Is 'Zero Trust' the next investment opportunity in Cybersecurity?
David Milroy, Partner at Maven, introduces the latest cybersecurity buzzword 'Zero Trust', and discusses the opportunities for investing in that vibrant sector.
Corporate data breaches, election security and ongoing discussions around data privacy ensure that cybersecurity continues to make the headlines. Protecting sensitive information, including intellectual property and customer data, is a top priority in today's digital age, and a breach in security can lead to lost trust, lost credibility, and ultimately lost business. It’s no wonder then that global spending on cybersecurity in 2019 is predicted to top $124 billion according to research firm Gartner.
However, despite this significant and growing spend, cyberattacks are becoming more regular and more disruptive, with security breaches thought to have cost the global economy $1.5 trillion last year! Recent attacks making the headlines include a breach at blood testing group Quest Diagnostics involving the personal data of almost 12 million patients. Similarly, in September, food-delivery service DoorDash revealed that a breach exposed the personal data of 4.9 million customers, merchants and delivery workers.
The threat isn’t limited to corporates, with the insurance broker Gallagher reporting that the UK’s local authorities are facing an unprecedented barrage of cyber-threats, amounting to almost 800 every hour in the first half of 2019. The scale and sophistication of attacks are alarming, as is the increasing use by hackers of ransomware: the NotPetya ransomware attack on Merck & Co. reportedly cost this leading pharma company close to $1 billion.
Big data breaches suggest that existing cybersecurity solutions are inadequate and are being increasingly stretched by the changing security environment, most notably the move to the Cloud and an API (application programming interface) economy. With APIs allowing various applications to talk to each other, vast amounts of data now being hosted within public clouds, and mobile users accessing networks from a variety of devices, hackers have a bigger target to go after, and placing an effective firewall around an entire enterprise is now very challenging. In response, cybersecurity vendors are developing a myriad of technologies and products addressing different points of vulnerability in a constant battle to out-smart hackers. Private equity investors face a daunting challenge in deciding which of the protective technologies in the ever-growing ecosystem to back. They also have to decide whether to support cybersecurity start-ups that could disrupt the market or focus on larger, more diversified public companies.
Identity and Access Management (IAM) has become a key area, with hackers often accessing networks via employees with administrative access. Maven has invested in Edinburgh IAM business Symphonic Software, which enables organisations to manage ever-increasing and more complex digital access by employees, customers and partners to sensitive data and key digital services. Symphonic clients can react quickly to new threats whilst lowering costs by defining their access control policies in a centralised location.
Companies like Symphonic illustrate the opportunity for investing in the UK’s thriving cybersecurity ecosystem. According to the Cybersecurity 500 list, London is one of the leading cities for cybersecurity ventures (ranked 7th globally) with some notable players such as Darktrace. Similarly, Edinburgh is home to a number of successful cybersecurity businesses, including Bloxx (now part of Akamai), ZoneFox (now part of Fortinet) and Corero, all of which have received venture funding. Like London, Scotland’s capital is a major financial centre, providing both the market pull and the expertise required to grow these businesses. Edinburgh is also fortunate in having world-leading cybersecurity research groups such as Professor Bill Buchanan’s at Edinburgh Napier University, which has an enviable track record of spinning out companies including Symphonic.
IAM technologies are a key enabler for the latest cybersecurity strategy, Zero Trust. To date the security focus for most corporates has been erecting firewalls around the perimeter of their network. However, this model has increasingly come under attack, calling for a new paradigm wherein the concept of trust in a security context is dramatically altered.
In a Zero Trust framework, trust is viewed as a vulnerability, with all users treated equally, in contrast to traditional security, where users inside a network are deemed to be more trustworthy than those outside of the corporate firewall. The traditional approach has led to a tendency to overlook internal threats, and the implications were once again highlighted earlier this year when Citrix disclosed a data breach in which hackers went undetected for months after an initial break-in. What matters in a Zero Trust framework is who you are, not where you are, and in this 'zero-trust' cybersecurity era everything will be authenticated, authorised and tracked. Put simply, IAM becomes the new perimeter, and the aim is to stop intruders from causing significant damage by severely limiting a user’s access within the network, permitting access to only those specific apps and data aligned to the user’s role. There have been a number of significant transactions in this space during 2019, including Cisco’s acquisition of Duo Security for $2.35 billion, Proofpoint’s $120 million acquisition of Meta Networks and Symantec’s acquisition of Luminate Security.
Whilst cybersecurity, as a sector, clearly represents a huge opportunity for the investment community, there is also significant transactional risk in assessing each investment opportunity. Investors are increasingly incorporating cybersecurity diligence into their investment decision-making process so as to avoid investing in businesses that go on to suffer costly breaches or inherit another organisation’s security vulnerabilities by way of M&A.
Interestingly, recent research conducted by Forescout Technologies found that 53% of business decision makers reported that their organisations uncovered a material cybersecurity incident that put an M&A deal at risk. The merger of Marriott International and Starwood Hotels & Resorts provides a good example of the dangers. Prior to the deal, hackers stole roughly 500 million Starwood customer records, including payment information. Without conducting a thorough due diligence process, Marriott unknowingly inherited Starwood’s vulnerabilities. Subsequent reporting of the attack resulted in reputational harm, a new legal liability and a fall in share price.
SMEs are just as vulnerable as larger corporates and, whilst resources and priorities may limit their ability to tackle the threat, it is imperative that investors understand the threat faced by the companies they are considering backing. It is also likely that as larger businesses step up their protection they will begin to push their own security requirements down the supply chain, increasing the pressure on smaller businesses to ensure that they are not the weak link.
Faced with the spectre of ever more sophisticated attacks, businesses will continue to invest in preventative measures that fuel the cybersecurity ecosystem and, as a result, will create attractive opportunities for investors.