
Global Cybersecurity Spending Predicted To Exceed $1 Trillion From 2017-2021

Cybersecurity Ventures’ 2019 Cybersecurity Market Report sponsored by Secure Anchor

Steve Morgan, Editor-in-Chief

Sausalito, Calif. – Jun. 10, 2019

The cybersecurity market is continuing its stratospheric growth and hurtling towards the trillion dollar mark that we originally predicted on May 31, 2017.

In 2004, the global cybersecurity market was worth $3.5 billion — and in 2017 it was expected to be worth more than $120 billion. The cybersecurity market grew by roughly 35X over 13 years entering our most recent prediction cycle.

Cybersecurity Ventures predicts global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021.

Worldwide spending on information security (a subset of the broader cybersecurity market) products and services exceeded $114 billion in 2018, an increase of 12.4 percent from 2017, according to Gartner, Inc. For 2019, Gartner forecasts the market to grow to $124 billion, and to $170.4 billion in 2022.

While all other tech sectors are driven by reducing inefficiencies and increasing productivity, cybersecurity spending is driven by cybercrime. The unprecedented cybercriminal activity we are witnessing is generating so much cyber spending, it’s become nearly impossible for analysts to accurately track.

We anticipate 12-15 percent year-over-year cybersecurity market growth through 2021, compared to the 8-10 percent projected by several industry analysts.

IT analyst forecasts are unable to keep pace with the dramatic rise in cybercrime, the ransomware epidemic, the refocusing of malware from PCs and laptops to smartphones and mobile devices, the deployment of billions of under-protected Internet of Things (IoT) devices, the legions of hackers-for-hire, and the more sophisticated cyberattacks launching at businesses, governments, educational institutions, and consumers globally.

It is likely that analyst firms will catch up with our projections by the end of this year — and update the disproportionately low share of total IT spending which security is expected to account for (over the next 5 years) in their current reports. By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion.

“With the increase of cyberattacks occurring, organizations continue to spend more money on security; however, they often spend it in the wrong areas,” says Dr. Eric Cole, founder and CEO at Secure Anchor, and one of the nation’s top cybersecurity experts.

Enterprise and security budgets are trending up

Rob Owens, managing director, Equity Research Analyst at KeyBanc Capital Markets, in a research note earlier this year, said fundamentals for cybersecurity companies “remain strong” for 2019 amid an expected slowdown in overall spending on information technology. “The continued prioritization of security, a robust threat landscape, increased compliance requirements and the continued march to cloud all remain promising drivers of sustained momentum for the sector, lending increased resiliency,” he wrote.

The largest cybersecurity budgets belong to Fortune 500 corporations, with financial institutions seemingly having the deepest pockets. In a 2018 letter to its shareholders, Jamie Dimon, chairman and CEO at J.P. Morgan Chase & Co. (NYSE:JPM), states that the financial services giant spends roughly $600 million each year on cybersecurity (up from a projected $500 million in 2016), with a staff of around 3,000 IT security people.

Several media outlets report that Bank of America splurges roughly the same amount on cybersecurity as does its rival, JPM. BoA’s chairman and CEO, Brian Moynihan, once famously said the nation’s second-largest lender had an unlimited cybersecurity budget, the only place in the company that didn’t have a constraint on spending.

Microsoft Corp. will invest more than $1 billion each year in cybersecurity for the foreseeable future. Satya Nadella, CEO at Microsoft, recently wrote that cybersecurity is the central challenge of the digital age.

Not every industry is seeing an uptick in cybersecurity spending. A 2018 report estimates that energy companies, ranging from drillers to pipeline operators to utilities, invest less than 0.2 percent of their revenue in cybersecurity — while the number of hacker groups targeting the energy sector is soaring. Energy networks are vulnerable to cyberattacks — and hackers can cause massive power outages, placing national defense infrastructures at risk, and endangering millions of citizens.

“Just increasing spending won’t solve the problem, if it isn’t properly aligned with the correct threat,” adds Secure Anchor’s Dr. Cole. “The main problem is that companies are doing good things by increasing their budgets, but they aren’t doing the right things that will stop the attacker.”

U.S. Government spending on cybersecurity

The 2019 U.S. President’s budget includes $15 billion for cybersecurity, a $583.4 million (4.1 percent) increase over 2018. The Department of Defense (DoD) was the largest contributor to the budget. The DoD reported $8.5 billion in cybersecurity funding in 2019, a $340 million (4.2 percent) increase over 2018.

Driven by the federal government’s desire to enhance agency cybersecurity posture at every possible level, Deltek forecasts the demand for vendor-furnished information security products and services by the U.S. federal government will increase from $10.9 billion in FY 2018 to over $14.1 billion in FY 2023 at a compound annual growth rate (CAGR) of 5.3 percent.


