The world is abuzz with new connections. Cars, fridges, houses, factories—the list of things that can be controlled and monitored remotely grows daily. At the same time, more and more people around the globe have access to these new technologies and depend on them in their daily life. But the mass of interconnected things, referred to as the Internet of Things (or Internet or Everything), and technological innovation comes with a risk: it increases the number of potential targets for malicious cyber activity.
Cyber adversaries are constantly contriving new ways to exploit vulnerable systems and networks, thus forcing organisations—from banks to energy companies, from government agencies to charities—to strengthen their cyber defences. The growing security needs of these organisations are expected to underpin the rapid growth and evolution of the global cyber security industry over the next decade. Global spending on cyber security is expected to almost double by 2026, from around US$126 billion today, as shown in Exhibit 2. This surge in demand provides a substantial growth opportunity for cyber security businesses in Australia and elsewhere.
Over the next decade, the industry will become more diverse and sophisticated, as businesses will continue to refine their product offerings to meet the varying cyber security needs of their customers. However, the outlook for the main product types (hardware, software and services) and security needs is not uniform. It is driven by differences in current size, projected demand, export potential and ability to create more jobs, particularly jobs of high quality.
The Internet of Things, Cloud Computing and the convergence of IT and operational technology (OT), are some of the current important disruptive technological trends that will contribute to the future demand of cyber security solutions. They will increase demand for all forms of cyber security, particularly software. These disruptive technological trends will continue to evolve, and as they do it will bring demand for new cyber security solutions.
The global cyber security market is currently worth around US$126 billion and is projected to roughly double to US$251 billion over the next decade, as shown in Exhibit 2. Roughly three-quarters of the global expenditure on cyber security comes from cyber security ‘users’ (organisations and individuals seeking to defend themselves against malicious cyber activity) who purchase the products and services of external cyber security ‘providers’ (both specialist cyber security firms and IT or telecommunications firms with cyber security offerings). The remaining quarter is the internal expenditure of cyber security users on their in-house capabilities, principally wages of their IT staff who specialise in cyber security.
Analysis based on available market data and expert interviews suggests that this trend will accelerate in the future. While money spent on in-house or internal cyber security functions is expected to grow by around five per cent per cent each year over the decade until 2026, global spending on external cyber security products and services is set to increase by nearly eight per cent per cent annually over the same period.
Several trends are supporting the growth outlook:
- Expanding threat of cyber attacks – Malicious cyber activity is on the rise, as criminals use ever-more sophisticated strategies to infiltrate systems and networks. For example, an average client of technology company IBM Corporation experienced 178 security incidents in 2015, 64 per cent more than in the previous year. Software provider Symantec Corporation discovered more than 430 million new unique pieces of malware in 2015, up 36 per cent from the year before. The frequency of so-called mega breaches, defined as the loss or theft of over ten million personal data records at once, has soared to record highs globally. But official numbers likely only represent the tip of the iceberg, as more and more companies choose not to reveal the full extent of the data breaches they experience. Symantec estimates the true number of lost records to be closer to half a billion. Cyber threats have increased markedly in Australia, too. Between July 2015 and June 2016, CERT Australia—the national Computer Emergency Response Team—responded to 14,804 cyber security incidents in Australian businesses, 34 per cent more than in the twelve months prior, according to recent threat reports by the Australian Cyber Security Centre. Energy and financial services companies were the most affected. Meantime, the Australian Signals Directorate responded to 37 per cent more government cyber security incidents in 2014 compared to previous years.
- Mounting exposure to cyber risk – The rapid expansion of Internet-enabled economic activity and the number of connected devices and systems increase the certainty of widespread malicious cyber activity. People in far corners of the globe are gaining online access, as the world is becoming more digitalised and interconnected. This is partly attributable to smartphone penetration, which has risen remarkably in many countries. Everyday items such as watches, fridges and cars are now Internet connected, as are important customer databases, power plants and government payment systems. This increases the volume and quality of information shared electronically and widens the range of potential targets for perpetrators.
- Growing risk awareness – Recent high-profile cases of malicious cyber activity and media coverage of data breaches have made companies and other organisations increasingly aware of the risks cyber adversaries pose to their businesses. A recent survey by Telstra shows that executives across every business sector in Australia are now concerned about cyber security. A majority of executives are briefed at least quarterly on cyber risks and mitigation strategies. The survey also reveals that cyber security programs are increasingly seen as a “boardroom issue”. In 35 per cent of companies surveyed across Asia, cyber security programs are dealt with by top-level executives and board members, although the number is still significantly lower (at around 19 per cent) in Australia.
