Podcast

Episode 4: Investing in Secular Themes – Cybersecurity

Host: Alex Warren, CFA, CAIA

Guest: Nicholas Daft

April 27, 2023

Episode Length: 24:40

In this episode, we speak with Nicholas Daft, Director and Senior Research Analyst at Aristotle Atlantic. He shares his insights on why he believes cybersecurity is an important secular theme, shedding light on its evolution as businesses embrace digital transformation.

Nicholas highlights the growing frequency, complexity, and cost of cyberattacks, emphasizing why he believes it will necessitate investment in next-generation cybersecurity technology. Lastly, he explains why he believes certain market segments stand to gain from the continued investment in next-generation security software to combat cyber threats.

SHOW NOTES
  • Disclosures (00:00 to 00:34)
  • Episode introduction (00:35 to 01:22)
  • Introduction to the episode’s guest: Aristotle Atlantic’s Nicholas Daft (01:23 to 02:35)
  • Aristotle Atlantic’s unique investment approach (02:36 to 04:11)
  • Why Cybersecurity represents an investible secular theme (04:12 to 06:30)
  • Changes in the digital landscape and the evolution of cybersecurity (06:31 to 09:39)
  • The Internet of Things (IoT) explained (09:40 to 11:55)
  • Common cyberattack techniques and their consequences (11:56 to 14:20)
  • Why cybercrime is a national security concern (14:21 to 17:32)
  • The costs of cyberattacks (17:33 to 20:13)
  • Opportunities for growth in the cybersecurity industry (20:14 to 22:14)
  • Areas of the market that may benefit from the growth of cybersecurity (22:15 to 24:08)
  • Conclusion (24:09 to 24:40)
TRANSCRIPT

Alex Warren: The term Aristotle is used to represent a family of affiliates, which is comprised of Aristotle Capital Management, Aristotle Capital Boston, Aristotle Credit Partners, Aristotle Atlantic Partners, and Aristotle Pacific Capital, which collectively operate under a unified platform known as Aristotle. Each firm is an independent investment advisor registered under the Investment Advisors Act of 1940, as amended.

Welcome to the Power of Patience, Aristotle’s podcast, where we share our views on topics actively explored by our investment teams and across our organization. I’m Alex Warren, Product Specialist at Aristotle, and I’ll be your host today.

Coming up on today’s episode, we’ll be speaking with Nick Daft, Director and Senior Research Analyst at Aristotle Atlantic Partners. Nick’s coverage includes the information technology, energy, and material sectors.

If you enjoy this podcast, please like and share it on LinkedIn to help spread the word.

Today on the show we’ll discuss how the digital transformation of the past decade has led to network vulnerabilities, the growth of cyberattacks and techniques used, the impact of cybercrime and national security and cybersecurity market growth and investment opportunities. Without further ado, let’s get started.

Nick, thank you so much for joining me today. To lead off the discussion, can you introduce yourself and provide a brief history of your role at Aristotle Atlantic?

Nicholas Daft: Absolutely. Thank you, Alex. And hello to everyone listening to the Power of Patience podcast. Let me go ahead and introduce myself.

My name is Nick Daft and I’m a member of the five-person investment team here at Aristotle Atlantic Partners. I have worked in financial services for almost two decades in various roles over the years, but for the past 16 years, I have worked as an investment research analyst with my current team. The team and I, we joined Aristotle Atlantic in 2016 when we made the move from the asset management group of a large bank. Here at Aristotle Atlantic, we manage equity funds across both core and the growth strategies.

Now in my role as a senior research analyst on the team, as you mentioned, my areas of investment focus are the information technology sector, the energy sector and the materials sector, but with my primary focus being the technology sector. And this includes investing in leading companies in the software, semiconductor, and the hardware industries.

Alex Warren: Wonderful. Thank you, Nick.

Now, what do you believe makes Aristotle Atlantic unique?

Nicholas Daft: I would highlight two features that I think make Aristotle Atlantic unique.

One is the industry experience and longevity of the team. The five of us on the team have an average of 26 years of industry experience, and the average tenure of the members of the team is 17 years. We’ve worked together through many different economic cycles and events, and so we have had the benefit of experiencing a wide variety of market conditions, which we leverage as part of our investment process.

