The Potential of Australia’s Cyber Security Industry

by acsgn_admin

2.1 Overview

Cyber security in Australia is a small but fast-growing industry. It is estimated to employ approximately 19,000 people, either as part of an organisation’s internal cyber security workforce or through external cyber security providers, as shown in Exhibit 10. Total expenditure on cyber security amounts to approximately A$4.3 billion, equivalent to around five per cent of the entire Australian information technology sector. Australian demand and employment are dominated by outsourced cyber security services, and more than three-quarters of this market is controlled by foreign firms—mostly operating from local bases and employing Australians. Software and hardware markets are also dominated by imports.

Despite this, there are already a number of Australian cyber security success stories. Australian cyber security providers have developed strong offerings in software and service niches. A number of our software firms have also joined global value chains and established a worldwide reputation for their products (see Boxes 1, 6, 8 and 9 for examples). Firms offering cyber security services, however, still lag behind their export potential. This is at odds with evidence that businesses in Australia generally earn much more revenue (relative to national GDP) from services than their peers elsewhere in the world, indicating that Australia has a fundamental country-specific advantage in services that cyber security firms have yet to use.

Given the small scale of our domestic market, Australia will struggle to become globally competitive in all segments of the cyber security industry. The Australian Government has selected priority sectors through the establishment of Industry Growth Centres; Australia should also concentrate its limited resources on parts of the cyber security industry that are both attractive and where Australia can compete most effectively. Analysis suggests that this includes software in areas of distinctive research capability, and services in the protection stack and in underlying processes. While these segments will be the initial focus of industry development, many of the actions of Government and ACSGN will also support the competitiveness of the industry as a whole.

Australia should also consider the opportunity in cyber security to build on our other national sector strengths, such as resources and financial services. By building products and services that address the specific cyber security needs of these sectors, Australian firms can develop distinctive, competitive offerings for the global marketplace.

2.2 Local demand is strong, especially for services

In 2016, total external spending on cyber security by Australians and Australian organisations reached A$3.46 billion, and it is estimated that organisations spent a further A$919 million on their internal cyber security functions. To put that in context, Australia’s external IT spending in 2016 was around A$85 billion.

However, while external IT spending is forecast to grow by 2.8 per cent in 2017, Australian cyber security external spend is expected to grow by 7.5 per cent annually over the next decade. The growing risk awareness has led companies to invest more heavily in the safety of their networks and IT systems. According to a recent survey by the Australian Government’s Computer Emergency Response Team (CERT Australia), 56 per cent of Australian companies increased their expenditure on cyber security in 2014. That’s more than twice as many as in 2013, when 27 per cent said they had increased their investment.

The demand for cyber security products and services in Australia is comparable to global demand trends, but with a larger emphasis on services. Exhibit 8 shows that 70 per cent of the local industry’s external demand is for cyber security services, compared with around 60 per cent globally.

Exhibit 8:

Australian organisations, more than their global peers, rely on outsourced cyber security services. Almost three-quarters, around A$2.5 billion, of external Australian cyber security spending in 2016 flowed into services. Exhibit 8 reveals that demand is particularly strong for services that strengthen the operational security of a business or other organisation. The dominance of the services segment in Australia may be partly explained by the particular structure of the local economy, where around 95 per cent of all Australian businesses are small and medium-sized enterprises that may lack the scale and resources to run in-house cyber security management teams.

Over the next decade, the current demand pattern is set to intensify as organisations are expected to make even greater use of outsourced services to manage growing security needs and a proliferation of security breaches. It means that cyber security services will likely experience a much stronger growth in demand than cyber security hardware and software. This basic trend applies to both Australia and the world, but in Australia the additional demand is expected to bolster a broad spectrum of different security services—from the protection stack to underlying processes—whereas globally demand is expected to strengthen most notably for security operations services.

2.3 Supply is dominated by imports

Much of the existing domestic demand for cyber security products and services is currently met by foreign providers. For example, there is currently not a single local firm among the 15 largest software providers by value in the Australian cyber security market. The combined market share of Australian firms is estimated to be less than five per cent. This is similar in hardware, with no major Australian hardware providers.