- Increasing regulation of cyber risk – Governments of many countries are seeking to bolster their national defences against cyber attacks and other malicious cyber activity, and they are increasingly concerned about the cyber defences of sectors within their economies. Many governments worldwide have begun to issue new laws and regulations to ensure confidential information remains secure. These new regulations challenge organisations to have the right cyber security controls in place and will likely entail further security spending. For example, regulatory oversight has forced banks and insurance firms to be acutely aware of malicious cyber activity threatening their operations. The Australian Prudential Regulation Authority (APRA) obliges board members and executives to fully understand current cyber security risks and expects them to be well-informed in relation to their organisation’s ability to prevent, detect and respond to any attack. The result: 85 per cent of boards or board committees in the Australian financial industry are now receiving periodic updates on cyber security.
1.3 Three basic security needs shape demand for different cyber security product types
Cyber security is no longer just firewalls and off-the-shelf virus software. In recent years, the breadth and depth of cyber security has evolved significantly. Today, it encompasses a sophisticated range of products and services that exist alongside a complex chain of activities used by organisations to build and operate their cyber security systems.
These activities can be grouped into three fundamental security needs that shape demand for cyber security products and services. Combining the different security needs and product types, as shown in Exhibit 3, provides a helpful structure through which to understand the diversity of the global cyber security industry.
Three security needs drive demand for cyber security products and services:
- Building a protection ‘stack’: The protection ‘stack’ is best understood as the basic infrastructure that protects an organisation’s IT networks and computer systems. It includes basic hardware, such as firewalls, routers and sandboxes, and a range of software tools including intrusion prevention systems (IPS). Organisations also need to protect software applications and systems that perform critical network tasks, and they need to ensure that the endpoints of their network (such as user devices) are properly managed and secured.
- Maintaining operational security: Once they have established a basic security infrastructure, organisations need to monitor and maintain their safety networks and systems. Some maintenance tasks are fundamental and ongoing, for example the security assessment and associated analytics to identify risks and detect attacks on their networks. Organisations also need to maintain their identification and access management systems to ensure only authorised staff enter their networks. When cyber security incidents do occur, organisations must have the capability to respond to the incident, fix weaknesses and restore their systems.
- Strengthening underlying structures: An organisation will only be successful in fending off cyber adversaries if it creates a strong culture of risk awareness. It needs clear rules for compliance, governance and risk-management. It also needs to ensure that all staff are well-trained and conscious of common cyber security threats.
The security needs of users vary across sectors and organisational sizes, and evolve over time depending on the maturity of their cyber security strategies, changes in technology and the shifting nature of cyber threats. For most organisations, these needs are met through a combination of their internal capabilities and by sourcing from external cyber security providers.
There are three main product types that are typically sourced to meet an organisation’s cyber security needs: hardware, software and services. The markets for these different product types are generally distinct and display differing characteristics in terms of size and growth, exportability, job-creation potential and job quality (wage level and security of jobs). The three product types are also affected differently by major technological trends.
There are some areas of overlap between product types: for example, software is increasingly delivered as a service rather than a standalone product, and hardware devices are often combined with proprietary software. However, dividing the market into these three basic product types remains meaningful and useful for this analysis.
Hardware manufacturers build the physical devices, such as firewalls and encrypted USB flash drives, that help protect IT networks against malicious cyber activity.
Size: Hardware forms the smallest product type of the cyber security industry, accounting for 11 per cent of the industry’s external revenue—equivalent to US$10 billion of worldwide cyber security spending. It is most heavily concentrated in the protection stack, with the bulk of revenue generated providing clients with core system protection and management. Outside the protection stack, Exhibit 4 shows that spending on hardware is very limited.
Growth: While the global demand for cyber security is projected to increase significantly over the next decade, hardware producers will receive a relatively small share of the industry’s growth. The external global spending on physical IT protection equipment is estimated to increase by
US$5.6 billion over the ten years to 2026, equivalent to an average growth rate of 4.5 per cent per year. This represents only a fraction of the projected total industry external demand growth of more than US$106 billion over the same period.
Exportability: Cyber security hardware manufacturers have ample scope to export their products and compete in a global marketplace with relatively few barriers. The export of some cyber security hardware products with potential use in defence may be limited by the Wassenaar Arrangement, a multilateral export control regime comprised of 41 states including Australia. It promotes transparency and information exchange to ensure that the transfer of certain goods and technologies, particularly those with dual-use, does not enhance military capabilities that undermine international and regional security and stability.
