Investing Insights



As the COVID-19 outbreak intensifies and market volatility increases, get our latest insights.

Read More

Featured White Papers

Our Journey to a Sustainable Future

As investors and advisors who focus on our clients' long-term success, sustainability is central to how we assess the risks and opportunities facing our clients. Read More (PDF)

The Changing IT Security Landscape

September 11, 2018 | U.S. Equity

author image

Forward-thinking companies are increasingly using data to improve many aspects of their businesses. As malicious actors realize the value of this data, the need for enhanced IT security has dramatically increased, creating investment opportunities in the cybersecurity sector.

In this two-part series, I will review the history of IT security, explain changes we are seeing to address more sophisticated threat vectors, and discuss my view of the investment landscape.

More Data = More Security

Innovative companies are increasingly using data to improve their businesses. For example, data collection and analysis can:

  • Boost customer loyalty by using sensors embedded in products to increase the mean time between failure;
  • Reveal sales opportunities with more precise marketing segmentation; and
  • Increase profits by optimizing the product characteristics that customers most value.

Harvesting these data sets positions companies to create formidable competitive advantages.

Unfortunately, malicious actors including nation states, organized crime, underground operations, and even competing enterprises, realize the value of this data and have developed increasingly sophisticated tools to hack corporate networks to use the information for nefarious purposes. In addition, governments and consumers continue to advocate for greater privacy protections, intensifying the need to harden corporate networks.

Combined, these factors create an ever-increasing need for IT security, generating attractive investment opportunities.

IT Security: Then

While securing networks was never easy, the complexity has escalated exponentially in recent years.

Two generations ago, the majority of a corporation's data resided within its own walls, with limited access from the outside. Security focused on physical access and identity management—for example, who could enter the data center or who could log onto the network from terminals within the company.

In the late 1980s and early 1990s, the expansion of the internet and the proliferation of email changed the IT security landscape. Networks could be accessed from anywhere in the world, and malicious payloads could be delivered into those networks with little more than a user's email address.

In this environment, physical security and identity management remained important, but the focus of data protection shifted to locking down open ports (the doors and windows of a network, so to speak), restricting applications that contained previously identified malicious code, and monitoring the data packets coming into and out of a network.

These developments have led to the widespread adoption of firewalls and antivirus programs, which significantly improved the overall security posture. However, firewalls and antivirus programs bore their own inherent weaknesses: specifically, they were most effective in networks with clear perimeters, and worked best at stopping previously identified—as opposed to newly developing—threats.

IT Security: Now

In the past few years, a rapid increase in the use of mobile devices, the adoption of software as a service (SaaS, or cloud-based applications), and a shift toward cloud computing have greatly increased the risk profile of organizational networks, forcing chief information security officers (CISOs) and network administrators to rethink and, in many cases, restructure how they protect data.

Traditional offices have given way to a mobile workforce; today, many employees do not commute to a centralized office location.  And as storage capacity has ballooned, employees' laptops, tablets, and mobile phones can now accumulate an increasing amount of corporate data. Securing and controlling access to these devices has increased from important to absolutely critical.

In addition, the adoption of SaaS applications and cloud computing has moved mission-critical corporate data sets outside the traditional perimeter. Data and workloads often reside not only in house but also with multiple third-party vendors, such as Amazon Web Services, Microsoft Azure, and Google Cloud Platform Services, not to mention within all of the SaaS vendors an organization may use (which often number in the hundreds).

As an example, customer or employee data, which was previously stored on in-house databases, may now reside in the cloud via Salesforce and Workday, respectively. This has forced CISOs to evaluate and secure not only their own data centers and colocations (data center facilities in which a business can rent space for servers and other computing hardware), but also those of their vendors.

IT Security: Future

In the future, while some companies will bypass traditional approaches altogether, most will continue to employ traditional IT security technologies, such as firewalls and antivirus programs. You don't stop locking the door just because you installed an alarm. However, the functionality of these technologies must expand, and their approach must morph to meet evolving threats. New types of assets like containers, workspaces, workloads, virtual machines, and shared services will be subject to attack, as will other nontraditional IT assets, such as control systems, payment terminals, home IoT devices, and cars.

You don't stop locking the door just because you installed an alarm.

For example, prior attacks centered on stealing data, then using it for competitive purposes or selling it to other interested parties. Today, threats also involve hijacking networks for ransom payment (i.e., a ransomware attack) or stealing network compute power to mine cryptocurrencies.

Often these attacks take place using “clean” code that is not clearly malware but can be executed in a malicious fashion. This is driving the need for security focused on the code and its behavior when executed. Even scarier are attacks that use artificial intelligence to determine the stealthiest manner to bypass safeguards, then switch from dormant into attack mode with minimal trace. Lastly, with a more transient workforce and the ability to copy mass amounts of data on small devices more easily, potential threats from disgruntled insiders who have legitimate access to data but choose to use it in a rogue fashion are becoming more acute.

Given these trends, a greater percentage of corporate budgets will likely shift from existing protection approaches toward practices and technologies that can handle the borderless network and automatically learn to adapt to the changing threat landscape.

I'll discuss some of these technologies, along with the IT security investment opportunity, in part two of this series.

IT Security: What We're Reading

References to specific companies are for illustrative purposes only and are not intended as recommendations to purchase or sell securities. William Blair may or may not own any securities of the companies referenced and, if such securities are owned, no representation is being made that such securities will continue to be held. It should not be assumed that any investment in the securities of the companies referenced was or will be profitable.

Corey Tobin, partner, is a research analyst and co-director of research on William Blair's U.S. Growth Equity team.