Exhibit 9:

The representation of Australian firms is stronger in services. Although the market data is not strong, interviews and other sources suggest that the market share of Australian home-grown services firms is about 25 per cent, while around half of the market is served by foreign-owned firms with core personnel in Australia (this excludes foreign firms with only a sales presence in Australia).

Putting these findings together provides a view of Australia’s cyber security industry revenue—defined as the sales turnover of businesses employing cyber security professionals in Australia. Estimating industry revenue requires subtracting imports (defined in this context as cyber security products and services provided from abroad without having core personnel in Australia), and adding exports (defined as revenue obtained from serving foreign customers from Australia). This definition captures all the revenues that contribute to Australian cyber security employment. Exhibit 9 shows that Australia’s cyber security industry revenue is around A$2.2 billion.

The varying presence of different types of imports in each of the product types explains much of the current mix of employment in the Australian industry, which is shown in Exhibit 10. Hardware and software are typically directly imported to Australia and create very little permanent local employment. The total number of jobs in these two product types in Australia is probably less than 1,000.

Exhibit 10:

There is a much greater presence of local cyber security providers in services. Paired with the generally higher labour intensity of services, it is estimated that local cyber security services firms are supporting around 3,000 jobs in Australia. Still, foreign service providers with local operations remain the largest employer in Australia’s market for external cyber security. These multinational corporations currently employ almost 7,000 cyber security workers. Since many services are difficult to import directly (for reasons discussed in the previous chapter) and need to be provided through local operations, these firms make a very significant contribution to the overall workforce—only exceeded by employment of in-house cyber security teams, which is estimated to be around 9,000 workers.

2.4 Australian firms have existing strengths in software and services

There are areas of both software and services where Australian firms have been successful in both domestic and international markets. In software, there is a strong ‘beachhead’ of Australian firms in the area of security operations.

Box 1: Making Sense of the Data Explosion

The world is amassing data like never before. But how much of it do we really use? Vast amounts of the growing stockpile of information that’s crowding server centres across the globe has long lost its immediate business value. Such “dark data”, as it is commonly known, comprises a jumble of information that time has rendered irrelevant: expired customer files, records of previous employees, old emails, notes and presentations, historic financial statements or outdated accounts.

Hoarding masses of obsolete data poses a security risk, however, especially if they contain sensitive information. Many organisations have thus begun to tidy up their electronic storage rooms to avert cyber criminals, and Australian IT firm Nuix is among the most powerful to help them master this task.

Nuix is one of Australia’s leading cyber security firms. Founded in 2000 by a team of computer scientists, it has developed powerful forensic software to collect, process and analyse huge amounts of digital data. Its ability to sift through terabytes of large and complex files at high speed has made it a go-to address for leading organisations around the world who need fast and accurate answers—including the United Nations, the U.S. Secret Service, Interpol and the Department of Defence.

Nuix’s software helps clean up unknown, messy and risky data that’s hidden in dark corners of corporate networks. It helps detect and respond to cybercrime, manage insider threats and rapidly find evidence in a lawsuit or audit. Most recently, a global group of investigative journalists used Nuix’s optical-character recognition technology to review 11.5 million documents leaked from a Panama-based law firm.

The investigation, in which Nuix’s electronic discovery software was able to digest 2.6 terabytes of data in just 1.5 days, unveiled a web of hidden offshore accounts entangling several country leaders and other high-profile public personalities. Today, Nuix remains headquartered in Sydney, with additional offices in the U.S., England, Ireland and Germany.

Firms such as Covata, StratoKey, Airlock Digital and Huntsman Security have developed successful software products and established market presence both in Australia and international markets. Nuix, an Australian data analytics and security firm, was the platform chosen by the International Consortium of Investigative Journalists to analyse the files in the Panama Papers (see Box 1).

Box 2: Game-changing high-grade encryption for the field

Penten is a new cyber security company, located in Canberra ACT, that is revolutionising the use of deployable high grade encryption technologies for mobile solutions. Penten also specialises in cyber deception methods and operational integration of cyber security strategies. 

Increasingly, users need access to data from remote locations, and data has more utility when it is mobile. To address this need, Penten has developed the AltoCrypt™ family of solutions to allow mobile access to highly sensitive information from anywhere, without compromising security.

