Forward-thinking companies are increasingly using data to improve many aspects of their businesses. As malicious actors realize the value of this data, the need for enhanced IT security has dramatically increased, creating investment opportunities in the cybersecurity sector.

In this two-part series, I will review the history of IT security, explain changes we are seeing to address more sophisticated threat vectors, and discuss my view of the investment landscape.

More Data = More Security

Innovative companies are increasingly using data to improve their businesses. For example, data collection and analysis can:

  • Boost customer loyalty by using sensors embedded in products to increase the mean time between failure;
  • Reveal sales opportunities with more precise marketing segmentation; and
  • Increase profits by optimizing the product characteristics that customers most value.

Harvesting these data sets positions companies to create formidable competitive advantages.

Unfortunately, malicious actors including nation states, organized crime, underground operations, and even competing enterprises, realize the value of this data and have developed increasingly sophisticated tools to hack corporate networks to use the information for nefarious purposes. In addition, governments and consumers continue to advocate for greater privacy protections, intensifying the need to harden corporate networks.

Combined, these factors create an ever-increasing need for IT security, generating attractive investment opportunities.

IT Security: Then

While securing networks was never easy, the complexity has escalated exponentially in recent years.

Two generations ago, the majority of a corporation’s data resided within its own walls, with limited access from the outside. Security focused on physical access and identity management—for example, who could enter the data center or who could log onto the network from terminals within the company.

In the late 1980s and early 1990s, the expansion of the internet and the proliferation of email changed the IT security landscape. Networks could be accessed from anywhere in the world, and malicious payloads could be delivered into those networks with little more than a user’s email address.

In this environment, physical security and identity management remained important, but the focus of data protection shifted to locking down open ports (the doors and windows of a network, so to speak), restricting applications that contained previously identified malicious code, and monitoring the data packets coming into and out of a network.

These developments have led to the widespread adoption of firewalls and antivirus programs, which significantly improved the overall security posture. However, firewalls and antivirus programs bore their own inherent weaknesses: specifically, they were most effective in networks with clear perimeters, and worked best at stopping previously identified—as opposed to newly developing—threats.

IT Security: Now

In the past few years, a rapid increase in the use of mobile devices, the adoption of software as a service (SaaS, or cloud-based applications), and a shift toward cloud computing have greatly increased the risk profile of organizational networks, forcing chief information security officers (CISOs) and network administrators to rethink and, in many cases, restructure how they protect data.

Traditional offices have given way to a mobile workforce; today, many employees do not commute to a centralized office location.  And as storage capacity has ballooned, employees’ laptops, tablets, and mobile phones can now accumulate an increasing amount of corporate data. Securing and controlling access to these devices has increased from important to absolutely critical.

In addition, the adoption of SaaS applications and cloud computing has moved mission-critical corporate data sets outside the traditional perimeter. Data and workloads often reside not only in house but also with multiple third-party vendors, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform Services, not to mention within all of the SaaS vendors an organization may use (which often number in the hundreds).

As an example, customer or employee data, which was previously stored on in-house databases, may now reside in the cloud via Salesforce and Workday, respectively. This has forced CISOs to evaluate and secure not only their own data centers and colocations (data center facilities in which a business can rent space for servers and other computing hardware), but also those of their vendors.

IT Security: Future

In the future, while some companies will bypass traditional approaches altogether, most will continue to employ traditional IT security technologies, such as firewalls and antivirus programs. You don’t stop locking the door just because you installed an alarm. However, the functionality of these technologies must expand, and their approach must morph to meet evolving threats. New types of assets like containers, workspaces, workloads, virtual machines, and shared services will be subject to attack, as will other nontraditional IT assets, such as control systems, payment terminals, home IoT devices, and cars.

You don’t stop locking the door just because you installed an alarm.

For example, prior attacks centered on stealing data, then using it for competitive purposes or selling it to other interested parties. Today, threats also involve hijacking networks for ransom payment (i.e., a ransomware attack) or stealing network compute power to mine cryptocurrencies.

Often these attacks take place using “clean” code that is not clearly malware but can be executed in a malicious fashion. This is driving the need for security focused on the code and its behavior when executed. Even scarier are attacks that use artificial intelligence to determine the stealthiest manner to bypass safeguards, then switch from dormant into attack mode with minimal trace. Lastly, with a more transient workforce and the ability to copy mass amounts of data on small devices more easily, potential threats from disgruntled insiders who have legitimate access to data but choose to use it in a rogue fashion are becoming more acute.

Given these trends, a greater percentage of corporate budgets will likely shift from existing protection approaches toward practices and technologies that can handle the borderless network and automatically learn to adapt to the changing threat landscape.