Another area of focus I would highlight, it’s the three pillars of our investing process. Those three pillars are secular themes, product cycles, and cyclical trends. We use these three pillars as the foundation for our specific company research. Within these three, secular themes is the largest driver of our research process that underpins the portfolio investments.

What we’re looking for is themes, these secular themes that we believe represent significant longer-term shifts in spending across either the public or the private sector. And then within that theme, we use our bottom-up fundamental research to identify specific company investments that we believe will see out-sized returns from those secular theme-driven spending shifts.

And so today’s podcast subject, cybersecurity, it’s one of those secular themes, one of those 20 secular themes in fact that we’ve identified as part of our investment outlook, and we see it as a key beneficiary of increased spending by both business and governments over a multi-year period.

Alex Warren: Wonderful. Thank you, Nick. That leads to my next question.

Can you provide an overview of why you believe cybersecurity represents an investible secular theme?

Nicholas Daft: Absolutely. Happy to. In my research over the past few years, I’ve identified cybersecurity as a leading share gainer in IT budgets, and this has been happening as the digital world continues to transform and evolve at a rapid pace. If you look at companies that are investing in the digital capabilities, these enhance internal efficiencies, and they improve customer experiences and interactions.

As an example, let’s think about team members at companies around the world. They collaborate on work presentations with their colleagues who are also around the world. They’re doing this in real time using software tools such as Microsoft Teams. Or think about how easy it is to bank and shop online through your smartphone, or order groceries through your Alexa speaker, things like that. All of these they’re simple but powerful examples of the role of digital transformation in our everyday lives. But while these investments in digital technologies make our lives easier and more productive, we also have to realize the increased risks that come from this connectivity, and that’s the increased risks from cyber criminals.

The reliance on technology by businesses and consumers, it means more data is created. It’s estimated to be about two megabytes per second per person. And much of this data, it’s stored online in the cloud, which means more areas where data is exposed to attacks and vulnerabilities. And unfortunately, just as you and I benefit from this new technology in our daily lives, there are estimated to be 2000 hacking groups and cyber criminals around the world, and they’re using the same technology, the same technological advancements to increase the frequency and sophistication of their attacks.

So what this means is that businesses, they need to invest in cybersecurity to protect themselves as well as their customers, and they have to continue to invest each year to stay ahead of these cyber criminals, because an obsolete or an ineffective cyber defense, it leaves everyone vulnerable. So that’s why I see so much value investing in cybersecurity, in this secular theme. It’s finding those companies which offer the leading technology that is mission critical in cyber defenses that will ultimately reward investors through attractive, long-term profitable growth.

Alex Warren: Absolutely. That makes sense.

Nick, can you discuss how the digital landscape has changed over the past decade, and how has the cybersecurity market evolved with the rest of the digital market?

Nicholas Daft: Over the past decade, as businesses have shifted spending within their IT budgets as they implement these digital transformation initiatives, so the objective is ultimately to drive better business outcomes, and that’s through improving productivity and efficiency metrics. A study that was done in 2021 by a tech research firm showed the clear financial benefits from digital transformation. Companies that were far along in these initiatives have about twice the revenue growth of those that are early or haven’t even started on a digital transformation journey. It’s real tangible benefits.

So if you look at the Gartner data for worldwide IT spending from 2017 to 2022, it’s increased from about $3.5 trillion to about $4.5 trillion a year. That’s a cumulative 28% increase over those five years. But digging deeper, according to IDC, over that same time period, we see that global spending on digital transformation technologies and services, that spending has increased from just under $1 trillion to almost $1.9 trillion, and that’s cumulative spending growth of over 90%.

Alex Warren: Wow. Those are some big numbers.

Nicholas Daft: Yeah. For sure. For sure.

And so what does that mean? And what have companies done with those dollars to implement that digital transformation?

Well, we’ve seen companies shift from on-premise servers and remote networking access that was done solely through those clunky VPNs – very slow, very unwieldy types of technology, which I think it almost felt like dial up versus what we have now. Now we’ve shifted to this idea of cloud computing and the ability to access from anywhere using any device. Businesses are investing in efficiency tools provided by these infrastructure and platforms-as-a-service vendors, such as Microsoft Azure and Amazon’s AWS, and software-as-a-service vendors such as Salesforce.com or Adobe. Businesses have also shifted from using mail and telephone calls as contact points with customers and consumers. And now they’re spending on the engagement platforms that leverage multi-channel communication strategies like Facebook or TikTok or Instagram and Google.