The AltoCrypt™ Stik is an ‘all in one’ deployable high grade encryption device that gives organisations operating sensitive and classified networks an easy to carry and simple to use secure access solution. AltoCrypt™ Stik supports mobility both inside and out of the workplace by replacing a large briefcase based system with a small USB-sized stick. AltoCrypt™ Stik is small, lightweight, powered by USB, operates anywhere and is low cost. AltoCrypt™ Stik delivers a very low network and physical signature.

AltoCrypt™ Stik is designed, manufactured and assembled across Australia and the United Kingdom through partnerships with other Australian based companies.

The founders of Penten are experienced cyber security entrepreneurs, who have already successfully developed and sold an award winning cyber security firm to a major US defence contractor. With a track record of scientific invention, commercialisation and export success of cyber security technology from Australia, the Penten team is now focused on innovating in secure mobility and the emerging field of cyber deception.

Partnerships and collaboration are key to their success. AltoCrypt™ solutions were developed in partnership with the UK cyber security firm Amiosec Ltd. Penten have now also partnered with Downer Group, a leading Australian provider of engineering services, to improve the cyber resilience of critical infrastructure providers.

Australian cyber security software firms are also exporting their products in the protection stack security need (e.g. Mailguard) and in underlying processes (e.g. Secure Code Warrior). The representation of local firms in hardware is weaker, though the innovative work of Penten (see Box 2) and QuintessenceLabs (see Box 6) demonstrates that Australian firms can still play in niche areas of hardware.

The services segment in Australia contains a large number of local firms. In the protection stack, Australian firms such as archTIS and Shearwater Solutions provide services in security architecture and penetration testing. Security operations, while dominated by the large multinational managed services providers, includes some smaller Australian firms and Telstra. It is in the third security need, underlying processes, that Australian firms are strongest, with a range of local providers active, such as Hivint, Cogito Group and Enosys. In addition, Australia’s universities are increasingly active in the training aspect of underlying processes, offering a range of cyber security courses (see Box 11 for details).

Yet very few of these firms are currently exporting their services. Among those that do have a significant presence abroad is Bugcrowd. The company was founded in Australia in 2012, but has since shifted its headquarters to San Francisco, partly to get better access to venture capital. Telecommunications company Telstra has ventured into South-East Asia, through a partnership with Telkom Indonesia comprising a jointly managed data network and security services. Other examples of cyber service providers with large international operations include risk-analysis firm UpGuard and endpoint-protection firm Dtex Systems. Both were founded in Australia but, similar to Bugcrowd, are now headquartered in the US. Some Australian universities also ‘export’ education by offering cyber security courses to international students.

The concept of revealed comparative advantage (RCA) can help identify country-specific strengths by measuring an economy’s current supply of a product or service against the backdrop of global supply. How much more or less successful than the world average is a country when supplying a particular good or service? The RCA index tries to answer that question: values above 1 signal that a country enjoys a comparative advantage in the supply of a certain product or service. In contrast, index values below 1 indicate a disadvantage relative to other suppliers globally.

The analysis in Exhibit 11 reveals that Australian firms and foreign firms with core operations in Australia already earn a much higher revenue (relative to national GDP) in services than their average peers worldwide, highlighting a substantial comparative advantage in the services segment of the cyber security industry. The situation, however, is reversed in the hardware and software segments of the market, where the current revenues (relative to national GDP) of Australian firms and foreign firms with core operations in Australia are significantly lower than the equivalent world average, signalling a comparative disadvantage.

Exhibit 11:

2.5 Australia’s opportunity: focus initially on a limited number of segments

Australian cyber security firms have proven that they can be successful abroad, even in highly competitive markets such as the US and Europe. To emulate the success of these local ‘pioneer’ firms across the wider Australian cyber security industry will require Australia to identify and focus on its country-specific competitive advantages. It also requires developing the talent base and resources to turn its strengths into a competitive edge. While the role of ACSGN is to promote and improve the competitiveness of the entire industry, it will also work to support the development of a number of initial focus segments.