Job creation and quality: Hardware production supports an average of 4.6 full-time jobs per US$1 million of annual revenue generated, representing a labour intensity that ranks between that of software and services, as seen in Exhibit 5. The quality of jobs in hardware varies widely from design, with high-skilled, high-wage jobs that are unlikely to be automated, to manufacturing, with lower skills required and higher susceptibility to automation.
Software companies within the cyber security industry create the applications that help organisations defend their computer systems and IT networks against intrusion and unauthorised use. Typical examples are applications for secure messaging, anti-malware, anti-spyware, identity management and network access control.
Size: Software represents the cyber security industry’s second-biggest product type. In 2016, it accounted for over US$28 billion of the world’s total external cyber security spending, or 30 per cent of the industry’s revenue, as shown in Exhibit 4. The use of software is currently concentrated around the protection stack: providing application protection, protection of endpoints and data at rest, and offering programs for the core system protection and management. It is also used in operational security, particularly for identity and access management.
Growth: The growth outlook for cyber security software is strong. In the decade to 2026, external demand for cyber security software is expected to increase at an average annual rate of 6.4 per cent. This demand growth is forecast to be strongest in security operations, as users seek more effective solutions for security assessment and analytics, and identity and access management. Application protection, currently the largest security need in software, is expected to remain an area of focus.
Exportability: The market for cyber security software is strongly globalised, with relatively few barriers to trade. This has led to a concentration of market share in a small number of countries: firms domiciled in the US control 61 per cent of the global market, while Israeli firms dominate around 18 per cent. Country-specific rules protecting intellectual property could act as a barrier to export software, however.
Job creation and quality: Exhibit 5 shows that software tends to be less labour intensive than hardware or services, supporting an average of 4.0 full-time jobs per US$1 million of annual revenue. The quality of jobs in software is generally very high: the jobs are high-skilled and well paid, and there is low risk of automation impacting job security.
Cyber security service providers meet a broad array of organisations’ security needs. For example, they may help manage a company’s core computer system defences, assess network vulnerabilities or provide a security strategy plan. Some act as ‘first responders’ when an organisation has suffered a security incident, while others offer specialised advice on risk and compliance issues.
Size: Services form the largest product type in the cyber security market, generating around 60 per cent, or US$56.1 billion, of the industry’s global external revenue, as shown in Exhibit 4. Demand is highest in security operations, and specifically in security management, assessment and analytics. This includes, for example, setting up real-time monitoring systems for servers, endpoints and network traffic to rapidly detect any potential malware or data loss. Firms in this one segment attract more than a quarter, or US$15.6 billion, of the entire global spending on external cyber security services.
Growth: Services enjoy the strongest growth outlook within the global industry. Over the next decade, the global spending on external cyber security services is expected to increase by 8.8 per cent per year. Growth is expected to be strongest for security operations, with an additional US$43.6 billion in demand forecast over the next decade.
Exportability: Cyber security services are exportable, but country-specific regulation and IT infrastructure can make services trade more challenging. For example, firms that help configure and manage a client’s firewall may be limited in their reach by existing cross-border data regulations. Similarly, firms offering security management, assessment and analytics worldwide may require local offices to effectively service customers abroad. The assessment in Exhibit 6 shows that the exportability of incident recovery and response services is most limited by such factors, while application protection services and awareness, training and oversight are the least affected.
Job creation and quality: Exhibit 5 shows that, on average, services support 6.4 full-time jobs per US$1 million of annual revenue, marking the highest rate of job creation among the three product types. However, the quality of services jobs is less consistent and tends to be lower than that of cyber security jobs in the hard- and software segment of the industry. Services jobs in identity and access management, for example, typically require lower skills and pay lower wages than others. Automation is also more likely to impact services than other areas of cyber security, as advanced machine learning and artificial-intelligence (AI) software will continue to take over an increasing number of tasks previously done by people. This trend is particularly acute in the area of monitoring threats.
1.4 Technology is reshaping the industry
While every industry is affected by technological change, perhaps none is impacted more than the cyber security industry. Several major trends are likely to unfold in coming years, which will shape the structure of cyber security markets. For some organisations, many of the looming technological changes will be disruptive. For others, they could work as a tailwind. Analysis suggests that software firms generally appear best positioned to benefit from the following five major technological trends:
- Convergence of Information Technology and Operational Technology: Historically, technologies used to control production plants and machines (operational technology, or OT) have differed from computer hardware and software technologies used to manage the general data flow of an organisation. Over the last few years, however, operational technologies, such as sensors to monitor the temperature or water pressure during production, have become increasingly computerised. More and more firms are now equipping their machine-monitoring devices with IT-like features to integrate computer systems, save cost and speed up production. This convergence of OT and IT leads to increasingly complex networks, whose multiplying endpoints and data types call for more sophisticated cyber defences. The vulnerability of these merged systems generates fresh demand for most security product types.