So businesses have benefited with real tangible benefits. They have more data, they have better analytics, automation of workflows, improved work-from-anywhere capabilities and more efficient customer acquisition and retention strategies. But as these businesses have rushed to modernize their network and software infrastructure to capitalize on these benefits, cybersecurity has often lagged behind. And as a result, IT executives… There was a recent study where they disclosed that they have seen an increase in cyberattacks and breach rates because they haven’t kept up. So businesses, they’re attempting to use legacy solutions to protect their new cloud-based infrastructure, and because of that, there are these gaps in defenses, which creates security issues.

Alex Warren: Gotcha. That makes sense. It’s like putting old parts on a new car.

Away from some of the examples that you just shared, software as a service and that, I understand the digital transformation has made its way to industrial companies as well. Can you talk about internet of things?

Nicholas Daft: Yes. I think it’s fascinating to see the transformation taking place in industrial companies specifically. We’re seeing these companies, they’re digitizing their technology stacks and they’re leveraging 5G technology and internet of things (IOT), which is just abbreviated as IOT, they’re using these IOT devices to enhance their operations. These industrial companies, they’re using IOT for automation, remote monitoring of tools, predictive maintenance or supply chain optimization.

Another area where we see growth of IOT devices is also actually in healthcare, where hospitals use IOT for remote patient monitoring. Or in the energy space, where oil and gas producers are using them for monitoring well performance and flow rates or to predict abnormalities that could be occurring because of pressure changes.

So these are examples of businesses using IOT to drive efficiencies and positive outcomes. And as a result, we’re seeing hyperbolic growth in the number of connected IOT devices around the world. In 2015, there were about 4 billion connected devices. That grew to 13 billion in 2022. And conservative estimates have this growing to almost 30 billion by 2030. So that’s the good news, but here’s the bad news. All these billions of devices they represent billions of new entry points for cyber criminals.

To demonstrate this, a statistic from a 2020 survey that I recently read, it was a survey of global IT professionals, and it showed 84% of organizations have IOT devices on their corporate networks. Of this group, 70%, (seven zero), 70% have had attempted or successful hacks, yet still more than 50% of these organizations are not using security measures beyond the default password. Just astounding to me.

Alex Warren: Yeah. Oh my goodness. I’m thinking about those numbers that you’re mentioning and trying to visualize the chart in my head about how big of a growth in internet of things and connected devices, what that chart must look like. And that brings me into my next question.

What are some of the common cyberattack techniques that companies are trying to protect against, and what are the consequences of these attacks?

Nicholas Daft: The most common attack threats continue to be malware, ransomware, phishing, identity-based attacks, and then denial of service (DDoS) attacks. And the objective with all these attacks is to infiltrate a company’s network and gain access to sensitive data or effectively hold the company’s network ransom for a payment.

So cyber criminals are capitalizing on the larger attack surface and the proliferation of endpoints like smartphones and IOT devices and laptops, and based on current trends, they’re successful most of the time due to the unfortunate fact of human error. There was a Stanford University study that estimated that almost 90% of all data breaches are due to human error and employee mistakes.

Alex Warren: Wow.

Nicholas Daft: Yeah. And these errors, they have massive and far-reaching implications. In 2022, the Uber network was breached when a contractor did not follow security protocols and accepted a malicious email request for two-factor authentication log on. And because of that breach or because of that acceptance, the hackers they gained access to sensitive customer data.

On a much larger national scale, there was the May 2021 Colonial Pipeline ransomware attack by a Russia-based cybercriminal group. This, too, was accomplished due to human error. They used a former employee’s password to access a VPN that wasn’t adequately secured by multi-factor authentication. I’m sure you remember, Alex, from the news stories and the photos, as a result, this attack forced the company to shut down the entire pipeline, and this pipeline supplies almost half of the US east coast supply of gasoline.

