SCP - Chapter 1 - The global outlook for cyber security

Key points in this chapter

  • Cyber security spending is soaring and set to increase by 88 per cent to US$248 billion by 2026
  • Indo-Pacific countries are rapidly emerging as significant buyers of cyber security solutions, adding to the market opportunity for Australian providers
  • Demand drivers include expanding threat of cyber attacks, mounting exposure to cyber risk, increased risk awareness and increased regulation
  • The cyber security market is diverse and sophisticated
  • Three fundamental security needs shape demand for products and services – core systems protection (the ‘protection stack’), security operations, and underlying processes
  • Technology reshaping the industry includes convergence of information technology and operational technology, mobile internet, artificial intelligence and big data, cloud computing and the Internet of Things
Disruptive technological trends will continue to evolve and, as a result, generate demand for new cyber security solutions

1.1 Overview

The world is abuzz with new connections. Cars, fridges, houses, factories – the list of things that can be controlled and monitored remotely grows daily. At the same time, more and more people around the globe have access to these new technologies and depend on them in their daily life. But the mass of interconnected things, referred to as the Internet of Things (or Internet or Everything), and technological innovation comes with a risk: it increases the number of potential targets for malicious cyber activity.

Malicious cyber activity is a growing challenge for organisations worldwide. It ranges from straightforward online fraud – such as scams using email, websites or chat rooms – to sophisticated cyber espionage and calculated cybercrime, used to steal secrets and other information stored digitally on systems and networks. Malicious cyber activities have the potential to seriously harm not just an organisation’s business and reputation, but also to compromise a nation’s security, stability and prosperity. The number of incidents has spiked in recent years, as perpetrators aggressively exploit flaws in digital infrastructure. This has catapulted cyber security to front-of-mind for business leaders, regulators and politicians who are anxious to shore up defences and improve resilience.

Cyber adversaries are constantly devising new ways to exploit vulnerable systems and networks. This is forcing organisations – from banks to energy companies, and from government agencies to charities – to strengthen their cyber defences. The growing security needs of organisations are expected to underpin the rapid evolution of the global cyber security sector, which provides a substantial opportunity for cyber security businesses in Australia.

Over the next decade, the industry will become more diverse and sophisticated, as businesses continue to refine their product offerings to meet their customers’ varying cyber security needs. However, the outlook for security needs and the main product types (hardware, software and services) is not uniform. It is driven by differences in current size, projected demand, export potential and ability to create more jobs.

The Internet of Things, Cloud Computing and the convergence of IT and operational technology (OT), are some of the current important disruptive technological trends that will contribute to the future demand of cyber security solutions. They will increase demand for all forms of cyber security, particularly software. These disruptive technological trends will continue to evolve and, as a result, generate new demand for new cyber security solutions.

1.2 Cyber security spending is growing fast

Demand outlook

Spending on cyber security worldwide is expected to soar over the next decade. The global cyber security market is currently worth around US$131 billion and is set to increase by 88 per cent to US$248 billion by 2026, as shown in Figure 2. Roughly three‑quarters of the global expenditure on cyber security comes from cyber security ‘users’ (organisations and individuals seeking to defend themselves against malicious cyber activity) purchasing the products and services of external cyber security ‘providers’ (both specialist cyber security companies and IT or telecommunications companies with cyber security offerings). The remaining quarter of spending covers all internal expenditure on cyber security, mainly the cost of employing in-house teams with specialist cyber security skills.1

The global cyber security market is currently worth around US$131 billion and is set to increase by 88 per cent by 2026

Analysis based on available market data and expert interviews suggests this trend will accelerate in the future. While money spent on in-house or internal cyber security functions is expected to grow by around 5.4 per cent each year to 2026, global spending on external cyber security products and services is set to increase by nearly 8 per cent annually over the same period.

The global cyber security market is currently worth around US$131 billion and is set to increase by 88 per cent by 2026

Figure 2 – Global cyber security spend

Figure 2

The demand outlook for Australia’s neighbours is particularly strong (see Figure 3). Cyber security spending in the Indo-Pacific region, which includes Asia-Pacific nations as well as China and India, is expected to increase faster than the global average, with an additional $31 billion in spend by 2026. This means Indo-Pacific countries are rapidly emerging as significant buyers of cyber security solutions, set to account for roughly one-quarter of global cyber security spending in 2026. The fast-rising demand from countries in Australia’s vicinity adds to the market opportunity for Australian cyber security providers.

