Cyberattacks Are Certain; Cybersecurity Business Is Not

(Bloomberg Gadfly) -- It’s now clear that cyberattacks are a fact of life for corporations and governments. What’s less clear are the winners and losers among companies focused on stopping the digital break-ins. 

News about the WannaCry digital extortion attack that crippled hundreds of thousands computers worldwide caused predictable stock market euphoria on Monday. As tends to happen when there is a highly public cyberattack, share prices of cybersecurity technology specialists such as Palo Alto Networks, Proofpoint and Fortinet climbed. 

Many prominent digital attacks -- such as those on Target, J.P. Morgan Chase and Sony’s movie studio -- lift hopes of ringing cash registers at tech companies that make money from companies’ fear they’ll be the next victim. But even as computer attacks become more prevalent and damaging, they haven’t been a universal triumph for the cybersecurity industry.

It is true that corporate executives, boards of directors and governments are taking digital threats seriously . Research firm IDC expects spending on information-technology security to increase 8.7 percent each year through 2020 to nearly $105 billion, nearly three times the forecasted growth rate of all corporate and government technology spending. In a recent Morgan Stanley survey of big company information technology executives, digital security software was cited as the top 2017 spending priority by the second-highest number of respondents, trailing cloud computing technology. 

But there are no sure bets in the cyber world. Securing companies from computer intrusions is growing more competitive. A glut of options from from old-guard tech companies such as Cisco and from money-rich Silicon Valley startups is making it harder for all cybersecurity technology to stand out to prospective customers. The industry didn't do itself any favors, either. It has grown difficult to tell which companies are selling effective security safeguards and which ones are overpromising.

As a result, valuations of many onetime cybersecurity highfliers have come back from the stratosphere as investors started to rethink their indiscriminate bets. The First Trust Nasdaq cybersecurity ETF, composed of companies such as Cisco, Palo Alto Networks and Check Point Software, has underperformed the S&P 500 stock index. The security ETF has risen 11 percent since its inception two years ago while the S&P 500 has climbed 15 percent over the same period.

It's understandable for fretful companies to hunt for technology silver bullets to protect themselves from digital bad guys. But companies' fear of hackers doesn't erase the insecurity for the cybersecurity business.

This column does not necessarily reflect the opinion of Bloomberg LP and its owners.

Shira Ovide is a Bloomberg Gadfly columnist covering technology. She previously was a reporter for the Wall Street Journal.

1. Fortinet is also likely getting a lift from the disclosure of a new investor, activist firm Starboard.

2. It's worth noting that some companies didn't take digital security seriously enough to patch known vulnerabilities in Windows software, which opened the door to the WannaCry ransomware. 

To contact the author of this story: Shira Ovide in New York at sovide@bloomberg.net.

To contact the editor responsible for this story: Daniel Niemi at dniemi1@bloomberg.net.