And so as a result of shutting down the pipeline, there were fuel shortages and traffic jams for people trying to get gas at gas stations because there was a shortage of gas. And this continued until the company paid a ransom to the hackers. It was about $4.5 billion, and they paid it in Bitcoin. Cyber criminals are leveraging Bitcoin. It’s a frictionless and anonymous payment method, and they’re leveraging Bitcoin, which emboldens them further to do more ransomware attacks.

Alex Warren: Absolutely. That makes sense. I can only imagine what the process is for a pipeline operator to go out and try to find or buy Bitcoin. I personally don’t know myself. So that example you gave about the pipeline leads into our next question well.

Why is cybercrime a national security concern?

Nicholas Daft: Yeah, that’s a very prominent issue, and it feels like it’s always in the headlines. It’s really over the past decade that we’ve seen a dramatic increase in state-sponsored cybercriminal activity by groups from China, Russia, North Korea, and Iran. These actions are often tied to economic incentive, but now, more often, there’s an adversarial nature to the threats: corporate espionage, or the attempted theft of national intelligence.

If we go back to 2015, a pretty prominent hack, a group of hackers broke into the Office of Personnel Management (OPM), and they stole records associated with all 21 million civilian employees of the U.S. government. These stolen records they had the potential to be used for malicious purposes with a potential threat to state security.

If we look at corporate espionage, an example over a multi-year period, it was a Chinese state-sponsored hacker group known as APT41, and it’s reported that they have successfully stolen hundreds of gigabytes of technical documents and intellectual property. And the data that was stolen is associated with manufacturing, energy and pharmaceutical companies. And digging even deeper, some of this data relates to fighter jets and missiles, so that is a real national security threat there. And in fact, cybersecurity experts believe that there is evidence that Chinese state hackers, many years ago, began a hacking campaign to steal sensitive data on the U.S. Air Force’s F-35 stealth fighter program. And then this data that was stolen was used to accelerate the Chinese development of their own stealth fighter.

So there’s national security implications, and there’s also a significant economic cost to the country. The FBI has estimated that this type of cyber theft leads to annual losses to the U.S. economy of between $225 billion and $600 billion – so, some real significant numbers.

What this shows, it shows that businesses and governments need to work together to defend against these cyber threats across their daily operations. And that includes critical business operations and national infrastructure. Just thinking about the implications, if you think about state-sponsored cybercriminal groups shutting down regional electrical grids or the US air traffic control system or the New York Stock Exchange, these would have massive negative impacts on the safety and economic life of all Americans.

Fortunately, in good news, the U.S. government is getting more proactive in addressing these increasing threats. And just recently, on March 2nd of this year, the Biden administration released a national cybersecurity strategy, and this will create a more focused plan on defending against cyberattack groups. And based on what I’ve read so far, I think it’s truly a step in the right direction.

Alex Warren: That’s good news. Good news. You gave some great… I guess not great, but more staggering examples or headlines of breaches that have taken place over the years.

What are some of the costs of these cyberattacks?

Nicholas Daft: Sure, sure. Yeah. And as you just said, none of these examples are great, and they’re all unfortunately damaging. The three different types of costs are financial, operational, and reputational, of course.

If we look at the financial side, to put a dollar figure on it: the average cost of a data breach globally in 2022 was $4.35 million. But in the U.S. that went up to $9.44 million. So the U.S. was the highest area in terms of the cost of a breach. And these costs were up over 12% versus 2020.

There are, of course, many examples where costs have been significantly higher. Taking that Uber example that I mentioned earlier: that breach required the company to pay $100,000 to delete the stolen data, but then the company was required to pay $148 million to settle a legal dispute that the company had covered up the breach.

Another attack that has garnered significant headlines recently or in the past few years was the SolarWinds breach. That one impacted an estimated 18,000 customers that used this software. And many of those customers were Fortune 500 companies. The cost of repairing the damage done by that breach, the SolarWinds breach, it’s expected to be in the tens of billions of dollars.

As hackers continue to refine their techniques and gain more advanced technology themselves, and that includes artificial intelligence (AI), there has been a noticeable uptick in ransomware attacks that require companies to pay to unlock their systems that are being held hostage. As we discussed earlier, Colonial Pipeline, they paid $4.5 million to restore their operations. And in the same year, in 2021, CNA Financial, which is a large insurance company, they paid $40 million to hackers to have their data unlocked after they suffered from a ransomware attack.