Indo-Pacific countries are rapidly emerging as significant buyers of cyber security solutions, adding to the market opportunity for Australian providersan providers

Figure 3 – Indo-Pacific (Asia-Pacific including China and India) cyber security spend

Figure 11

Demand drivers

Several trends support the growth outlook for cyber security spending:

  • Expanding threat of cyber attacks – Malicious cyber activity is on the rise, as criminals use ever-more sophisticated strategies to infiltrate systems and networks. For example, an average client of the technology company IBM Corporation experienced 178 security incidents in 2015, an increase of 64 per cent on the previous year.2Software provider Symantec Corporation discovered more than 430 million new unique pieces of malware in 2015, up 36 per cent from the year before. The frequency of so-called mega breaches, defined as the loss or theft of more than 10 million personal data records at once, has soared to record highs globally.3 But official numbers are likely only the tip of the iceberg, as more and more companies choose not to reveal the full extent of the data breaches they experience. Symantec estimates the true number of lost records was closer to half a billion in 2015. Cyber threats have increased markedly in Australia too. During 2016–17, malicious emails alone caused businesses in Australia to report losses of more than A$20 million, an increase of over 230 per cent from the A$8.6 million reported the previous financial year.4 Again, this figure likely represents only a small percentage of total malicious cyber activity, due to both misreporting and underreporting.
  • Mounting exposure to cyber risk – The rapid expansion of internet-enabled economic activity and the number of connected devices and systems increase the likelihood of widespread malicious cyber activity. People in far corners of the globe are gaining online access, as the world becomes more digitised and interconnected. This is partly due to smartphone penetration, which has risen markedly in many countries. Everyday items such as watches, fridges and cars are now internet connected, as are important customer databases, power plants and government payment systems. This increases the volume and quality of information shared electronically, and widens the range of potential targets for perpetrators.
  • Growing risk awareness – Recent high-profile cases of malicious cyber activity and media coverage of data breaches have made companies and other organisations increasingly aware of the risks cyber adversaries pose to their businesses. Latest Telstra research shows that 40 per cent of organisations surveyed globally, including 36 per cent of Australian respondents, have implemented cyber-awareness programs as part of their cyber preparation strategy.5 As of February 2018, many businesses in Australia are now required to notify victims and the Privacy Commissioner of data breaches, which will drive further awareness and accountability. The growing awareness is increasingly driving companies to adopt frameworks including security audits, risk assessments, compliance tools and continuous end‑user training.
  • Increasing regulation of cyber risk – Governments worldwide are increasingly concerned that cyber attacks could hit crucial economic sectors. Many are issuing new laws to ensure organisations bolster their cyber security controls. The expected growth in cyber-related regulation is likely to prompt organisations to increase their security spending. For example, increasing regulatory oversight has already forced banks and insurance companies to be more acutely aware of malicious cyber activity threatening their operations. The new data breach notification laws in Australia now require all businesses with an annual turnover of $3 million or more to publicly disclose any case where they believe personal data was compromised, or risk hefty fines. Similar laws have been in place in the US for years. In the EU, new data protection regulation, including privacy provisions, came into force in May 2018. Such mandatory standards will almost certainly lead to higher demand for new cyber security products and services – a recent survey shows that almost half of all Australian small and medium-sized businesses with an annual turnover of over $3 million do not consider themselves prepared for the new disclosure laws.6

1.3 The cyber security market is diverse and sophisticated

Cyber security is no longer just firewalls and off-the-shelf virus software. In recent years, it has evolved significantly to encompass a sophisticated range of products and services, as well as activities within organisations to build and operate their cyber security system.7 Cyber security today is best defined and understood as the collection of tools, technologies, processes and practices that can be used to protect networks, computers and data from unauthorised access or attack. This broad definition, based on the definition used by the International Telecommunications Union, captures the multidisciplinary nature of cyber security practice today.8

Cyber security is no longer just firewalls and off‑the-shelf virus software

Three fundamental security needs shape demand for cyber security products and services: the ‘protection stack’; security operations; and underlying processes. Matching the different security needs and product types, as shown in Figure 4, provides a helpful structure for understanding the diversity of the global cyber security sector.