- Mobile Internet: The number of people owning a smartphone and using the internet continues to climb. A survey by U.S. research organisation Pew Research Center found that across eleven industrialized countries, a median of 68 per cent of adults owned a smartphone in 2015, with even higher rates of smartphone ownership in Australia (77 per cent) and South Korea (88 per cent). Smartphones are also on the rise in emerging and developing countries, where their penetration rate increased to 54 per cent in 2015, from 45 per cent two years earlier. Two thirds of adults worldwide use the internet, according to the research, and a growing share of them now use their mobile phones to go online. This rapid increase in smartphone usage worldwide is multiplying the number of endpoints in networks and propelling demand for cyber security products. It is especially likely to drive investment in identity and access management.
- Artificial intelligence and big data: Rapid improvements in artificial intelligence and advanced machine learning are changing the modern workplace. Increasingly, computers are used to perform tasks that rely on complex analyses, subtle judgments, and creative problem solving—a trend coined as “automation of knowledge work”. McKinsey estimates that today’s available technologies could automate 45 per cent of activities that people are currently paid to perform. In cyber security, these advances are already starting to change the way threats can be identified by reducing reliance on human network monitoring activities. This will benefit software developers, as firms increase their demand for applications to identify, analyse and manage cyber security threats. In the medium to long term, service providers will be disadvantaged but the transition to greater automation will likely increase the demand for services in the short term.
- Cloud computing: The evolution of cloud computing technologies is becoming a major driver of business efficiency. The ability to store huge amounts of data and bundle an array of IT solutions in one location is a powerful tool for firms to save costs and simplify their IT infrastructure. The growing adoption of this technology has moved the potential area of malicious cyber activity from the corporate network to cloud computers managed by third parties. This is prompting firms to think differently about how to secure their operations. Several cloud computing providers are already offering an array of network protection products and services through the cloud itself. This reduces the need for firms to purchase their own cyber security infrastructure and dampens the outlook for hardware producers, while generating more demand for security operations to manage and monitor access to the cloud.
- Internet of Things: The world of consumer products is turning into a network of interconnected things. Cars, buildings, fridges and a myriad of other devices of everyday use are increasingly equipped with sensors, voice-control systems, internet access and data-processing features. Today, a smartphone can communicate with wearable devices to monitor a patient’s health, while smart cars can sync with a user’s calendar to monitor petrol needs or plan routes. The growing number of interconnected devices and the expansion in data types and volume will increase the risks of malicious cyber activity, and generate new sources of opportunity for providers of cyber security solutions. This is likely to benefit software developers, as new types of endpoints need to be secured and threats identified.
Exhibit 7 summarises how these five major technological trends may impact the cyber security industry and its products.
Several other important technologies could also have profound implications on the structure of the cyber security industry. Two that garner attention right now are blockchain and quantum computing.
Quantum computing is considered a breakthrough technology that is still in development but, if made a reality, would spark a major upheaval in the current cyber security industry. Australian researchers are currently among the leaders in a global race to develop quantum computers, and home-grown startups like QuintessenceLabs are at the forefront of offering new quantum-safe encryption technologies (see Box 6).
Similarly, the disruptive power of blockchain technologies may bode well for Australia with its well-established financial services industry. It is difficult to predict how these trends will end up impacting different segments of the cyber security industry, but the potential for Australia to seize its competitive edge in both bitcoin and quantum computing is significant.
Any analysis of potentially disruptive technological trends needs to factor in a high degree of uncertainty, but this uncertainty is particularly stark in cyber security. Unlike other industries in the ICT sector, cyber security evolves around the existence of an adversary: it has to constantly respond to highly unpredictable, destructive activities. Despite our best predictions and preparations, we never know where future attacks will come from and how the industry will be forced to reshape in response.
Table of Contents
- 1. The Global Outlook for Cyber Security
- 2. The Potential of Australia’s Cyber Security Industry
- 3. Challenges to Australia’s Cyber Security Industry
- 4. Building a Competitive Australian Industry
- 5. The Role of ACSGN
- Appendix A: Industry Knowledge Priorities
- Appendix B: Methodologies and Assumptions