17 Feb 2018 Cybersecurity Market Report
Cybersecurity Ventures predicts global cybersecurity spending will exceed $1 trillion from 2017 to 2021
The Cybersecurity Market Report is published quarterly by Cybersecurity Ventures. We cover the business of cybersecurity, including market sizing and industry forecasts from consolidated research by IT analyst firms, emerging trends, cybercrime, employment, the federal sector, notable M&A, venture capital and corporate investments, IPO activity, and more.
– Steve Morgan, Editor-in-Chief
Menlo Park, Calif. – May 31, 2017
Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the next five years, from 2017 to 2021.
In 2004, the global cybersecurity market was worth $3.5 billion — and in 2017 we expect it to be worth more than $120 billion. The cybersecurity market grew by roughly 35X over 13 years.
While all other tech sectors are driven by reducing inefficiencies and increasing productivity, cybersecurity spending is driven by cybercrime. The unprecedented cybercriminal activity we are witnessing is generating so much cyber spending, it’s become nearly impossible for analysts to accurately track.
We anticipate 12-15 percent year-over-year cybersecurity market growth through 2021, compared to the 8-10 percent projected over the next five years by several industry analysts.
IT analyst forecasts are unable to keep pace with the dramatic rise in cybercrime, the ransomware epidemic, the refocusing of malware from PCs and laptops to smartphones and mobile devices, the deployment of billions of under-protected Internet of Things (IoT) devices, the legions of hackers-for-hire, and the more sophisticated cyber-attacks launching at businesses, governments, educational institutions, and consumers globally.
It is likely that analyst firms will catch up with our projections in 2017 — and update the disproportionately low share of total IT spending which security is expected to account for (over the next 5 years) in their current reports. By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion.
Enterprise security budgets are trending up
Many corporations are hesitant to announce breaches they’ve suffered — and the amounts of their increased security budgets — for fears of reputational damage and of antagonizing cybercriminals.
Rob Owens, Senior Research Analyst for Security and Infrastructure Software at Pacific Crest Securities, recently told Investor’s Business Daily that he sees pent-up demand for cybersecurity spending. He says companies still aren’t spending enough on security. “I think security has been an under-spend area for decades. You’re spending about 3% of your capex (capital expenditures) that’s focused on IT on security. That’s relatively low.”
There are some corporations who have come forward with increased cybersecurity budgets. J.P. Morgan Chase & Co. doubled its annual cybersecurity budget from $250 million to $500 million. Bank of America has gone on the record stating it has an unlimited budget when it comes to combating cybercrime.
Microsoft Corp. will continue to invest over $1 billion annually on cybersecurity research and development in the coming years, according to a senior executive at the tech giant.
The White House states the U.S. Government will invest over $19 billion for cybersecurity as part of the President’s Fiscal Year (FY) 2017 Budget. That is up from the $14 billion budgeted in 2016. This represents a more than 35 percent increase from FY 2016 in overall Federal resources for cybersecurity, a necessary investment to secure our Nation in the future.
IT security spending has become more difficult to track
Historic analyst reports are rooted in ‘IT security’ (servers, networking gear, data centers and IT infrastructure, PCs, laptops, tablets, and smartphones) and not fully evolved to ‘cybersecurity’ which includes non-computer devices and non-IT centric platforms and environments — which covers entire sub-markets i.e. aviation security, automotive security, IoT security, and IIoT (Industrial Internet of Things) security. All of those market segments combined make up the cybersecurity market.
Even IT security services are difficult to fully size. Tech is a cottage industry which includes tens of thousands of VARs (value-added-resellers), IT solution providers, and SIs (systems integrators) who wrap IT security services around the IT infrastructures they implement and support — but (most of) these firms don’t break out and report cybersecurity revenues as a separate bucket.
“A large portion of information security related spending is not accounted for as being information-security related” writes Joseph Steinberg, an Inc. Magazine columnist covering cybersecurity. “Consider, for example, that an organization developing a software package for internal use might spend money from its development budget on technology to scan code for vulnerabilities – the expenditure, however, may never be tracked back to an information-security budget” adds Steinberg.
Big branded tech companies with sizable professional services organizations providing cybersecurity services have yet to set up specific divisions or revenue reporting which analysts need in order to capture accurate market figures.
There’s also many new players getting into cybersecurity. CPAs and attorneys who used to answer their clients’ what-if and what-now questions around data breaches — are now starting up lucrative cyber consulting divisions.
The IT Security Spending Survey — published by SANS Institute in 2016 — states “Tracking security-related budget and cost line items to justify expenditures or document trends can be difficult because security activities cut across many business areas, including human resources, training and help desk.