Figure 4 – Examples of product security needs

Figure 12

Security needs

Three security needs drive demand for cyber security products and services:

  • Building a ‘protection stack’ – This is the basic infrastructure that protects an organisation’s IT networks and computer systems. It includes basic hardware, such as firewalls, routers and sandboxes, and a range of software tools including intrusion prevention systems (IPS). Organisations also need to protect software applications and systems that perform critical network tasks, and they need to ensure the endpoints of their network (such as user devices) are properly managed and secured.
  • Maintaining operational security – Once they have established a basic security infrastructure, organisations need to monitor and maintain their safety networks and systems. Some maintenance tasks are fundamental and ongoing, for example the security assessment and associated analytics to identify risks and detect attacks on their networks. Organisations also need to maintain their identification and access management systems to ensure only authorised staff enter their networks. When cyber security incidents do occur, organisations must have the capability to respond to the incident, fix weaknesses and restore their systems.
  • Strengthening underlying structures – To successfully fend off cyber adversaries, an organisation must create a strong culture of risk awareness. This includes clear rules for compliance, governance and risk management and ensuring all staff are well-trained and conscious of common cyber security threats.

Security needs of vary depending on an organisation’s size and the sector it operates in. Security needs also evolve over time depending on the maturity of an organisation’s cyber security strategies, changes in technology and the shifting nature of cyber threats. Most organisations meet these needs through a combination of internal capabilities and external cyber security providers.

Product types

An organisation can meet its cyber security needs through a combination of hardware, software and services. All three product types are embedded in distinct markets that vary in size and growth rate, exportability, potential for job creation and job quality (wage level and security of jobs). Technological trends also affect these three product types differently.

Dividing the cyber security sector into these three basic product types remains meaningful and useful for this analysis, even with some areas of overlap between product types. For example, software is increasingly delivered as a service rather than a standalone product, and hardware devices are often combined with proprietary software.

Hardware ware

Hardware manufacturers build the physical devices, such as firewalls and encrypted USB flash drives, that help protect IT networks against malicious cyber activity.

  • Size – Hardware forms the smallest product type of the cyber security sector, accounting for roughly 10 per cent or US$9.5 billion, of external cyber security spending globally in 2017. It is most heavily concentrated in the protection stack, with the bulk of revenue generated by providing clients with core system protection and management. Outside the protection stack, spending on hardware is very limited (see Figure 5).
  • Growth – While the global demand for cyber security is projected to increase significantly over the next decade, hardware producers will receive a relatively small share of the sector’s growth. The external global spending on physical IT protection equipment is estimated to increase by US$6.2 billion by 2026, equivalent to an average growth rate of 6.5 per cent per year. This represents only a fraction of the projected total industry external demand growth of more than US$103 billion over the same period.
  • Exportability – Cyber security hardware manufacturers have ample scope to export their products and compete in a global marketplace with relatively few barriers. The Wassenaar Arrangement may limit exports of some cyber security hardware products with potential use in defence. The Wassenaar Arrangement is a multilateral export control regime covering 41 states including Australia.9 It promotes transparency and information exchange to ensure the transfer of certain goods and technologies, particularly those with dual-use, does not enhance military capabilities that would undermine international and regional security and stability.
  • Job creation and quality – Hardware production supports an average of 4.6 full-time jobs per US$1 million of annual revenue generated, a labour intensity that ranks between software and services (see Figure 6). The quality of jobs in hardware varies widely from design (with high-skilled, high-wage jobs that are unlikely to be automated) to manufacturing (with lower skills required and higher susceptibility to automation).

Software

Software companies within the cyber security sector create the applications that help organisations defend their computer systems and IT networks against intrusion and unauthorised use. Typical examples are applications for secure messaging, anti-malware, anti-spyware, identity management and network access control.

  • Size – Software represents the cyber security sector’s second-biggest product type. In 2017, it accounted for more than US$30 billion of the world’s total external cyber security spending, or 30 per cent of the sector’s revenue, as shown in Figure 5. The use of software is currently concentrated around the protection stack, providing application protection, protection of endpoints and data at rest, and offering programs for the core system protection and management. It is also used in operational security, particularly for identity and access management.
  • Growth – The growth outlook for cyber security software is strong. In the eight years to 2026, external demand for cyber security software is expected to increase at an average annual rate of 6.5 per cent. This demand growth is forecast to be strongest in security operations, as users seek more effective solutions for security assessment and analytics, and identity and access management. Application protection, currently the largest security need in software, is expected to remain an area of focus.
  • Exportability – The market for cyber security software is strongly globalised, with relatively few barriers to trade. This has led to a concentration of market share in a small number of countries: companies domiciled in the US control 61 per cent of the global market, while Israeli companies dominate around 18 per cent.10 However, country-specific rules protecting intellectual property could act as a barrier to export software.
  • Job creation and quality – Figure 6 shows cyber security software tends to be less labour intensive than cyber security hardware or services, supporting an average of 4.0 full-time jobs per US$1 million of annual revenue. Cyber security software jobs are typically of very high quality and hard to automate, requiring high-skilled and well-paid staff.

