Cybersecurity performance in public markets & 2022 economic downturn
Sharing a document that tracks the performance of cybersecurity companies in public markets (updated automatically every few minutes)
Welcome to Venture in Security! Before we begin, do me a favor and make sure you hit the “Subscribe” button. Subscriptions let me know that you care and keep me motivated to write more. Thanks folks!
Thanks for supporting Venture in Security!
Cybersecurity performance in public markets tracker
There is a lot of talk about declining markets, companies cutting costs, and laying off employees.
To understand the performance of cybersecurity companies, I put together a document that pulls the latest performance of the 7 ETFs and 64 stocks. Note that some numbers are interrelated as cybersecurity ETFs consist of the stocks aggregated on the same list.
The sheet is set up so that the most current data for the past 52 weeks is being pulled from Google Finance. The numbers on the sheet are updated automatically. Mistakes are possible — please double-check before using the data for any decision-making.
A usual disclaimer — this is not meant as investment advice, an endorsement, or an encouragement to buy or not to buy publicly listed securities. I am not an investment or a financial advisor. The document and this article are created for informational use only, and no liability is assumed.
With these disclaimers in mind, you can access to cybersecurity performance tracker here.
As the data on the sheet is changing in real-time, below is the snapshot as of May 26, 2022, 12:00ish PM PST.
2022 economic downturn and cybersecurity
There are a few factors that impact spending on cybersecurity. I have recently read an article on Yahoo! Finance suggesting that “cybersecurity is recession-proof”. Let’s look at the first principles and briefly discuss several things to consider when thinking about this question.
This is not meant to be a comprehensive analysis but rather a mental framework outlining the inputs that can be used when thinking about the problem in 2022.
Timing is everything
Timing matters. The referenced above Yahoo! Finance article published in March 2022 used the CrowdStrike stock to illustrate that cybersecurity is a stable market not generally subject to recessions. Two months later, the company stock fell to the lowest level since the end of 2020. It has been going up since but the morale of the story is that any claims that a business is recession-proof have to be taken critically.
Cybersecurity is essential
Cybersecurity function is essential for protecting business continuity, especially in the world where organizations can be forced into bankruptcy after a ransomware attack. With the number of cyber breaches on the news and the continued efforts of the governments to promote security, more and more companies are starting to see it as a cost of doing business. Mindset shifts take time, but they are, in this case, irreversible.
The number of people working remotely or in hybrid mode has grown dramatically since 2019 due to the pandemic. With that came the challenges of security, and with many companies offering flexible work arrangements in 2022, this is unlikely to change.
Cybersecurity is seen as a cost center
The work of security professionals is often invisible to people from other departments, which even in the time of economic highs makes them ask “why do we need security anyway?”.
Cybersecurity is indeed seen as a so-called “cost center” unlike functions such as product or sales that are responsible for bringing revenue. While securing the revenue end preventing organizations from incurring additional legal and other expenses that stem from cyber attacks is critical for business continuity, it is easy to dismiss these concerns when times get tough and companies are looking to implement cost-saving measures.
Cybersecurity spans different industry verticals
Cybersecurity is a support area of the business that enables companies in different verticals. As recessions generally lead to a decline in some fields and growth in others, demand for security will likely remain high. This has proven to be the case during the COVID 19 pandemic when those who worked in service industries such as hospitality experienced a decline in revenue while those serving healthcare, financial, and governmental institutions have seen a rise in demand.
2022 is different than 2020
2020 has been a tough year for many businesses. In March 2020, the market dipped and thousands of businesses had to lay off their workers — some temporarily, and others permanently. Many cybersecurity professionals lost their job during the first months of the pandemic, but many bounced off pretty quickly as the start of the lock-down coincided with the need for companies to adopt new work from home routines.
Most organizations were unprepared to securely transition their workers to the new environment, which has increased the demand for cybersecurity professionals. By now, businesses have established stable work from home routines and associated with them security policies, so there is less demand for immediate professional help in this area.
War in Ukraine is driving the demand for security professionals
That spike reflects a continuing trend but also reflecting the global tension of the past several weeks. The most prominent recent cyberattacks have been focused on Ukraine as part of the Russian invasion, but countless other threats have been leveled at targets around the world. For example, a cyberattack on a supplier shut down Toyota’s entire Japanese production line last week.
The war in Ukraine is simultaneously causing an economic downturn and driving the demand for security professionals. The joint advisory issued by CISA, FBI, NSA, and allied cybersecurity authorities emphasizes the increased threat of Russian cyber groups targeting critical infrastructure that could impact organizations around the globe. The threat is real, and businesses are taking note.
As of May 26, 2022, there were 597,767 cybersecurity job openings. With a large number of companies on a hiring freeze, it is hard to assess how many of these are active.
Companies need to stay compliant with regulations
While undertaking new IT initiatives is not something that companies are generally looking to do during the recession, most organizations must do the work to stay compliant and meet various legal and regulatory requirements.
The above business, societal and political factors are reflected in public market financials.
On average, across 7 ETFs and 64 stocks, as of May 26 2022, I see that the average price is 24.9% above their 52-Week Low price and 40.2% below their 52-Week High price. Aggregates are often misleading as while some companies lost 1–5%, others are 90%+ below their 52-week highest price. This reflects a dramatic decrease of value.
You can access the cybersecurity performance tracker here. Below are some screenshots from Google Finance to illustrate that the outcomes have not been distributed evenly.
Conclusion: resilient but not proof
Cybersecurity is one of the essential fields that help companies to keep the lights on. I think it is not reasonable to analyze if an industry is recession-proof as the answer is almost always going to be “no”. Instead, we should look at the nature of the factors that are causing the 2022 economic downturn, and try to understand the potential consequences for the industry.
It has become apparent that Putin has no desire to stop his invasion of Ukraine. As more sanctions are being implemented, the threats from Russian hacktivists against the NATO countries’ governments, businesses, and critical infrastructure can start materializing. State-sponsored retaliatory cyber attacks on the US, the EU, and their allies, based on reports of professionals, are very likely.
War in Ukraine, combined with the high levels of technological adoption and hybrid work arrangements are driving the demand for security professionals. The continuous addition of new attack vectors, poor cyber hygiene, and increasingly complex IT environments along with a multitude of other factors have led to a large number of cyber breaches, and that number is only going to go up, at least in the short term.
While not recession-proof per se, the cybersecurity industry is well-positioned to not only withstand, but also to financially benefit from the global uncertainty and the threat of mass attacks in 2022.
Any predictions about the market tend to age badly, so it remains to be seen what will happen. I hope that the war is going to end soon.