The spookiest thing about October isn’t ghosts or goblins, but cybersecurity threats. Recent high-profile hacks have crippled oil pipelines, breached streaming platforms like Twitch, and unsecured millions of social media users from Facebook, Instagram, and LinkedIn. Just as ghosts lead to a need for Ghostbusters, data breaches lead to a demand for cybersecurity.

Recently, ETF Trends’ managing editor Lara Crigger sat down with Ben Jones, a senior index strategist at Nasdaq. In honor of Cybersecurity Awareness Month, the two discussed how cybersecurity is no longer just a narrow slice of the tech sector, but a theme with wide-ranging impacts across a well-diversified portfolio.

Lara Crigger, managing editor, ETF Trends: It seems like we can’t go a single day anymore without some new massive data breach or systems hack. And it’s not just banks or payment processors that are targeted, but schools, hospitals, oil pipelines… So how is the definition of cybersecurity evolving to counter this evolving threat?

Ben Jones, senior index strategist, Nasdaq: I think the definition really hasn’t changed. Cybersecurity is still about protecting computers, networks, programs, and data from unauthorized and unintended access. It’s just the style of the breaches, and how these threat actors and cybercriminals are gaining access to data or computer networks; that’s what’s changing.

One thing that comes to mind is the advent of cloud computing, where all of a sudden, you have these localized networks that became global. Companies that basically stored all their data in their back office on site now have to operate their businesses “up in the cloud,” powered by the internet and massive server space from large corporations. So with everything being connected, the stakes are much higher.

With that, you also have the rise of “endpoints,” which are cellphones, tablets, mobile devices, WiFi, computers, everything that’s connected to these networks. And you have the Internet of Things. So there’s more vulnerabilities because there’s more devices connected to the network, which means more data that is more vulnerable.

Crigger: Does digital waste add to those security vulnerabilities? Old accounts, forgotten accounts, disused accounts — all those can be hacked, too.

Jones: Yes, but one thing economists researching this space have found is that there is information decay. So if your Facebook account is 10 years old; or maybe your cell phone number or bank account number changed,  then that data might not be as valuable as, say, a company’s network. If there’s personal data, it’s going to be more valuable if it’s more timely versus 10 years old.

Still, it’s a vulnerability, which is why many websites make you update your passwords every few months.

Crigger: What do you think are some of the more exciting developments happening in the cybersecurity space? 

Jones: On the technology side, I think two exciting developments include 1. artificial intelligence and machine learning and 2. quantum computing.

With artificial intelligence and machine learning, you’re seeing cybersecurity companies pushing the boundaries to leverage those technologies to help automate the identification of these exponentially growing number of threats where human analysts can’t really see those patterns and trends immediately and in real time. But artificial intelligence can. Also, artificial intelligence could potentially help fill in the workforce gap. There’s a massive shortage of cybersecurity specialists and analysts today, so in the future, cybersecurity companies are going to have to rely on advanced technology, such as AI and machine learning, to fill those voids.

Then there’s quantum computing, which I think is just a massive disrupter in this space. It’s still in its infancy, but  quantum computing could provide for the good and bad side of cybersecurity. On the one hand, all these encryptions and codes could be broken in a few milliseconds, where now it takes maybe a few months for a hacker’s computer to run through it. So hackers will be able to decipher codes really quickly. But on the other hand, you’ll be able to combat that by using quantum computing.

Anyone interested in this topic should definitely look at the World Economic Forum. In November 2020, they published a really interesting piece titled Future Series Cybersecurity: Emerging Technology and Systemic Risk that identified artificial intelligence and quantum computing as two emerging technologies in cybersecurity.

Finally, on the business model/best practices side, we’ve heard a lot about “zero trust,” or the idea of creating strict access protocols. The idea is you can’t trust anyone, neither people outside your network nor people inside it, who are already logged in and have the credentials.

Crigger: Don’t most incidents of phishing and fraud happen internally to a company? Someone clicking on a phishing scam by accident, rather than a shadowy character from a foreign country trying to hack into your account.

Jones: Exactly. We talk about these emerging technologies and new cybersecurity frameworks, but at the end of the day, companies can get the most bang for their buck in education. It’s training your employees to be cyber-aware and practice good cyber hygiene. Some companies are providing those services now, which takes some of the weight off of internal information security teams, because now they can outsource some of that training to the experts, so to speak.

Crigger: I’ve never thought about “cybersecurity-as-a-service” before, in the same vein as “software-as-a-service.”

Jones: We’ve seen this business model elsewhere: Software-as-a-service, accounting-as-a-service, CRM-as-a-service, you name it. Cybersecurity-as-a-service is where smaller companies who don’t have the budget to create their own cybersecurity team or manage a large information security team can outsource it to a standalone, pure-play cybersecurity company providing these solutions.

