The Case for Consolidation Among Cybersecurity Stocks

A recent survey by PwC of nearly 4,000 business and tech executives representing some of the largest global companies suggests that in 2024, 79% of organizations intended to increase their cybersecurity budgets from 2023. The survey also notes that the cost of security breaches, as well as the number of high-dollar breaches, continues to increase. And although cyber attacks are the top concerns cited, only half the organizations surveyed indicate they are ‘very satisfied’ with their technology capabilities in key cybersecurity areas.

If you couple those findings with the U.S. Securities and Exchange Commission’s (SEC) recent rollout of new rules requiring public companies to disclose material cybersecurity incidents to shareholders, you get the business case for why the cybersecurity sector is ripe for both growth and consolidation over the next few years and why investors might want to pay attention. 

To subscribe to the MalcolmOnMoney newsletter and receive more content like this, click here.

Cybersecurity providers now have a federally mandated tailwind at their backs that can last for several years. Not to mention, President Biden’s Fiscal Year 2024 Budget includes $10.9 billion for “civilian cybersecurity-related activities”—which itself is a drop in the bucket—considering worldwide spending on security and risk management is projected to total $215 billion in 2024, up 14% from 2023 according to Gartner Research.

With that in mind, cybersecurity companies face several challenges. Foremost, on its most recent earnings call, CrowdStrike’s chief executive officer, George Kurtz, highlighted the ongoing talent shortage within the cybersecurity industry. According to the Cyber Workforce Study by the Import Control System 2 (ICS2), there are an estimated five million people currently working in cybersecurity related roles with approximately 3.5 million positions left unfilled.

As the demand for cybersecurity expertise continues to outpace supply, companies must invest in training, development, and innovative recruitment strategies to attract and retain top talent, all while navigating the financial pressures of operating in an increasingly competitive market. To combat this shortage, some companies—along with the federal government—are partnering with educational institutions to create specialized training programs and internships, designed to assist qualified candidates in meeting their growing needs.

These sorts of initiatives, however, take time. Smaller cybersecurity providers are getting into bidding wars and are forced to offer substantial signing bonuses to lure top talent away from competitors, driving up salary expectations for the entire industry. Ironically, this makes it even more difficult for smaller firms to secure the expertise they need.

For smaller companies especially, it can be challenging to offer the type of compensation packages that new entrants in the field expect. This talent gap not only strains resources but also puts smaller firms at a disadvantage when competing with larger, more established entities that can afford to provide higher salaries, comprehensive benefits, and better career development opportunities.

As the industry reckons with its staffing challenges, recent enhancements in artificial intelligence (AI) have made it even more complicated for large-scale organizations and the cybersecurity companies who protect them to keep up. The variety and complexity of the more common threats like ransomware and phishing, to advanced persistent threats and zero-day vulnerabilities, require constant vigilance and innovation.

Unfortunately, in an industry as fragmented as cybersecurity, companies are typically forced to rely on a multitude of vendors and solutions to cover different aspects of their security needs. Companies employ solutions from an average of 40-70 security vendors each, which is both costly and time consuming to maintain. This can lead to significant costs from breaches, fines for non-compliance, and a loss of customer trust.

This fragmented approach is no longer sufficient to detect and prevent more sophisticated attacks and can also lead to integration challenges, inconsistent security policies, and gaps in protection. As each solution often operates in isolation, organizations may struggle to achieve comprehensive visibility and coordination across their security landscape, ultimately increasing the risk of vulnerabilities being exploited by cybercriminals.

At the forefront of the minds of chief information and security officers is how to prepare for attacks that use AI and whether the existing generation of security vendors can evolve to prevent and protect against more sophisticated attacks.

Palo Alto Networks’ CEO Nikesh Arora shed some light on the fact that customers are reluctant to adopt isolated point products from cybersecurity vendors, thus underpinning the necessity of consolidation. It will take several mergers and acquisitions for companies to turn themselves into the platform companies that Palo Alto Networks aspires to be and that CrowdStrike already is. Customers want all-in-one solutions that offer one login and a single point of truth—otherwise known as platformization.

As the trend towards platformization grows in popularity, large enterprises are showing an increased preference for integrated solutions from one singular provider. It’s the reason shares of CrowdStrike, the only purely cloud-native cybersecurity provider on the market, saw its stock price skyrocket by more than 50% until recently.

For smaller cybersecurity providers especially, merging with larger firms or other complementary providers is likely the best path forward. Through consolidation, smaller companies can pool resources, expertise, and technologies, leading to the development of more unified and interoperable security solutions.

And the clock is ticking. Of all the mega-cap technology companies that dominate the cloud computing landscape, Amazon is the only one who has yet to announce plans to offer its own endpoint security services, opting to work with partners such as CrowdStrike and Palo Alto Networks instead—for now.

Together, Microsoft and Google control about one-third of the global market for cloud services and will likely seek to increase revenues and differentiate their service offerings by bundling more advanced security features into their flagship benefits. And with the levels of cash and cash-like equivalents that these companies maintain on their respective balance sheets, it will be far easier to reach the scale they desire by acquiring a small or mid-sized player than to build a comparable tool internally.

For investors, this trend presents an opportunity to get ahead of the curve by positioning themselves in cybersecurity stocks before consolidation becomes widespread. While larger technology firms eye smaller cybersecurity providers for acquisition, those early investments can conceivably benefit significantly from potential buyout premiums, as M&A activity often leads to increased valuations for the acquired companies. By investing now, investors stand to capitalize on the momentum that these acquisitions can generate, rather than waiting until after the deals are announced and the stocks have already surged.

Moreover, early investments in companies that are pioneering these technologies can yield substantial returns as their solutions become indispensable. In a market where only the most adaptable and technologically advanced firms are likely to thrive, identifying and investing in these companies before the broader market recognizes their potential can offer investors a significant advantage.

Rather than trying to predict the one stock that’s most ripe for a merger or acquisition, the safer, more sensible way to position a portfolio to take advantage of this theme is through an exchange-traded fund (ETF) focusing on cyber security, such as the First Trust NASDAQ Cybersecurity ETF or the Global X Cybersecurity ETF (BUG). These ETFs contain a concentrated number of stocks that generate a substantial percentage of their revenues from cybersecurity-related operations.

Consolidation within the industry will foster collaboration and standardization, ensuring that different solutions work harmoniously together. This not only improves overall security but also simplifies management and enhances the ability to quickly detect and respond to threats. Ultimately, merging offers smaller cybersecurity providers the opportunity to enhance their capabilities, expand their market reach, and deliver stronger, more resilient cybersecurity solutions to their clients. Stock investors would be smart to get ahead of the curve.

***********************************

Malcolm Ethridge, CFP® is the Managing Partner of Capital Area Planning Group based in Washington, DC. He is also the Managing Partner of Capital Area Tax Consultants. 

Malcolm’s areas of expertise include retirement planning, investment portfolio development, tax planning, insurance, equity compensation and other executive benefits. 

 Disclosures:

The information provided is for educational and informational purposes only, does not constitute investment advice, and should not be relied upon as such. Be sure to consult with your legal advisors before taking any action that could have tax and legal consequences.

Investments in securities and insurance products are:

NOT FDIC-INSURED | NOT BANK-GUARANTEED | MAY LOSE VALUE

Malcolm Ethridge