Morgan Stanley
  • Research
  • May 17, 2018

The Rising Debate on Security in the Cloud

Enterprises are increasingly shifting data and processes to the public cloud, where walled-off network security alone won't suffice. For third-party cybersecurity firms, is this new landscape a threat—or an opportunity?

Corporate cybersecurity has classically centered on wall-building, with enterprises enlisting network security firms to establish private networks and keep intruders away from sensitive company data.

Public cloud security spending could reach about $18 billion by 2020. How will that revenue be split among third-party security firms and cloud vendors?

But as more enterprises reduce their on-site data center footprint in favor of public cloud adoption, guarding both cloud and onsite data against sophisticated attacks becomes complicated. On-site network security has traditionally been the domain of third-party cybersecurity firms, but many public cloud providers are large, well-funded and have developed their own cloud security infrastructure.

While the investor debate around key winners and losers during this transition is not new, the issue is reaching an inflection point as higher-tiered production apps move to the cloud. This, coupled with an increasingly malicious threat environment and a current security paradigm that is under pressure, is heightening investors' concerns that the third-party cybersecurity universe will see headwinds in coming years.

Now, a new report from Morgan Stanley Research is examining the role public cloud providers will play in this new environment and how third-party security companies could actually see topline growth despite the transition.

Taking to the Cloud

Underpinning this debate is the increasing optimism of IT decision makers on pubic cloud adoption trends. A recent poll conducted by AlphaWise, Morgan Stanley’s evidence-based research group that leverages big datasets and surveys, found that chief information officers (CIOs) have already migrated 21% of application workloads to the cloud. The CIOs expect this to increase to 44% by the end of 2021.


% of App Workloads Shifting to the Public Cloud Moving Higher

Source: Alphawise, Morgan Stanley Research, April 2018 CIO Survey. n=100 (U.S. and EU data)

“As high-profile breaches continue to occur with an increasingly malicious threat environment, conversations about cybersecurity become a C-Suite discussion, as opposed to only IT,” says equity analyst Melissa Franchi, who covers small and midcap enterprise security firms.

Public cloud security will likely draw far more attention and corporate spending in the next few years. According to Franchi, public cloud security spending could reach about $18 billion by 2020. How that revenue will be split among third-party security firms and public cloud vendors depends on the structures businesses build to protect their data.

Guarding the Fortress

Enterprises have historically used “defense-in-depth” perimeter security, which blocks non-approved users or functions from accessing networks via a system of firewalls and other roadblocks. The cloud erases the notion of a solid perimeter, and therefore the cloud security provider must play a part in securing the company's technological assets. However, even in a cloud-based environment, the responsibility for protecting the data and applications remains in the hands of the enterprises.

“Even when companies shift their IT infrastructure to the cloud, the enterprise still needs to keep watch on the security of the data and application in the cloud,” says Franchi. “The cloud provider provides secure infrastructure while the enterprise secures the software and data on top of the infrastructure.”

The large public cloud providers are enhancing their security offerings with web application firewalls, identity and access management services and distributed denial of service attack protection. But this model also enables the inclusion of third-party cybersecurity vendors, who generally offer more rich security domain expertise and a wider purview of security visibility.

Security spending for cloud deployments is generally additive to enterprise security spending since enterprises’ are generally adopting hybrid computing architectures (mixture of multi-cloud and on-premises data centers). Most cybersecurity vendors offer a virtual form of their solutions which can be deployed in the major public cloud platforms, but cloud adoption is also spurring new market opportunities around encryption, web security, and identity management, amongst others.

Finding Opportunity

The report notes that only about 3% of total network security spending today is dedicated to public cloud security. But as that level increases over the next few years, a key question for investors is whether the rapid movement of enterprises to the public cloud will disrupt the third-party cybersecurity market.

Stock prices indicate investors very well may think it does—the average cybersecurity firm's stock price has increased about 34% since 2015, compared with about 80% for the average software firm. But Franchi doesn't share that view, noting that the rapid migration of businesses to the cloud and the continued relevance of third-party security options, even within the cloud, will allow those vendors to capture about 80% of the spending on public cloud security.

“This is conservative for a number of reasons,” she said, “including historical analogies that suggest the shift to cloud solutions drives higher market spending over time.”

In line with this thinking, Morgan Stanley projects 9% topline growth for the security market through 2020.  This is higher than the 5% growth valuation models and current trading levels of security stocks suggest—and a possible opportunity for investors with their eye on the cloud.

For Morgan Stanley Research on opportunities in public cloud security, ask your Morgan Stanley representative or Financial Advisor for the full report, “Cloud Security: Sizing the Silver Lining,” (April 10, 2018). Plus, more Ideas.