With the market in correction mode, investors have the opportunity to buy some of the biggest technology trends at more reasonable valuations. The recent ransomware attack on Colonial Pipeline has one recurrent investment theme back in the spotlight: cybersecurity.
The $162 billion cybersecurity market is expected to grow at a compound annual growth rate (CAGR) of 12.5% through 2028 as cybercrime and cyberattacks affect more individuals, companies and governments than ever before.
It’s a big market with lots of players, and it’s growing fast. With so many moving parts, investing here can be complicated if you’re trying to pick a winner.
But investors don’t need to pick a winner. Instead, there’s a simpler and more effective investment strategy. Invest in a basket of companies that represent the first wave of cybersecurity spending. Called vulnerability management, companies in this space identify, prioritize and resolve security threats.
For businesses, vulnerability management provides the first line of defense and minimizes what’s known as the “attack surface.”
Here are the top three small-cap vulnerability management stocks to buy right now:
The Pipeline hack was the latest call for companies to batten down the hatches. The result? Expect spending on vulnerability management technology to increase sharply this year.
Colonial Pipeline Hack Highlights the Need for Better Alarms
Security stocks had a huge run in 2020. The Global X Cybersecurity ETF (NASDAQ:IBUGT) grew its Net Asset Value (NAV) by 69% over the past year, jolted by the “Sunburst” hack on software company Solarwinds (NYSE:SWI) that left roughly 18,000 customers vulnerable.
Then came the Covid-19 pandemic, leading to a sharp increase in the number of cyber threats and online phishing attacks. Since the start of lockdown, phishing attacks, which hackers use to steal passwords, have increased 220% compared to the yearly average.
Last week, businesses got another reminder to take cybersecurity seriously: the Colonial Pipeline attack. Already, the Biden administration has identified ransomware as the most serious cybersecurity threat to the U.S.
The alarm bells are ringing loud and clear. Most CIO studies confirm that enterprises are shifting more of their financial resources to cybersecurity.
What is Vulnerability Management and Why Does Every Company Need It?
Investors evaluating the cybersecurity market will notice one thing very quickly. There are at least five different technology categories. One area in particular has gotten a lot of headline attention lately, incident response. The star of the show has been high-profile security “fixer” FireEye (NASDAQ:FEYE), one of first companies called in to help fix the Pipeline breach.
I continue to like FEYE and recommend building or adding to positions at present levels. But incident response is just one piece of the overall cybersecurity market.
So which cybersecurity stocks should you invest in first? The answer can be found by studying the December 2020 Solarwinds attack. Here’s the gist: FEYE actually detected the Solarwinds breach while probing its own network, which itself had been hacked.
If even a sophisticated cybersecurity company like FEYE can get hacked, things must look pretty scary for mainstream businesses. And that’s why you should invest in technologies in the most important cybersecurity theme out there right now… vulnerability management.
Targeted attacks are evolving and hackers are getting smarter. They continually refine their methods in order to fly under the radar. Vulnerability management technologies identify, prioritize and resolve potential security breaches in operating systems and enterprise applications. For example, they scan to identify outdated software versions, missing patches, and other misconfigurations.
Vulnerability management is the first step of any company’s disaster playbook. Buy these three small cap stocks NOW to get ahead of the imminent surge in demand.
Small-Cap Cybersecurity Stocks to Buy: Qualys (QLYS)
With a market capitalization just under $4 billion and 2020 sales of $373 million, Qualys offers vulnerability management and compliance solutions. The company’s Qualsys Cloud Platform gives government entities, as well as small and mid-size businesses the tools they need to scan IT assets, analyze security data, prioritize vulnerabilities, and recommend remediation actions.
Qualsys, like the other vulnerability management players we’ll discuss here, has a very attractive business model. These companies generate revenue from subscriptions to their cloud-based services, typically on an annual basis. For tech investors, subscription-based business models tend to earn higher multiples because they are less volatile than hardware-based companies. They also carry higher margins.
In an emerging market like vulnerability management, getting the technology right can make or break a company. Qualys has endorsements from leading cloud providers Amazon (NASDAQ: AMZN), Microsoft (NASDAQ:MSFT) and Alphabet (NASDAQ:GOOG, GOOGL). The company also has relationships with the most important managed service providers and consulting companies.
One thing that could give QLYS a short-term bump is its high short interest, at 17% of the company’s float (there are only 39 million shares outstanding). Any positive surprises could make for near-term short-covering in this stock.
One potential catalyst: higher sales from the company’s expanded endpoint security solution, announced earlier this month. The new feature set adds the ability to detect and block threats in real-time. Also of note, QLYS is the only one of our three picks currently turning a profit.
With a market cap of $4.4 billion and $411 million in 2020 sales, Rapid7 is another interesting vulnerability management play. Like Qualysis, the company provides visibility and analytics via a cloud-based service. Rapid7 made its debut in 2009 by buying Metasploit Project, a computer security research group.
Rapid7 has been on a buying spree, with three acquisitions already under its belt this year. One in particular, Alcide (acquired in February), gives RPD an early start on Kubernetes, or cloud security. Cloud focus positions RPD for partnerships down the line with big tech companies investing in this area. Those include VMWare (NYSE:VMW), which nabbed Kubernetes startup Octarine last May, Cisco (NASDAQ:CSCO) which bought PortShift, and RedHat (NYSE:RHT), which bought StackRox in January.
RPD’s acquisitions are in the right place at the right time, and should very quickly contribute to revenue and earnings. With strong underlying trends and ample market share to grab, RPD raised its 2021 guidance on both the top and bottom lines. The stock has also pulled back by 12% from its January highs.
Making its debut in 1998 with a free security scanner, Tenable, with a market cap of $4.2 billion and $461 million in 2020 sales, was the first contender in the vulnerability management space. The company’s Nessus software was a break-through product over a decade ago, providing real-time vulnerability analysis. Today, Tenable offers Nessus Essentials, a free solution, and Nessus Professional, a paid license subscription.
In February, Tenable got a very important strategic boost to its business by acquiring Alsid SAS. Tenable paid $98 million in cash for the Active Directory (AD) security company. Microsoft’s Azure cloud platform uses AD to grant employee login requests to corporate applications.
With 95% of enterprises using Azure, AD is a hacker’s first target. AD was also the entry point in the Solarwinds attack. Specifically, hackers forged a token that claimed to represent an account in Azure AD. They were then able to use the compromised credentials to get access to administrative privileges.
TENB stock is down 29% from its January highs.
Disclosure: On the date of publication, Joanna Makris did not have (either directly or indirectly) any positions in the securities mentioned in this article.
Joanna Makris is a Market Analyst at InvestorPlace.com. A strategic thinker and fundamental public equity investor, Joanna leverages over 20 years of experience on Wall Street covering various segments of the Technology, Media, and Telecom sectors at several global investment banks, including Mizuho Securities and Canaccord Genuity.