I’ll discuss some of these technologies, along with the IT security investment opportunity, in part two of this series.

IT Security: What We’re Reading

References to specific companies are for illustrative purposes only and are not intended as recommendations to purchase or sell securities. William Blair may or may not own any securities of the companies referenced and, if such securities are owned, no representation is being made that such securities will continue to be held. It should not be assumed that any investment in the securities of the companies referenced was or will be profitable.

Corey Tobin, partner, is a research analyst and co-director of research on William Blair’s U.S. Growth Equity team.

RELATED POSTS

SUBSCRIBE NOW

Gain insights on macro market events, the economy, and investing strategies.
Receive our latest blog posts in your Inbox with headlines like:

SIGN UP

FOLLOW US

twitterfooterlinkedinfooteryoutubefooterfacebookfooter

RSS FEED

Please carefully consider the Funds’ investment objective, risks, charges, and expenses before investing. This and other information is contained in the Funds’ prospectus and summary prospectus, which you may obtain by calling +1 800 742 7272. Read the prospectus and summary prospectus carefully before investing. Investing includes the risk of loss.

Any statements or opinions expressed are those of the author as of the date of publication, are subject to change without notice as economic and markets conditions dictate, and may not reflect the opinions of other investment teams within William Blair Investment Management, LLC or the Investment Management Division of William Blair & Company, L.L.C.

This content is for informational and educational purposes only and not intended as investment advice or a recommendation to buy or sell any security. Investment advice and recommendations can be provided only after careful consideration of an investor’s objectives, guidelines, and restrictions.

Factual information has been taken from sources we believe to be reliable, but its accuracy, completeness or interpretation cannot be guaranteed. Investments are subject to market risk. Forecasts, estimates, and certain information contained herein are based upon proprietary research and should not be interpreted as investment advice, as an offer or solicitation, nor as the purchase or sale of any financial instrument. Statements concerning financial market trends are based on current market conditions, which will fluctuate.

William Blair does not provide legal or tax advice. Please consult your tax and/or legal counsel for specific tax questions and concerns.

Distributed by William Blair & Company, L.L.C., member FINRA/SIPC.

Copyright © 2019 William Blair & Company, L.L.C. "William Blair” is a registered trademark of William Blair & Company, L.L.C. No part of this material may be reproduced in any form, or referred to in any other publication, without express written consent.

Statement of Financial Condition | NMS Rule 605 & 606 | Business Continuity Plan | UK Stewardship Code
Cookie Policy | Social Media Disclaimer | Privacy & Security | FINRA’s BrokerCheck

FOLLOW US

twitterfooterlinkedinfooteryoutubefooterfacebookfooter

RSS FEED

Please carefully consider the Funds’ investment objective, risks, charges, and expenses before investing. This and other information is contained in the Funds’ prospectus and summary prospectus, which you may obtain by calling +1 800 742 7272. Read the prospectus and summary prospectus carefully before investing. Investing includes the risk of loss.

Any statements or opinions expressed are those of the author as of the date of publication, are subject to change without notice as economic and markets conditions dictate, and may not reflect the opinions of other investment teams within William Blair Investment Management, LLC or the Investment Management Division of William Blair & Company, L.L.C.

This content is for informational and educational purposes only and not intended as investment advice or a recommendation to buy or sell any security. Investment advice and recommendations can be provided only after careful consideration of an investor’s objectives, guidelines, and restrictions.

Factual information has been taken from sources we believe to be reliable, but its accuracy, completeness or interpretation cannot be guaranteed. Investments are subject to market risk. Forecasts, estimates, and certain information contained herein are based upon proprietary research and should not be interpreted as investment advice, as an offer or solicitation, nor as the purchase or sale of any financial instrument. Statements concerning financial market trends are based on current market conditions, which will fluctuate.

William Blair does not provide legal or tax advice. Please consult your tax and/or legal counsel for specific tax questions and concerns.

Distributed by William Blair & Company, L.L.C., member FINRA/SIPC.

Copyright © 2019 William Blair & Company, L.L.C. "William Blair” is a registered trademark of William Blair & Company, L.L.C. No part of this material may be reproduced in any form, or referred to in any other publication, without express written consent.

Statement of Financial Condition | NMS Rule 605 & 606 | Business Continuity Plan | UK Stewardship Code
Cookie Policy | Social Media Disclaimer | Privacy & Security | FINRA’s BrokerCheck

Subscribe Now

Gain insights on macro market events, the economy, and investing strategies. Receive our latest blog posts in your Inbox with headlines like:

SIGN UP

Send this to friend