Alex, putting this all together, it’s very clear that the economic costs of cybercrime are large and growing. If we look at it on a global scale, a publication from Cybersecurity Ventures estimated global costs from cybercriminal activity to be $6 trillion. That’s up from $3 trillion in 2015 and growing to over $10 trillion by 2025. And these numbers they shouldn’t leave any doubt that there’s a huge economic cost from cybercrime.

Alex Warren: Absolutely. And those are some massive numbers. I want you to put on your investor hat for a second here.

Where do you see opportunities for growth within the cybersecurity industry?

Nicholas Daft: Yeah. As the global digital transformation has accelerated, the complexity of securing the technology stack across multiple clouds and vendors has also increased. And the cybersecurity industry has, until recently, been quite fragmented with vendors being relatively siloed in their product offerings.

What I mean by this is they’re focused on one area of expertise, and IT departments at companies, they relied on multiple different vendors for the full suite of cybersecurity products. But this status quo, it’s not suitable given the rapid evolutions in cloud computing and network structures that we’re seeing, and particularly when considering the current threat environment. The increased economics of cybercrime means more R&D being spent by criminal groups, as I mentioned in one of the prior answers. This includes the use of artificial intelligence to enhance the effectiveness of their threats.

So businesses and governments they need to respond. And the key areas of investment going forward need to be in four areas of cybersecurity. That’s (1) cloud network and workload security, (2) endpoint security, (3) access management security, and (4) application security. The good news is that the focus on cybersecurity is happening at the board and C-suite level, and businesses are now prioritizing cybersecurity within their IT budgets.

A recent study by Gartner estimates that spending on cybersecurity in total will grow by low-to-mid double digits over the next few years from the 2022 level of $175 billion. And this is while IT budgets themselves will only grow in the low single digits. But within the four key areas of focus that I just highlighted, those four key areas will represent almost two thirds of this total cybersecurity spending growth.

Alex Warren: Nick, this has been a great conversation. We have time for one final question.

What companies or areas of the market do you believe can benefit most from the growth of cybersecurity?

Nicholas Daft: Yeah. In my opinion, the key beneficiaries of this increasing cybersecurity spend are next-generation cloud native companies that are exposed to the four key areas that I mentioned earlier. And these next-gen cybersecurity firms will provide a modular approach to security and integrate AI. This modular approach allows the cybersecurity companies to efficiently innovate and then deploy new defensive products to their customers, and then their customers can seamlessly integrate these new product modules into their network security stack. This facilitates the consolidation of vendors onto fewer platforms. This provides a stronger defense posture for the customer due to the reduction in breach gaps, and it also improves the ROI.

Finally, the best cybersecurity companies will be those that use artificial intelligence and machine learning to detect and prevent threats in real time. One issue that businesses and IT departments face is a shortage of trained cybersecurity experts. And so, while IT security departments will always have human oversight in some form, it is my opinion that it will be imperative for these next-gen cybersecurity providers to integrate advanced AI into their software technology. Using AI will allow for more efficient monitoring of threat signals and proactive threat hunting so businesses can identify and respond to advanced threats before they can cause damage.

So in conclusion, as the digital transformation journey continues, I believe that next-generation cloud native cybersecurity companies will be the key to defending businesses and governments from the increasing threats from malicious cybercriminals and state-sponsored hackers.

Alex Warren: That brings us to the end of this episode. Thank you so much, Nick, for joining us today. We hope you enjoyed it and learned more about Aristotle. Thanks for listening to the Power of Patience.

To learn more about Aristotle, please visit www.aristotlecap.com, or follow the link to the show notes. If you enjoyed the show, please rate and review us on Spotify and Apple Podcasts. And come back next time for a discussion on Aristotle Pacific Capital. Until then, this is Alex Warren, and thank you for listening.

DISCLOSURE

The term “Aristotle” is used to represent the family of affiliates which is comprised of Aristotle Capital Management, Aristotle Capital Boston, Aristotle Credit Partners, and Aristotle Atlantic Partners; which collectively operate under a unified platform known as Aristotle. Each firm is an independent investment adviser registered under the Investment Advisers Act of 1940, as amended.

For additional disclosures please refer to www.aristotlecap.com