The spiraling growth of the Internet has helped companies strengthen their relations with customers and vendors. It has also provided a haven for criminal hackers seeking new ways to steal customer credit card numbers, bank account numbers and other sensitive data.
Recent breaches at big-name retailers have only scratched the surface of the problem, says Frederick Ziegel, an analyst for Topeka Capital Markets.
"You can't pick up a newspaper these days and not see a story about some security-related issue, whether it's Target or Neiman Marcus, and you have the whole mobile market ahead of you," he said, "They have not even begun to figure out what they need to do to protect their critical infrastructure.
Analyst Daniel Ives with FBR Capital Markets & Co. puts it in even starker terms. The Internet is a battleground, he says, and security software is no longer a luxury item.
"The threat level facing networks is nothing like we have ever seen before," he said. "It's an accelerating market opportunity where the total addressable market continues to expand.
A set of young companies is growing fast in the sector, offering better ways to address security gaps. Long-standing players are hustling to re-invent themselves in order to meet the changing environment.
Everyone is trying to stay ahead of the crooks, says Mark McCaffrey, lead global software analyst for PricewaterhouseCoopers.
"The more adept security systems become, the more that people figure out ways to get around it," he said.
Security software comes in several varieties. And not everyone is chasing the same portion of the market.
NQ Mobile (NQ) sells mobile security and mobile device management products. AVG Technologies (AVG) extends its security products to PCs, mobile devices and small businesses.
Zix (ZIXI) sells an email encryption service in cloud-based computing, a system for storing and accessing data over the Internet. Qualys (QLYS) sells vulnerability management software for managing data threats. Symantec (SYMC), one of the larger players, sells software that protects data networks as well as devices such as PCs.
Palo Alto Networks (PANW) is focused on protecting company firewalls, while FireEye (FEYE)specifically detects new types of threats to a company's website, email and data base systems.
"Every security vendor has their own blueprint of attacking the threat environment," Ives said.
They also show widely varying fundamentals. Some smaller new issues, including NQ Mobile and Palo Alto, are growing fast on both the sales and revenue lines.
FireEye has shown explosive revenue growth, but hasn't turned a profit.
Symantec has struggled to maintain revenue growth, with declines in the past two quarters.
Facing The BYOD Challenge
By 2016, global spending on security software will reach $25.3 billion, up 32.2% from the $19.1 billion spent in 2012, says market-tracker Gartner.
Increasing amounts of data pushed through cloud-based computing, mobile devices, social media and Big Data are primary drivers, says Ruggero Contu, an analyst for Gartner.
"All of those trends are pushing vendor positions in security," he said.
Mobile is especially critical as sales escalate.
Worldwide smartphone shipments are expected to reach 1.68 billion by 2017, reflecting an annual growth rate of 18.4% from 2013 to 2017, says research firm IDC.
Many companies allow employees to use their personal smartphones at work. But the bring-your-own-device policy opens the door to potential threats, says Contu.
"Mobile security is a big problem," he said. "Organizations are still struggling to find the right approach around how to deal with the BYOD problem and what level of security policy to deploy.
End Of The Anti-Virus Era?
Security markets are changing fast, requiring some of the most well-known players — Symantec, Intel's (INTC) McAfee and Trend Micro — to reinvent themselves, Ziegel says.
"The antivirus market, which is 40% of Symantec's business, and which is a good chunk of McAfee's business — those technologies which have been around for a long time just don't work any longer, so the Symantecs, McAfees and Trend Micros of the world should be going back to the drawing board," he said.
Symantec is working through a restructuring program. But there is no guarantee it can re-ignite revenue growth that has languished for nearly two years, says analyst Ives.
"They have a great brand, a large customer base, but there is not that much fuel in the engine," he said.
Another security stalwart, Check Point Software Technologies (CHKP), reported solid Q4 numbers on Jan. 28. The results beat views in spite of a quarterly revenue growth locked in single digits for nearly two years.
On the flip side, newer players including FireEye, Barracuda Networks (CUDA) and Palo Alto Networks have all posted consistent double-digit revenue growth, Ives says.
"They have been major market-share gainers and have really helped redefine the market," he said.
Last year, venture investment in security software companies reached $856 million, up 26.8% from 2012 and up 321.8% from 2002, says PwC and the National Venture Capital Association.
The increase in funding isn't surprising, McCaffrey says.
"You are seeing more companies come up with more innovative technology around security and there is competition in the space," he said.
M&A activity is also growing, partly from inside the security software industry, but also as large companies move into the space via acquisitions.
In early January, FireEye announced plans to acquire Mandiant, a privately held cybersecurity consulting firm best known for detecting a group of Chinese hackers last year.
On Jan. 22 VMware (VMW), the leading provider of virtualization software, said it plans to acquire AirWatch, a closely held maker of mobile security and mobile management software for about $1.54 billion.
In October, Cisco Systems (CSCO) spent $2.7 billion to acquire Sourcefire, a maker of cybersecurity software to boost the networking equipment company's growing security business.
Security Drives Spending
In 2013 the average cost of cybercrime per organization worldwide was $11.56 million, up 26% from 2012, says a study completed by Ponemon Institute, a research company, and sponsored by Hewlett-Packard (HPQ).
Spending is dictated by more sophisticated and ruthless cyberattacks, Ziegel says.
"The price of poker is going up because the rate of change is accelerating, which means you have to stay on top of that stuff. So you will continue to see 15% or 20% of every dollar going to R&D," he said.
Companies such as Imperva (IMPV) and Qualys are also built to protect companies from attacks designed to steal massive amounts of data at once, says Ives.
"What has popped up in the last few years is more security products directed at protecting data centers — that was not a market three or four years ago," he said.
Sorting Out The Security Picture Cybersecurity issues are getting worse, and companies have no choice but continue to address the problem, says McCaffrey.
"The more we are touching consumers in every industry via mobile, the cloud, advertising, the more security is going to come into play," he said.
Finding the best solution might be the biggest problem, Ziegel says, in an environment where huge market opportunities are still unaddressed.
"It will be a lot bigger over time just because security problems continue to extend across every industry sector," he said.
Skilled labor is also a critical challenge, as schools turn out far too few qualified programmers.
"So there is going to be a land grab for what is a very scarce skill set," Ziegel said.
Investors face two key challenges, Ives says. One is to determine which security software companies respond best to new, sophisticated cyberthreats. The other is to monitor larger companies acquiring their way into the trade.
"The biggest risk is you have a lot of companies playing in the same sandbox," he said. "There (are) going to be clear winners and losers, so finding the right vendors to bet on is key."