gunz, Fund Manager, Heptagon Capital

Disclaimers

The document is provided for information purposes only and does not constitute investment advice or any recommendation to buy, or sell or otherwise transact in any investments. The document is not intended to be construed as investment research. The contents of this document are based upon sources of information which Heptagon Capital LLP believes to be reliable. However, except to the extent required by applicable law or regulations, no guarantee, warranty or representation (express or implied) is given as to the accuracy or completeness of this document or its contents and, Heptagon Capital LLP, its affiliate companies and its members, officers, employees, agents and advisors do not accept any liability or responsibility in respect of the information or any views expressed herein. Opinions expressed whether in general or in both on the performance of individual investments and in a wider economic context represent the views of the contributor at the time of preparation. Where this document provides forward-looking statements which are based on relevant reports, current opinions, expectations and projections, actual results could differ materially from those anticipated in such statements. All opinions and estimates included in the document are subject to change without notice and Heptagon Capital LLP is under no obligation to update or revise information contained in the document. Furthermore, Heptagon Capital LLP disclaims any liability for any loss, damage, costs or expenses (including direct, indirect, special and consequential) howsoever arising which any person may suffer or incur as a result of viewing or utilising any information included in this document. 

The document is protected by copyright. The use of any trademarks and logos displayed in the document without Heptagon Capital LLP’s prior written consent is strictly prohibited. Information in the document must not be published or redistributed without Heptagon Capital LLP’s prior written consent. 

Heptagon Capital LLP, 63 Brook Street, Mayfair, London W1K 4HS
tel +44 20 7070 1800
email [email protected] 

Partnership No: OC307355 Registered in England and Wales Authorised & Regulated by the Financial Conduct Authority 

Heptagon Capital Limited is licenced to conduct investment services by the Malta Financial Services Authority.

Related Insights

Key Themes for 2025 and Beyond
  • Heptagon Theme Pieces

Key Themes for 2025 and Beyond

Cybersecurity: The more things change…
  • Heptagon Theme Pieces

Cybersecurity: The more things change…

Warehouses: Unsung heroes of the modern world
  • Heptagon Theme Pieces

Warehouses: Unsung heroes of the modern world

GET THE UPDATES

Sign up to our monthly email newsletter for the latest fund updates, webcasts and insights.