SANS states that most organizations fold their security budgets and spending into another cost center, whether IT (48%), general operations (19%) or compliance (4%), where security budget and cost line items are combined with other related factors. Only 23% track security budgets and costs as its own cost center. SANS makes an astute observation which may account for the shortfall in IT spending projections by some researchers and analysts.
Consumer cybersecurity spending is not fully accounted for
Consumer spending on information-security is often impossible to track, according to an Inc. Magazine article. How can analysts possibly know, for example, when, after a malware infection, someone pays a consultant to wipe and restore-to-factory-settings his or her computer or smartphone.
Spending in the consumer category includes personal identity theft protection services, computer and mobile phone repair services specific to malware and virus removal, installation of anti-virus and malware protection software, post-breach services including data recovery and user education on best practices for personal cyber defense.
The consumer cybersecurity market is much bigger than just the anti-virus and malware defense apps that are purchased or come pre-installed. Much like corporations, consumers are spending time and money as a result of cyber-attacks.
Cybercrime damages will cost the world $6 trillion annually by 2021
Cybersecurity Ventures predicts cybercrime will continue rising and cost businesses globally more than $6 trillion annually by 2021. The estimate is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation state sponsored and organized crime gang hacking activities, a cyber attack surface which will be an order of magnitude greater than it is today, and the cyber defenses expected to be pitted against hackers and cybercriminals over that time.
The cybercrime cost prediction includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
The worldwide cyber damage estimates do not include unreported cybercrimes, legal and public relations fees, declines in stock and public company valuations directly and indirectly related to security breaches, negative impact on post-hack ability to raise capital for start-ups, interruptions to e-commerce and other digital business transactions, loss of competitive advantage, departure of staff and recruiting replacement employees in connection with cyber-attacks and resulting losses, ongoing investigations to trace stolen data and money, and other.
Market researchers size information security spending
A Gartner report projected global spending on “IT security” products and services would top $81 billion in 2016, an increase of 7.9% over the prior year (this is not a “cybersecurity” projection that would include all aspects of cyber defense i.e. consumers, IoT devices, automobiles, etc.). The largest areas of information security spending are consulting and IT outsourcing, according to the report.
A 2016 report from BI Intelligence — Business Insider’s research service — estimated $655 billion will be spent on cybersecurity initiatives to protect PCs, mobile devices, and Internet of Things (IoT) devices between 2015 and 2020. BI breaks down the forecasted spending as follows: $386 billion spent on securing PCs; $172 billion spent on securing IoT devices; and $113 billion spent on securing mobile devices.
A Morgan Stanley Blue Paper published this past summer — “Cybersecurity: Rethinking Security” — examines why and how digital security could evolve in the next several years—and what these changes mean for investors.. and asserts the cybersecurity market could grow by more than four times overall IT spend.
North America and Europe are the leading cybersecurity revenue contributors, according to a report from TechSci Research. Asia-Pacific is rapidly emerging as a potential market for cyber security solution providers, driven by emerging economies such as China, India and South-East Asian countries, wherein, rising cyber espionage by foreign countries is inducing the need for safeguarding cyber space.
India should see huge cybersecurity market growth over the next decade. According to Data Security Council of India (DSCI), India’s cybersecurity market is expected to grow nine-fold to $35 billion by 2025, from about $4 billion. This would mainly be driven by an ecosystem to promote the growth of indigenous security product and services start-up companies.
According to IDC, the hot areas for growth are security analytics / SIEM (10 percent); threat intelligence (10 percent +); mobile security (18 percent); and cloud security (50 percent). A Tech Republic story states the cloud security market is expected to be worth $12 billion by 2020, according to a report from Transparency Market Research.
Government spending on cybersecurity has increased at an average annual rate of 14.5% between FY 2006 and FY 2017, outpacing procurement in every other type of major government program, according to Scott Homa, Senior Vice President for Mid-Atlantic Research at Jones Lang LaSalle IP, Inc. (JLL), a financial and professional services firm specializing in commercial real estate services and investment management with 60,000 employees across 280 corporate offices worldwide.
Demand for vendor-furnished information security products and services by the U.S. federal government will increase from $8.6 billion in FY 2015 to $11 billion in 2020 at a compound annual growth rate (CAGR) of 5.2 percent, according to “Deltek’s Federal Information Security Market Report”. Deltek states that as federal agencies struggle to stay ahead of the cybersecurity threats, more and more of their IT spend is being devoted to cybersecurity, reaching over 10 percent of IT spend by 2020.
Stay tuned for the 2018 Cybersecurity Market Report coming in Jun. 2018.
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.