Making money in the war against hackers

In bad cyber-breach environment: Pro

Bigger and bolder cybersecurity attacks, from JPMorgan Chase to the Sony Entertainment fiasco, are piling up, terrorizing corporations and their customers. People and businesses worldwide are seeking every measure to protect themselves against risk.

Which means booming business for cybersecurity stocks and their investors.

Cybersecurity stocks have been an underinvested tech theme relative to other tech trends, and analysts say that underinvestment runs counter to the sales opportunity for these companies.

To avoid being a high-profile victim, businesses and government agencies are aggressively scouting out new, next-generation cybersecurity tools made by upstarts like Palo Alto Networks and FireEye. The best news of all is that most companies still have woefully outdated cybersecurity infrastructure. That means the next-gen cybersecurity boom is still in its early innings.

"Some investors have compared it to a Y2K-like spending situation, but the difference here is that it's a Y2K that doesn't end," said Daniel Ives, senior analyst at FBR Capital Markets. "The enterprise and government are throwing billions after this," he said. "It's the nightmare of every CEO to see the headline on the front of the Wall Street Journal that their enterprise was attacked."

(L-R) General Keith Alexander, former director of the NSA; FireEye COO Kevin Mandia; Lookout founder and executive chairman John Hering and moderator Andrew Ross Sorkin of CNBC's "Squawk Box" speak onstage during 'Cyber-Security/Cyber-Insecurity' at the Vanity Fair New Establishment Summit at Yerba Buena Center for the Arts on October 8, 2014, in San Francisco.
Getty Images

This fast-growing niche within the $25 billion cybersecurity market is slated to triple within the next three years from $7 billion to $20 billion in sales, according to FBR estimates. That would represent roughly half of the cybersecurity market's estimated $40 billion in annual sales three years from now. "It's a massive land grab opportunity," Ives said.

The sector was the standout earnings performer in tech last quarter, and even though many investors have done a 180—from being skeptical a few years ago to having an insatiable appetite for these stocks today—as a rule, tech investors are still missing the opportunity, analysts said.

"Cybersecurity is criminally underinvested in," said Gur Talpaz, an analyst at Stifel Nicolaus. "Meanwhile, the threat environment is increasing." Mobile work devices used outside company networks and a reliance on last-generation security tools are fueling more attacks. "The threat plane has gotten so much bigger," Talpaz said.

The end of the old enterprise

"Good enough" enterprise-level tools aren't good enough anymore—large corporations are now seeking out best-of-breed cybersecurity offerings rather than buying an enterprise suite. That shift in buying habits is playing into the hands of the newer companies. All of the market-share gains predicted for these companies imply share losses for legacy players, such as Intel, Cisco, Symantec and Juniper Networks.

"What those guys focused on was the endpoint of the enterprise, but that's the legacy stuff," Ives said. "Now it's all about proactively protecting firewalls, and that's why the next-gen firewall market has exploded," he said, adding, "The enterprise needs to spend on all these next-gen tools."


As an example, Ives pointed to the $20 billion sales opportunity versus the combined sales today of roughly $2 billion for some of the most popular new names in the next-gen space: Palo Alto Networks, FireEye, Fortinet and Cyberark.

"It's becoming a market of haves and have nots," Talpaz said, adding, "There's lots of opportunity for new players, so you want to pick your spots." That means a choice of highfliers—more conservative stocks, small-caps targeting specific cyber hot spots, turnaround stories among the old guard and funds that offer broader exposure to the sector without having to bet on any one company.

Palo Alto Networks, which makes next-generation firewalls, is one of Talpaz's favorite cybersecurity plays. "The company sells a unique product," he said, and "has strong recurring revenues," he added. That translates into improving profitability and revenue, up 50 percent in the first quarter of 2015. He said the company can sustain its high growth rate.

FBR has a price target of $160 on Palo Alto Networks, and Ives cited the company's management team as a strength—it includes former top officials of Juniper Networks, Verisign and the U.S. military. Palo Alto Networks has a 52-week-high stock price of $149.


Talpaz and Ives both also like FireEye, even though they don't expect it to be profitable for another few years. "It's becoming an important part of the security stack," Talpaz said, as bookings and product offerings grow. He expects revenue to increase 45 percent in 2015.

