Cybersecurity Has Never Been this Important…but 2022 Returns May Be Challenged

Global Head of Research

01/25/2022

As we begin 2022, the initial case has been clear: cutting-edge tech companies that have exhibited strong revenue growth but that might have low or even negative net income have been challenged. Many cybersecurity companies that are focused on the future—things like cloud security rather than on-premise security, for instance—have been no exception.

However, many of us may also recall that 2021 was a year of some major hacks, like the Colonial pipeline. It would be difficult to imagine any business today of any size with zero spending on, or investment in, cybersecurity.

There are few megatrends like cybersecurity in this sense: with artificial intelligence, for example, there may be many reasons to use it or many benefits to be derived, but it’s still a choice. Not doing anything in cybersecurity really isn’t a choice anymore, so it’s more a question of the specific services to use and specific companies to work with.

Massive Growth Potential

It is estimated that in 2020, spending on cloud computing, specifically infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) was $106.4 billion, expected to grow to $217.7 billion by 2023¹.

Now, cloud workloads need to be protected—but how much spending is estimated on the cybersecurity element? In 2020, it was roughly $1.2 billion, and in 2023, it is estimated to be $2 billion. That means that in 2023, it’s possible that spending on cloud security will be less than 1% of spending on cloud services².

It is estimated that ‘security spend’ should be closer to a figure between 5% and 10% of a given information technology budget. This means it would be more reasonable to see a figure of $12.4 billion of spending on cloud security in 2023. That would be a magnitude of growth of about 10 times relative to the aforementioned estimate for the 2020 spending². There is no guarantee that spending will ever reach this level, but the concept that firms need to take the topic more seriously is clearly being discussed.

What’s More Expensive—Dealing with a Cybersecurity Issue or Spending on Preventative Efforts?

This is one of the critical questions in cybersecurity, because if it is less expensive to just deal with issues after they occur, there would be no market for preventative measures. Toward the end of December 2021, we saw one example of a company needing to settle a particular case³:

A hacker stole the personal data of more than 100 million people in 2019 from Capital One and its cloud services provider, Amazon Web Services, in 2019.

Capital One agreed, in 2021, to pay $190 million to settle a class action lawsuit filed by these customers.

In 2020, Capital One agreed to pay $80 million to settle regulators’ claims that it lacked proper cybersecurity procedures as it began to use cloud storage technology.

The settlements make the headlines, but think of the costs of time, the costs of legal fees, the turnover in certain employees that may happen…while it may never be possible to have 100% protection from all hackers, the case is clear for a focus on preventative measures.

Governments Are Taking Action

The government angle on cybersecurity seems to have, at least presently, two major avenues:

Data protection: Citizens have become much more aware of their data being used and stored in different ways and governments want to take action to ‘protect’ peoples’ personal data when and where possible.
Infrastructure protection: The Colonial pipeline, which led to many difficulties for consumers getting gasoline in May 2021 up and down the eastern seaboard of the U.S.

In July 2021, the U.S. Senate confirmed Chris Inglis as the first national cyber director. In May 2021, President Biden issued an executive order that dramatically shifted the general regulatory stance, which had formerly been much more voluntary and hands-off⁴.

Conclusion: The Demand for Cybersecurity Solutions Should Be Relatively Constant

We must remember that certain trends are already in place that may not be very sensitive to changes in interest rate policy. One is a shift from ‘on-premise’ hardware to cloud computing, where many companies can realize efficiencies and cost benefits. These shifts require different, updated security packages, and they are expected to continue through 2022. The key risk, as we see it, is that many cloud-focused cybersecurity companies delivered unbelievable share price returns in recent years and these firms may see their valuations adjust as interest rates rise—even if their revenue growth continues. Thinking beyond simply the returns of 2022 could be important when thinking about the cybersecurity megatrend.

¹ Source: Crowdstrike Corporate Overview, December 2021 version, using International Data Corporation Estimates.

² Source: Crowdstrike, December 2021.

³ Source for bullets: Nguyen, Lananh. “Capital One Settles a Class-Action Lawsuit for $190 Million in a 2019 Hacking.” The New York Times. 12/23/21.

⁴Source: Rundle, James. “Companies Face Stricter Cyber Rules in 2022.” Wall Street Journal. 1/3/22.