68 percent of U.S. businesses have not purchased any form of cyber liability or data-breach coverage, showing that businesses are not adopting cyberinsurance at a rate that matches the risks they face, according to a Cisco paper. However, a majority of the 25 most populous U.S. cities now have cyberinsurance or are looking into buying it, according to a Wall Street Journal survey.

Legislation such as 2018’s EU General Data Protection Regulation (GDPR) is helping drive the demand for cyber insurance as healthcare providers, financial services firms, and companies in all industries are tasked with keeping user data safe — and recovering from data breaches and ransomware attacks. Market forecasts for cyber insurance policies range from $14 billion by 2022 to $20 billion by 2025, up from less than $1.5 billion in 2016.

Singapore announced the launch of the world’s first commercial cyber risk pool, a facility for providing cyber insurance to corporate buyers, as cyberattacks in the Asia Pacific region become more pervasive. The pool will commit up to $1 billion (USD) in risk capacity and will be backed by capital from traditional insurance and insurance-linked securities markets to provide bespoke coverage.

IT security spending has become more difficult to track

Historic analyst reports are rooted in ‘IT security’ (servers, networking gear, data centers and IT infrastructure, PCs, laptops, tablets, and smartphones) and have not fully evolved to ‘cybersecurity’, which includes non-computer devices and non-IT-centric platforms and environments and covers entire sub-markets, i.e. aviation security, automotive security, IoT security, and IIoT (Industrial Internet of Things) security. All of those market segments combined make up the cybersecurity market.

Even IT security services are difficult to fully size. Tech is a cottage industry which includes tens of thousands of VARs (value-added resellers), IT solution providers, and SIs (systems integrators) who wrap IT security services around the IT infrastructures they implement and support — but (most of) these firms don’t break out and report cybersecurity revenues as a separate bucket.

“A large portion of information security related spending is not accounted for as being information-security related,” according to an Inc. Magazine article. “Consider, for example, that an organization developing a software package for internal use might spend money from its development budget on technology to scan code for vulnerabilities — the expenditure, however, may never be tracked back to an information-security budget.”

Big branded tech companies with sizable professional services organizations providing cybersecurity services have yet to set up specific divisions or revenue reporting which analysts need in order to capture accurate market figures.

There are also many new players getting into cybersecurity. CPAs and attorneys who used to answer their clients’ what-if and what-now questions around data breaches are now starting up lucrative cyber consulting divisions.

The IT Security Spending Survey — published by SANS Institute in 2016 — states, “Tracking security-related budget and cost line items to justify expenditures or document trends can be difficult because security activities cut across many business areas, including human resources, training and help desk.” This commentary remains true in 2019.

SANS states that most organizations fold their security budgets and spending into another cost center, whether IT (48%), general operations (19%) or compliance (4%), where security budget and cost line items are combined with other related factors. Only 23 percent track security budgets and costs as their own cost center. SANS makes an astute observation which may account for the shortfall in IT spending projections by some researchers and analysts.

When asked if companies are spending enough on security, Dr. Cole, previously director of research, architecture director of Cyber Defense Curriculum at SANS Institute for 20 years, and dean of faculty at SANS Technology Institute for 10 years, said, “You cannot always spend more on security, but my real answer is — it depends. Fix the real problems, prioritize what isn’t being done and make a business decision whether it’s better to accept the risk or increase the budget to deal with the risk.”

Dr. Cole asserts that it’s not about how much an organization spends, but what they spend it on. “If a company has un-patched servers, data not properly encrypted and data visible from the Internet without proper classification, and they’re spending all of their security budget solely on these top priority items and not able to fix it, then companies aren’t spending enough on security. However, if you aren’t doing these foundation items but spending millions on the latest and greatest because they’re cool, you’re potentially spending enough, just in the wrong area.”

Consumer cybersecurity spending is not fully accounted for

Consumer spending on information security is often impossible to track, according to an Inc. Magazine article. How can analysts possibly know, for example, when someone pays a consultant, after a malware infection, to wipe his or her computer or smartphone and restore it to factory settings?

Spending in the consumer category includes personal identity theft protection services, computer and mobile phone repair services specific to malware and virus removal, installation of antivirus and malware protection software, post-breach services including data recovery and user education on best practices for personal cyber defense.

The consumer cybersecurity market is much bigger than just the antivirus and malware defense apps that are purchased or come preinstalled. Much like corporations, consumers are spending time and money as a result of cyberattacks.