A rigorous framework of analysis has been used to identify several segments within the Australian cyber security industry that promise to generate the largest opportunities for the Australian economy over the next decade. Seven segments appear most noteworthy: three types of software and three types of services meeting the basic security needs (protection stack, security operations and underlying processes), and one segment for hardware. To understand which of these segments warrant the greatest initial focus, they were analysed according to their attractiveness and competitiveness.

  • Attractiveness: Based on the segment’s size and growth internationally and in Australia, its exportability, its potential to create jobs and the quality of those jobs, and its fit with technological trends.
  • Australia’s ability to compete: Based on Australia’s existing presence, any revealed comparative advantage, and the segment’s match with Australia’s skill profile.

As a result of this analysis and extensive interviews with industry participants, which are shown in Exhibit 12, three focus segments stand out: software, services in the protection stack, and services in underlying processes.

Exhibit 12:

Software

Software is an attractive segment in both security operations and the protection stack, with strong existing size in the protection stack and the largest increase in demand forecast for security operations. Software products are highly exportable, and generate high-quality jobs. Software will also be positively impacted by the convergence of IT and OT, mobile internet and the Internet of Things, that will multiply the complexity of networks and security operations. Automation is also likely to emphasise software at the expense of services, as developments in AI and advanced machine learning lead to more sophisticated software-based solutions.

Given the appeal of both these software segments, the best approach for Australia is to consider software as one broad segment and then identify specific areas of research capability upon which we can build a strong software ecosystem. Two possible areas of focus are cryptography (which is typically applied in the protection stack) and data analytics (in security operations), but these will need to be further refined through more detailed assessment of our comparative research strengths.

Though software is attractive, the evidence for Australia’s ability to compete effectively in it is not as strong. Our current revenue in software is very low, which implies a lack of comparative advantage. However, there are several firms that have succeeded both domestically and in export markets. These include Nuix, which has become internationally renowned for its forensic capabilities (see Box 1), Huntsman Security and StratoKey. These beachhead firms can provide a model for the development of a stronger Australian software segment.

Services – protection stack

The protection stack includes a range of services that prevent attackers from gaining access to organisations’ networks, and protect applications and endpoints (see Box 3 for example). Specific services include network security architecture, firewall configuration and management, penetration testing, vulnerability assessment, and patch and configuration management. Services in the protection stack is currently the second largest segment in the Australian industry—after security operations services—and is forecast to experience continued strong demand growth.

While harder to export than software, protection stack services are still relatively exportable because they need in-country technical teams less than security operations services do. The segment requires a strong supply of medium- to high-skill workers, which matches well with the skill profile of the Australian cyber security workforce. The convergence of IT and operational technology (OT), and the Internet of Things are two trends that lead to a higher number of network endpoints and a stronger need to protect these endpoints. While automation may have some negative impact on employment in this segment, strong demand growth will mean that the productivity shock from automation should be limited.

Australia already has a strong domestic protection stack services segment, with the highest revealed comparative advantage among all seven segments. In interviews with CISOs and CIOs, services such as penetration testing and network security architecture are regularly identified as the industry’s current ‘spikes’. Australian firms have also been successful in exporting in this space: Mailguard, for example, has developed an email and cloud security service that is now sold in 27 countries worldwide. Their solution builds on a platform of “Software as a Service” (SaaS) to create what is effectively a niche-managed service providing email filtering.

Box 3: Securing endpoints through behavioural analytics

ResponSight is an Australian data science company that uses anonymous behavioural analytics to provide an innovative approach to detecting malicious cyber actors and security breaches. 

While traditional systems actively search for threats, ResponSight’s solution focuses on monitoring endpoints in fine detail for unusual activity by gathering analytics and taking snapshots to determine the fingerprint of each endpoint. Using its cloud-based analytics engines, ResponSight consolidates and analyses millions of activities to understand what is normal online behaviour for every legitimate user. When behaviour differs, an alarm is raised indicating a user’s endpoint could have been compromised, malware is present or the device is being used by a different (authorised/unauthorised) user.

