While experts often disagree about the total size of the cybersecurity market – that is, how much money is spent on cybersecurity worldwide each year – one thing seems clear: many figures grossly underestimate actual spending.
Here are eight reasons, based on a conversation that I had with Steve Morgan, CEO and Editor-in-Chief at the cybersecurity research firm Cybersecurity Ventures:
1. A large portion of information-security-related spending is not accounted for as being information-security related. Many organizations developing software packages for internal use, for example, spend money from their development budgets on technology to scan code for vulnerabilities – but, in many cases, those expenditures, as well as any others incurred to ensure that the software being developed is secure, are never tracked back to an information-security budget.
2. Similarly, Value Added Resellers (VARs) and consultants doing security work don’t always define their products and services as “security.” Many networking projects, for example, include the purchase of security components that are not classified as such within formal budgets. Sometimes, even when the products are attributed to a security need and budget, the associated services are not. For example, if networking consultants install and configure a firewall (which occurs regularly, even though such an arrangement is not recommended, since firewall policy is a security decision rather than a connectivity one), their work may never be categorized as a security expenditure.
3. Smaller businesses do not report revenue to analysts, and there are many such businesses in the information-security space. It is hard to know how much smaller businesses spend on security technology and services – especially when they buy from smaller cybersecurity providers (as is often the case). This is especially true of services: small businesses frequently use the security services of individuals or local boutique consulting companies rather than larger national, or even regional, firms.
4. Consumer spending on information security is often impossible to track. How can analysts possibly know, for example, when someone pays an independent consultant to wipe and restore to factory settings his or her computer or smartphone after a malware infection? Likewise, does anyone count as security spending the money that people use to purchase dedicated laptops or specialized devices to securely store the private keys for their cryptocurrency holdings (AKA wallets)?
5. In today’s world, lawyers, accountants, insurance agents, and other professionals not directly involved in the information-security profession often provide advice related to information-security and privacy concerns. In some cases, they bill for time spent on information-security-related matters – but they rarely categorize the related charges as being for information security. Furthermore, accounting practices, insurance agencies, and law firms typically do not report revenue information to cybersecurity analysts. Consider how many people whose primary professional focus is not information security have been involved with GDPR-related matters over the past year – and how many of their salaries have actually been allocated to information-security budgets?
6. Because information security changes so rapidly, there are many startups and younger firms displacing older firms in specific deals, areas, and markets, as well as bigger firms trying to cash in on the action. The downward pricing pressure that FireEye discussed a couple of years back, for example, could have stemmed from the actions of firms like IBM and Cisco, or from those of any one or more of the many startups that enter the cybersecurity market each year.
7. Cybersecurity professionals shifting focus may divert some revenues from older, more established firms to newer, smaller firms that are less likely to report sales figures to analysts. Older firms tend to sell products that improve on areas of security for which customers already have some solution, while many startups introduce products that address risks for which customers have no defense at all. As I discussed in an interview in Forbes, this is one of the reasons that I chose to create SecureMySocial rather than pursue various other product ideas that I had contemplated. Once prospects understand that they have unaddressed risks, they may divert resources from “improvement projects” to “get something in place” projects – thereby extending sales cycles and delaying or reducing other purchases. Such actions may give older firms the impression that there is a downtrend in spending, when all that is truly happening is a redirection of spending.
8. Some large information-security providers don’t break out information-security revenues from their consulting revenues. Some big technology firms, for example, still consider security to be a part of everything that they do, and do not separate it into its own category.
The bottom line – It is possible, if not likely, that many measurements of the cybersecurity market size significantly underestimate actual spending.