Cybercrime damages will cost the world $6 trillion annually by 2021

Cybersecurity Ventures predicts cybercrime will continue rising and cost businesses globally more than $6 trillion annually by 2021. The estimate is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation state sponsored and organized crime gang hacking activities, a cyberattack surface which will be an order of magnitude greater than it is today, and the cyber defenses expected to be pitted against hackers and cybercriminals over that time.

The cybercrime cost prediction includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

The worldwide cyber damage estimates do not include unreported cybercrimes, legal and public relations fees, declines in stock and public company valuations directly and indirectly related to security breaches, negative impact on post-hack ability to raise capital for start-ups, interruptions to e-commerce and other digital business transactions, loss of competitive advantage, departure of staff and recruiting replacement employees in connection with cyberattacks and resulting losses, ongoing investigations to trace stolen data and money, and other.

The Ransomware Effect

Ransomware damage costs are predicted to be 57X more in 2021 than they were in 2015. This makes ransomware the fastest growing type of cybercrime. The U.S. Department of Justice (DOJ) has described ransomware as a new business model for cybercrime, and a global phenomenon.

It’s widely reported that more than 90 percent of successful hacks and data breaches stem from phishing scams, emails crafted to lure their recipients to click a link, open a document or forward information to someone they shouldn’t. Training users how to detect and react to these threats is a critical ransomware deterrent.

Global ransomware damage costs are predicted to hit $20 billion in 2021, up from $11.5 billion in 2019, $5 billion in 2017, and just $325 million in 2015, according to Cybersecurity Ventures.

Ransomware attacks saw a 350 percent increase in 2018, according to one estimate. Cybersecurity Ventures expects that businesses will fall victim to a ransomware attack every 11 seconds by 2021, up from every 14 seconds in 2019, and every 40 seconds in 2016.

Global spending on security awareness training and phishing simulation programs for employees — one of the fastest growing categories in the cybersecurity industry — is predicted to reach $10 billion by 2027, up from around $1 billion in 2014. Much of this training is centered on combating phishing scams and ransomware attacks.

One of the most frequently asked questions concerning ransomware is — Should we pay a ransom? Dr. Cole explains that there’s no easy answer for this one. “People have to remember that cybersecurity is a business decision, just like every other decision an executive makes. It’s important to let data drive those decisions, not emotions. It’s easy to say ‘never pay a ransom’ but is that a smart business decision? Ideally, it’s best to be prepared so you have reliable backups and don’t have to pay the ransom, but if you aren’t prepared and the ransom is $50,000, but without paying it you take 3 days to recover the data and every day you lose $1 million, it’s an easy decision — pay the ransom. However, if you do pay the ransom, then be proactive and make sure you’ll never have to pay it again.”

Worth Noting

Cybersecurity Ventures predicts that the global blockchain market will exceed $40 billion by 2025. Results from one survey indicate institutional investors from hedge funds, pension funds, and private equity believe that blockchain technology will have the biggest impact on healthcare, financial services and banking. The study reveals that 39 percent of the investors believe blockchain will do to banking what the Internet did to media.

In 2019, Cybersecurity Ventures expects that Fortune 500 and Global 2000 chief information security officers (CISOs) will reduce the number of point security products/solutions in use at their corporations by 15-18 percent.

Venture capital funding in the cybersecurity space totaled more than $5 billion in 2018, up 20 percent from nearly $4.5 billion in 2017. In 2018, the total amount of funding for Israeli cybersecurity companies grew 22 percent year-over-year to more than $1 billion. According to these figures, Israel, the world’s second-largest exporter of cyber technology (behind the U.S.), accounted for roughly 20 percent of all cybersecurity VC funding.

Based on venture capital dollars invested in cybersecurity, the top 4 countries are (in this order): U.S., Israel, U.K., and Canada.

There will be 3.5 million unfilled cybersecurity jobs by 2021 — enough to fill 50 NFL stadiums — according to Cybersecurity Ventures. This is up from Cisco’s previous estimation of 1 million cybersecurity openings in 2014. The cybersecurity unemployment rate is at zero percent in 2019, where it’s been since 2011.

Stay tuned for the 2020 Cybersecurity Market Report coming in Q1 2020.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.


Sponsored by Secure Anchor

Secure Anchor is founded and directed by Dr. Eric Cole, Ph.D. With more than 30 years of network security experience, Dr. Eric Cole is a distinguished cybersecurity expert and keynote speaker who helps organizations curtail the risk of cyber threats. Dr. Cole has worked with a variety of clients ranging from Fortune 500 companies, to top international banks to the CIA. He has been the featured speaker at many security events and has been interviewed by several chief media outlets such as CNN, CBS News, FOX News and 60 Minutes.