Also, because it’s such a dynamic theme, some companies can specialize in certain technologies or certain types of threats. You’ve seen a lot of large corporations bolt those services into their cybersecurity teams. Where they might be able to manage their own internal data, they might subscribe to some solutions to help manage their external data, and so on.

Crigger: What do you think investors still misunderstand about the investability of cybersecurity as a theme?

Jones: Good question. I think they might still think that it’s too focused, too niche. They might use the classic valuation or financial analysis to understand this theme, but it’s constantly changing, and the business models are constantly changing. So you have to be really thought-forward and view it as a complement to existing sector exposure, or even growth exposure.

Advisors can view cybersecurity from a classic portfolio allocation standpoint in a couple different ways. First, as a way to enhance their exposure to the technology industry. Two, to enhance their exposure to the growth style box. Third, as a tactical allocation. We know many advisors are using tactical base models with various inputs. Cybersecurity can complement other themes that are out there. We also know that it can be very event-driven. If advisors are trading off of macroeconomic or other events, they may want to consider reviewing cybersecurity events. Historically, we have seen share prices of cybersecurity companies rise on average after major breaches and hacks. Something to keep in mind.

Crigger: When investing thematically, it’s of the utmost importance to accurately capture exposure to that theme in a pure-play way. Most advisors want to know that if they’re investing in a cybersecurity ETF, then they’re actually investing in cybersecurity companies. So as an indexer, how do you go about evaluating pure-plays?

Jones: It’s a good question, and anyone on an index team or portfolio team is always looking at how to represent that investable space. From our standpoint at Nasdaq, we have three cybersecurity indexes we manage that are tracked by ETPs around the world. The first is the NASDAQ CTA Cybersecurity Index, which looks at tech companies engaged in cybersecurity, using CTA classifications. They look at revenue attribution, M&A activity, product coverage, and other factors.

The other two indexes that we run are part of our ISE family. We have the ISE Cybersecurity Index and the ISE Cybersecurity UCITS Index. That’s based off the Index Security Selection Committee’s work to classify cybersecurity companies based off of what they do. The basic eligibility determinant for inclusion in the ISE Cyber Security Index is that prospective companies are either those which work to develop hardware and/or software that safeguards access to files, websites, and networks from external origins or those that utilize these tools to provide consulting and/or secure cyber-based services to their clients according to the ISE Cyber Security Industry Classification.

[To decide pure play status,] you have to look at industry-wide classifications, you need to look at their business model and how they generate revenue. You have to look at corporate actions, too, because many traditional tech companies are beginning to provide cybersecurity services as well, and they may do it inorganically, through acquisitions. We need to keep track of that.

Then you also have to look at large companies, too. Cybersecurity emerged as a function of the broader information tech sector. Companies like Cisco, IBM, and Microsoft were providing services internally, then launched spin-offs and internal initiatives. And the large companies are selling and generating revenue from the cybersecurity products and solutions. Cisco is a good example. As a massive large blue chip technology company, you might not think of them as a cybersecurity company, but they are one of the major players in this space. If you compare their cybersecurity revenue to their other initiatives, it might be small; but if you look at their cybersecurity revenue relative to other companies, it’s quite large. So we’ve got to account for that as well.

Crigger: What do you think investors are still overlooking when it comes to the cybersecurity companies inside their ETFs?

Jones: I guess that if they look underneath the hood of their ETF, they’ll notice that there might be some companies that they don’t really think of as cybersecurity. A good example of that is defense contractors: Many of these companies are classified as industrials. But there’s a connection, a gray area between the private and public sphere of cybersecurity. One of the largest spenders on cybersecurity technology solutions is the U.S. government. It’s all the civilian agencies and also the Department of Defense. If you look around the world you’re seeing a rise in government cybersecurity spending. A good portion of that is going back to the private sector, because they’re providing the services, so companies like Booz Allen, Accenture, Telos, and SAIC — some of those companies are providing solutions to government and military organizations to provide cybersecurity capabilities, either for offense or defense, to enable their operations to run. I think that’s something important that we can’t forget about.

Going forward, I think that’s an interesting trend to watch, that evolving gray area between the public and private sphere. With President Biden’s executive order back in May on improving the nation’s cybersecurity, he hit upon that subject, and how the public and private sector need to come together. Then there’s also the infrastructure bill, where you’re seeing a good portion of that — over $2 billion — going to cybersecurity, especially cybersecurity agencies, as well as some local and state agencies around the country.

For more news, information, and strategy, visit the Nasdaq Portfolio Solutions Channel.