Today, no company can reach a certain size or public visibility without becoming a target for hackers. Companies, government agencies, and high-profile individuals are subject to a constant barrage of attempts to access their most sensitive data. These attacks can be used to damage reputations, exploit data for financial gain, or simply to create chaos within an organization. As we’ve seen in the historic SolarWinds hack, cyber-attacks impose a mounting cost on society. As a result, there is a growing demand for protection, with the cybersecurity sector valued at $173 billion globally.

Cybersecurity: A Fluid, High-Growth Market

The cybersecurity sector is one of the highest-growth markets, often lying at the frontier of disruptive new technologies. The innovative firms that operate in this space must constantly anticipate and react to new security threats, ranging from low-level criminals to state-sponsored, highly advanced adversaries. As the threats grow in number and sophistication, so too does the money that firms will spend to protect themselves.  

Where We Are, Where We’re Going

The cybersecurity sector has enjoyed robust growth over the last three years. In the graph below, we use an S&P 500 Index and the First Trust CyberSecurity ETF as barometers for the condition of the cybersecurity sector. As we can see, the cybersecurity sector has mostly tracked the market over the last three years, including its dramatic correction in early 2020 as pandemic fears sent stocks cratering. However, the sector’s recovery in 2020 has been stronger than the S&P 500’s, which recently reached a record high in its own right.

Cybersecurity Stocks Outperform S&P

We expect the sector to continue to outperform the stock market in the years to come. Our confidence in the sector’s future growth, as well as its resilience to broader economic shocks, comes from some key observations about the economics of cybersecurity.

cybersecurity stocks outperform S&P

One critical, if seemingly obvious point is that the economy will continue to move online. The pandemic has accelerated a pre-existing trend toward a digital life, which means more online shopping, work, and entertainment. As each of these realms becomes more connected to the internet, so do our identities, transactions, and personal data. The potential for security breaches grows, as does the possible payout and breadth of targets for hackers.

This lucrative opportunity is enough to ensure a growing supply of malicious events. The chart below illustrates this idea; the monetary damage reported to the IC3 has roughly doubled every two years since 2001. The real global cost, according to the Center for Strategic and International Studies, is closer to $600 billion a year.

Amount of Monetary Damage Caused by Reported Cyber Crime to the IC3 from 2001 to 2019

While some spending on cybersecurity has been proactive, many companies have unfortunately needed to feel the sting of a major breach before beefing up their investment. With each high-profile attack, we’ve seen organizations respond with greater spending. Moving forward, growth in cybersecurity spending will likely be punctuated by sudden upward spikes, following a significant breach. In other words, the demand for cybersecurity reliably responds to the supply of malicious events. There is no reason to expect the growing sophistication and volume of cyberattacks to reverse the trend, and so companies will keep pace with higher spending to protect their assets and reputation.

Amount of Monetary Damage Caused by Reported Cyber Crime to the IC3 from 2001 to 2019

In a fast-changing economy, there are few goods whose demand is guaranteed to see exponential growth in the coming decades. Cybersecurity is one such good. For this fact alone, the sector warrants special attention from Economic Development professionals. While the industry is certain to thrive in the coming decade, the technologies employed will likely continue to change, and the fates of individual firms remain unknown.  

What Cybersecurity segments are growing? 

While the broader sector is a safe bet, naturally some firms in the space will thrive while others fail. Certain segments will also see increased demand while others lose relevance amid a changing technological landscape. There are a number of specific companies and market segments to focus on in the years to come. December’s SolarWinds hack, one of the most momentous cyberattacks in history, is a pivotal part of any near-term prediction. 

The recent security breach, likely the largest of public record, exposed a number of federal and local agencies, as well as major companies around the world. We still do not know the full extent of the damage caused by malware embedded in SolarWinds’ software, but there are a number of high-profile victims. Over months, hackers obtained sensitive data from the Homeland Security and Treasury Departments, among others. Casualties also include fellow tech companies, such as Cisco and Microsoft. 

In the wake of the hack, UBS analyst Fatima Boolani identified some key companies that are likely to outperform. These include CrowdStrike, Palo Alto Networks, and CyberArk. Crowdstrike, which tends to be one of the largest holdings in cybersecurity index funds, has been tasked with helping SolarWinds mitigate damage. In keeping with a known pattern, Boolani also predicted a sharp uptick in cybersecurity spending in 2021, in response to the breach.

Two major segments to watch are the encryption software and cloud security markets. Both markets are expected to grow at a CAGR of over 15% over the next five years, according to Global Market Insights. These services are uniquely poised to tackle the challenge of remote work. Employees require greater remote access to company files, and they need to work from anywhere, often using public networks.

Cybersecurity in the US

Many InfoSec companies are young and not yet profitable, but enjoy substantial financial backing due to their expected growth. Crowdstrike, for example, enjoys a valuation of 60 times sales, even though it’s lost $100 million over the last twelve months. This competitive, deep-pocketed sector has a reputation for high spending on employee compensation, as well as on Research and Development.

Historically, the leading states in the field have been California, home to Silicon Valley, and New York, with demand coming from financial giants like JP Morgan. Virginia and Maryland have also seeded several companies in response to public sector demand from Washington, DC. Texas, however, has recently garnered attention, where Austin is emerging as a major tech hub. Leading tech companies, such as Oracle, Tesla and Dropbox, have moved operations to Austin this year, and cybersecurity providers are setting up shop as well.

Cybersecurity Hotspots: Where are the fastest-growing companies located?

Cybersecurity activity tends to aggregate wherever their services are needed, there is plenty of talent, and tax treatment is favorable. A large number of companies in the financial and tech spaces have always made New York and California focal points. As costs have risen in these states, activity is shifting elsewhere, with the tax-friendly, highly skilled Texas market a prime example.

An opportunity for Economic Developers?

The cybersecurity sector is poised for a meteoric rise over the next decade. As the annual cost of cyber-attacks continues to pile up, defense spending in both the public and private sectors will increase as well. The unique economics of cybersecurity, coupled with its position at the forefront of virtually all emerging technologies, guarantees robust growth in the years to come, as well as a volatile space for individual companies. The geographic flexibility of this sector makes companies likely to move into more favorable regions if properly incentivized.