ResponSight collects numerical, mathematical and statistical data about how the endpoint is used and can be distinguished from other user and entity behavioural analytics (UEBA) technologies that mostly gather their behaviour data from log data or centralised Security Incident and Event Management (SIEM) repositories. This means that other UEBA data is rarely complete and often out of sequence. By working on the endpoint, ResponSight is as close to the actual user as possible, providing a detailed fingerprint. This technology can be integrated with other existing enterprise technologies.

ResponSight’s philosophy is simple – to deliver reliable technology and service to help customers address security risks by reducing the time it takes to detect a breach across organisations that have multiple user devices. Founded in 2015, ResponSight has plans to expand its customer base into the US later in 2017. The founder of ResponSight has over 20 years’ experience in security and sees the organisation’s growth being driven by its ability to deliver on its promises and make a difference in a complex aspect of cyber security.

Services – underlying processes

Services are the dominant product type in addressing the security need of underlying processes. Specific services delivered here include the development of cyber security strategies, risk and compliance policies, employee training, and measures to raise the general awareness of cyber security risks within organisations (see Box 4 as one example). While underlying processes in services is the smallest of the services segments in Australia and globally, it still accounts for more than 10 per cent of Australian external demand.

Box 4: Keeping cyber intruders at bay

Australian firm Airlock Digital, founded in 2013, helps keep cyber intruders out of an organisation’s network by creating so-called application whitelists. Application whitelisting involves specifying which applications (e.g. programs, software libraries, scripts and installers) are permitted and can be executed on a computer system. The goal of whitelisting is to protect computers and networks from potentially harmful applications. The Australian Signals Directorate considers the method to be one of the most effective to mitigate targeted cyber intrusions.

But what sounds simple in theory can be challenging to put into practice for small and large organisations alike. That’s where Airlock tries to make a difference. It offers application-whitelisting solutions that it says are cheaper, less complex and require fewer resources to perform successfully.

Unlike signature-based file blocking (blacklisting) such as antivirus software, Airlock’s solution proactively sets up barriers to ensure attackers cannot execute malicious and unknown code on an organisation’s networks. Each Airlock deployment results in a unique whitelist according to customer needs. Airlock then verifies, monitors and records all file executions across the organisation, permitting only authorised files to load. This makes Airlock extremely effective at preventing both opportunistic and sophisticated attacks, including ransomware and other targeted attacks, allowing the customer to react faster to cyber threats.

Airlock Digital’s solution has proven effective in many industries. Key clients include government agencies, large enterprises and small firms in Australia. More recently, Airlock has also started growing its international customer base.

The exportability of services varies considerably. Governance, risk and compliance, for example, is challenging to deliver without having a strong technical team on the ground that understands a country’s regulatory environment. In contrast, awareness, training and oversight services can be delivered remotely. Cyber security training appears particularly well suited for exporting, as it can be offered online or ‘exported’ through international student enrolments.

Education-related travel services are already Australia’s largest services export, accounting for around six per cent of our total exports in 2015. Their quality is highly regarded abroad, particularly in the Asia-Pacific region. As continued strong global growth in cyber security creates demand for skilled professionals (see the next chapter for details on skills shortages), our experience in export of education means that Australia’s universities and vocational training institutions are well positioned to exploit this opportunity. Several universities and training institutions are already active in this segment, and report a high number of international students in cyber security programs, especially in Masters study programs. However, the total number of international students in Australian cyber security courses—estimated to be around 200—is still very low.

Similarly, Australia already has a strong ecosystem of local firms offering cyber security governance, risk and compliance services. While most have not yet attempted to export these services, some are currently exploring more scalable service delivery models that may enable exportability. Cyber security company Hivint, for example, has established an innovative service platform Security Colony.

*******

These three segments will be the initial focus of efforts to develop a globally competitive Australian cyber security industry. However, many of the strategies and actions proposed to be undertaken by ACSGN and others in support of these segments will also benefit the wider industry. The set of focus segments will also be regularly reviewed by ACSGN to respond to changes in the industry structure and technology trends that have not been anticipated.

2.6 Playing to our industry strengths

Australia’s most promising opportunities in cyber security, while driven primarily by the attractiveness and feasibility of the different product types and security needs, should also consider opportunities emerging from the varying needs of different industries that use cyber security. While all industries have the same basic security needs, the specific cyber security threats that they face—for example, protecting large quantities of confidential user data or hardening the resilience of operational technology—inform the specific mix of products and services that they require.

