This article differs from the ones I have written before. You may be used to my pieces, which usually cover in-depth aspects of cyber-security, especially SAP Cybersecurity. I’m pretty sure you’ve learned a lot about different technologies and hacking techniques and are keen to use them in practice. Now it’s time to take a short break and to look at the cyber-security market in general, to see what it looks like, which way it is evolving, and which career path to choose.
The cyber-security market is growing rapidly, and now it is estimated at $75-100 billion a year [1]. What does “a market is estimated” mean? Simply put, $75 billion is the amount all companies spend on solutions and services related to cyber-security. So, it is a kind of big pie shared by different cybersecurity companies.

This is what the “Cybersecurity pie” looks like
On the one hand, this amount is rather big. On the other hand, many large companies don’t take note of it. A company that enters the cyber-security market may, in the mid term, gain 10 percent within several years, that is, $7.5 billion. Not all big IT players find such a piece of the “pie” interesting. Just to compare: the e-learning market is also developing and is estimated at $100 billion a year. If we compare the cyber-security market, for example, with the automotive industry, it is hardly anything. All automakers earn about nine trillion dollars per year in total. So if, say, Apple decides to enter a new market, it is unlikely to introduce a kind of iFirewall. What’s the use if it is more profitable to go in for self-driving or electric cars? So, we will rather ride an iCar soon.
However, it seems reasonable to consider cyber-security not as a separate market but as a part of security in general, which includes state military spending. Just think, who needs all those tanks, rockets, and other scary things when it is possible to perform a cyber-attack on an oil tank or an electrical grid? And if we look at the cyber-security market as a part of the defense industry, it looks much more attractive because it is estimated at a trillion dollars a year.
Short overview

Just 10-15 years ago, there were about a couple of dozen product-based companies on the cyber-security market. They were developers of antivirus software, firewalls, and a couple of vulnerability scanners. The whole market was estimated to be worth a few billion, which is next to nothing in comparison with the current state. And if we went back 20 years, there was not even a term like “cyber-security market.”
Now, there are about 1300 software companies that are fully or partially engaged in info security [2]; 250 of them appeared just last year, and their number will exceed 1500 by the end of this year, according to conservative estimates. However, in my opinion, this number is likely to pass the two-thousand mark. The growth is significant, to say the least: tenfold within ten years.

Most of the cyber-security companies are located in the USA, and only Israel tries to beat them in this game.
What companies share the cyber-security market? Of course, it is impossible to list all of them. In this article, I’ll focus on the most noteworthy and influential market players.
The cyber-security market can be divided into two big groups: software vendors and solution providers. Let’s look at them more closely.
Software vendors

The software vendors, in turn, can also be divided into several groups. The first one develops security software along with other solutions; the second group focuses on security only. Within the second group, there are big enterprises as well as small companies. Together they constitute one-third of the cyber-security market, that is, about $25 billion.
Big software companies which are engaged in cyber-security are estimated to be worth about 10 billion, or 15% of the market. These companies (e.g. Microsoft, IBM, HP Enterprise, Cisco, Dell/EMC, Intel and some others) have one thing in common: a rather small share of income from security products. Exact estimates are hard to get; in my opinion, the security business plays an important role in the annual reports only for Cisco and HPE.
Not all big software vendors are interested in having a slice of the “cybersecurity pie.”
Another fact worth mentioning is that most of such companies rarely invent something innovative and brand-new in the field of information security. Their business strategy is rather simple: if they see a budding startup, they buy it and its developers and continue to use the existing processes and distribution channels. In general, regarding innovative developments, large enterprises are not the most interesting place to work for a security wannabe. Anyway, there are some advantages of working there.
The second subgroup is large companies that work in the cyber-security area only. They make up 15% of the market, or $10 billion per year.
Below is the listing of such companies with their approximate turnover (in billions of dollars).
Here comes the third subcategory, namely small cyber-security companies with annual revenue of less than $100 million. Their combined income is less than $5 billion a year; it is only about 3% of the overall market.
It makes no sense to list them: while their number is growing continually, many of them disappear. Some are sold to big vendors, others cannot survive in the highly competitive market. If you need an example of such companies, just take a glance at the list of RSA exhibitors; there you can find at least 30% of them.
Cybersecurity start-ups have a small, but weighty piece of the pie
Anyway, it is such companies that invent promising solutions which tend to form new product categories. Remember that SIEM and Vulnerability Management solutions were new disruptive product categories some years ago, before becoming common tools.
Not so long ago, all the companies listed in the previous chart were start-ups with fifty employees or even fewer. It will not be long before, for example, a Rapid7 outperforms a Fortinet and a company we have never heard of becomes the next Rapid7. This process is now faster than ever: the way from a start-up to a company with $100 million in revenue used to take fifteen years, and now a company can reach this point within 7-8 years. With external investments, of course.
Anyway, those small companies are the places where you can quickly learn a lot and invent something that can change history.
Service Providers

The second large part of the market is companies that outsource cyber-security or sell products on a subscription model. The service market amounts to about 60% of the “cybersecurity pie.” It can be roughly divided into Consulting, Implementation, and Outsourcing.
Outsourcing

Outsourcing is estimated at $15 billion, of which 9 billion is MSSPs, or Managed Security Service Providers.
According to Gartner, 40% of all security technology acquisitions will be directly influenced by MSSP and on-premises security outsourcing providers by 2020.
In fact, most o