Ives said FireEye has a number of ways to grow, including expanding internationally and offering cloud-based products. "If there's a high-profile hack," Ives said, "the first phone call is to FireEye."

The key to FireEye is that it's built for future profits. It has focused on investing today to develop the scale to capture as much of the land-grab opportunity as possible in the years to come. But according to Ives, its pedal-to-the-metal approach in terms of spending has created an overhang on the stock. "Investors are well aware of it," he said.

The stock is up only 7 percent since going public in 2013 and has lost 38 percent in the past one-year period through March 25. Palo Alto, by comparison, is up 159 percent since its 2012 IPO. There's more room to grow in FireEye's stock price though, even if Palo Alto is the No. 1 play among next-gen cyberstocks. FBR's $160 price target on Palo Alto is only 7 percent above its current share price.

"FireEye came out like a rocket and is now transitioning to develop the scale of a broader company. ... It will start to show profits in 18 to 24 months. Palo Alto has already gone through the transition," Ives said. "They have one of the best technologies out there," he added.


Ives also likes Fortinet, which has been around longer than Palo Alto and FireEye (it went public in 2010), but after some fits and starts has turned into a consistent, if not explosive, growth story. "Revenue growth is 20 percent-plus" in recent years, he said, "and the company is very profitable."

A cyber basket attack

Stocking up on cybersecurity

The fact that FireEye and Palo Alto are coming at the market from different strategic angles shows there is no one solution that investors can tap into that covers the theme. It's a market big enough for six to 10 vendors, and Ives said investors should consider a basket approach.

Its revenue growth and operating margins in the mid-teens make Fortinet a more conservative counterpoint to a highflier like Palo Alto or FireEye, where investors are still making a bet on future profitability. Investors need the slow-and-steady names to balance out the fast-growers, and they also should consider small-cap names targeting specific cybersecurity protocols, such as email-security firm Proofpoint and Israel-based Cyberark (outside of the U.S., Israel is the leader in next-generation cybersecurity technology). Proofpoint revenue doubled in 2014. "The company is really the only game in that town," Ives said, adding, "It has one of the best small-cap management teams."

Cybersecurity spending may only represent 10 percent of all IT spending, but it is a massive secular theme, and the next-generation players are growing the most quickly. If picking the stock winners during this land grab seems too risky a bet, though, there is an ETF to target the opportunity: The PureFunds ISE Cyber Security ETF has a basket of 30 cybersecurity stocks.

"Picking one company can be extremely volatile," said Andrew Chanin, CEO at PureFunds. "So this ETF gives investors diversification."

The ETF, which had a timely launch shortly before the Sony hacks and blowout earnings for the sector, already has near-$500 million in assets and, since inception in November 2014, a gain of more than 16 percent. Palo Alto, FireEye, Fortinet, Proofpoint and Cyberark are among the ETF's top 10 holdings, with each representing between 4 percent and 5 percent of the ETF. Cisco and Juniper Networks had been among the top 10 holdings last year, but no longer.

Solutions can change on a dime, Chanin said, adding, "There's a war on to produce the best product."

Legacy hacks

The old-guard firms like Symantec have been lagging. Despite offering the profitable antivirus software Norton, the company has been losing market share, according to Morningstar analyst Andrew Lange. He said the company was poorly managed for over a decade, and even though a turnaround effort is under way, "Symantec won't be growing quickly anytime soon."

Ives was less severe in his analysis, but not much more optimistic: "Symantec is going 45 miles an hour in the right lane, and the next-gen companies are going 80 in the left lane in their Ferraris."

Investors had warmed to the turnaround, sending shares up by 23 percent in the most recent one-year period, and from a March 2014 52-week low. But year-to-date Symantec shares have declined by 9 percent, while all of the next-gen cyber names have made significant stock gains.

Symantec's consumer business represents one-quarter to one-third of its sales, and that makes it a cash cow, Ives said, but the enterprise is still the biggest piece, and he said the best way for the legacy players to stay competitive in this market is through aggressive consolidation in the space—a trend that would theoretically bode well for stock premiums among the new entrants. Cisco acquired SourceFire, for example, in 2013.

"The cherry on top of the sundae will be M&A," Ives said.

By Constance Gustke, special to CNBC.com