Therefore, there are potential sources of comparative advantage for Australian firms in the industry composition of our cyber security demand, the industry mix of the broader economy, and in our export performance. Two examples of such industry strengths are financial services and resources.

Financial services

Australian financial services firms are the largest users of cyber security products and services in the country. They account for almost one-third of the nationwide security demand, which means they are a much more relevant customer group for cyber security providers in Australia than financial services firms are elsewhere in the world, as illustrated in Exhibit 13. Financial services organisations face some of the most challenging threats to their cyber security, as the convenience of modern consumer banking—featuring ATMs, point-of-sale systems and mobile banking—has vastly increased the number of endpoints that need to be protected. Banks are also responsible for some of the most sensitive consumer and corporate data, and risk serious reputational damage in case of a breach.

Cyber security firms could harness Australia’s strength as a regional banking and finance hub by tailoring their products and services to the specific security needs of financial services firms. This would allow them to quickly build scale and reach international markets. Interviews with successful Australian cyber security firms indicate that a number have pursued this strategy effectively. The fintech incubator Stone & Chalk has also recently partnered with Data61 and industry to host a series of events on the opportunity for Australia to lead in cyber security for fintech, and is planning to launch a Fintech Cyber Innovation Lab.

Exhibit 13:

Resources

Resources have been a major engine of the Australian economy, especially in the last decade. Natural resource rents were almost five per cent of Australia’s GDP in 2015, while globally they accounted for just 1.7 per cent. Resources also dominate our exports to the rest of the world: even at the end of the mining boom, in 2015, commodities made up six of the ten most valuable Australian goods or services exports. Being a resources powerhouse has allowed Australia to produce some of the world’s largest mining companies and to develop world-leading mining technology.

The convergence of operational technology and IT creates new security issues for the mining industry—and provides a significant business opportunity for Australian cyber security providers in the focus segments. Exhibit 13 shows that the cyber security demand from resources firms in Australia (measured as spending relative to GDP) is currently lower than the cyber security investments of resources firms globally. However, this could change quickly, as the Mining Equipment, Technology and Services sector in Australia remains strong and is still home to several major global resources players. Improvements in software will be particularly valuable for resources organisations who need to manage the risks from the integration of their operational technology into the broader network infrastructure.

2.7 The size of the prize: benefits for Australia

The potential benefits to Australia from developing a globally competitive cyber security industry are substantial, even when compared to the existing strong forecast growth in the industry over the next decade.

Exhibit 14:

Those ‘business-as-usual’ forecasts imply that industry revenue will more than double in the period 2016-26 from A$2.2 billion to A$4.7 billion, as shown in Exhibit 14. If Australia undertakes concerted actions focused on supporting the growth of three initial focus segments, it is estimated that industry revenue in 2026 could increase to A$6.0 billion, which equates to an annual growth rate of almost 11 per cent over the decade.

This uplift in revenue would generate new jobs and a significant increase in the size of the cyber security workforce. ‘Business-as-usual-growth’ forecasts, illustrated in Exhibit 15, suggest that employment in cyber security in Australia will increase from around 19,000 to more than 26,000 by 2026. Actions to promote the development of the focus segments could add a further 5,100 jobs to the cyber security workforce, Exhibit 15 shows. Given estimates of natural retirement and net loss to overseas jobs, this implies that Australia will need more than 16,000 additional workers to enable the industry to meet its growth potential.

There will also be significant spillover benefits to the wider economy. Having a stronger cyber security industry will enhance Australia’s global reputation as a trusted and secure business environment. This could increase demand for other Australian goods and services exports. A growing local market for security solutions will also lower the cost related to data breaches and malicious cyber activity for Australian organisations.

Exhibit 15:

These benefits will complement positive outcomes from measures already announced in Australia’s Cyber Security Strategy. For example, the Australian Government said in the Strategy that it will sponsor research to better understand the cost of malicious cyber activity to the Australian economy. This research will also help identify the specific financial gains that come with a more effective domestic cyber security industry.