Figure 5 – Breakdown of global cyber security spend

Figure 5

Figure 6 – Job intensity

Figure 6

Services

Cyber security service providers meet a broad range of security needs for organisations. For example, they may help manage an organisation’s core computer system defences, assess network vulnerabilities or provide a security strategy plan. Some act as ‘first responders’ when an organisation has a security incident, while others offer specialised advice on risk and compliance issues.

  • Size – Services form the largest product type in the cyber security market, generating around 60 per cent, or US$59.2 billion, of the sector’s global external revenue, as shown in Figure 5. Demand is highest in security operations, and specifically in security management, assessment and analytics (a sub-segment of security operations). This includes, for example, setting up real-time monitoring systems for servers, endpoints and network traffic to rapidly detect any potential malware or data loss. Companies in the security operations segment attract almost 45 per cent, or US$26.6 billion, of the entire global spending on external cyber security services.
  • Growth – Services enjoy the strongest growth outlook within the global industry. Over the next decade, the global spending on external cyber security services is expected to increase by 8.7 per cent per year. Growth is expected to be strongest for security operations, with an additional US$37.5 billion in demand forecast over the period to 2026.
  • Exportability – Cyber security services are exportable, but country-specific regulation and IT infrastructure can make the services trade more challenging. For example, companies that help configure and manage their client’s firewall may be limited in their reach by existing cross-border data regulations. Similarly, companies offering security management, assessment and analytics worldwide may require local offices to effectively service customers abroad. The assessment in Figure 7 shows that such factors affect exportability of incident recovery and response services the most, while application protection services and awareness, training and oversight are the least affected.
  • Job creation and quality – Figure 6 shows that, on average, services support 6.4 full-time jobs per US$1 million of annual revenue, marking the highest rate of job creation among the three product types. However, the quality of services jobs is less consistent and tends to be lower than cyber security jobs in the hardware and software segments of the industry. Services jobs in identity and access management, for example, typically require lower skills and pay lower wages than others. Automation is also more likely to impact services than other areas of cyber security, as advanced machine learning and artificial-intelligence (AI) software will continue to take over an increasing number of tasks. This trend is particularly acute in relation to monitoring threats.

Figure 7 – Assessment of the exportability of services to address different security needs

Figure 7

1.4 Technology is reshaping the industry

While technological change affects every industry, the cyber security sector is affected more than most. Several major trends are likely to unfold in coming years, which will shape the structure of cyber security markets. For some organisations, many of the looming technological changes will be disruptive. For others, they could work as a tailwind.

Analysis suggests that software companies generally appear best positioned to benefit from the following five major technological trends:

  • Convergence of information technology and operational technology – Historically, technologies used to control production plants and machines (operational technology, or OT) have differed from computer hardware and software technologies used to manage the an organisation’s general data flow. Over the last few years, however, operational technologies, such as sensors to monitor the temperature or water pressure during production, have become increasingly computerised. More and more companies are now equipping their machine-monitoring devices with IT-like features to integrate computer systems, save cost and speed up production. This convergence of OT and IT leads to increasingly complex networks, with multiplying endpoints and data types requiring more sophisticated cyber defences. The vulnerability of these merged systems generates fresh demand for most security product types.
  • Mobile internet – The number of people who own a smartphone and use the internet continues to climb. A survey by US research organisation Pew Research Center found that, across 11 industrialized countries, a median of 68 per cent of adults owned a smartphone in 2015, with even higher rates of smartphone ownership in Australia (77 per cent) and South Korea (88 per cent).11 Smartphones are also on the rise in emerging and developing countries, where their penetration rate increased to 54 per cent in 2015, from 45 per cent two years earlier. Two thirds of adults worldwide use the internet, according to the research, and a growing share of them now use their mobile phones to go online. This rapid increase in smartphone usage worldwide is multiplying the number of endpoints in networks and propelling demand for cyber security products. It is especially likely to drive investment in identity and access management.
  • Artificial intelligence and big data – Rapid improvements in artificial intelligence and advanced machine learning are changing the modern workplace. Increasingly, computers are used to perform tasks that rely on complex analyses, subtle judgments, and creative problem solving – a trend coined ‘automation of knowledge work’. McKinsey estimates that today’s available technologies could automate 45 per cent of activities that people are currently paid to perform.12 In cyber security, these advances are already starting to change the way threats can be identified, by reducing reliance on human network monitoring activities. This will benefit software developers, as companies increase their demand for applications to identify, analyse and manage cyber security threats. In the medium to long-term, service providers will be disadvantaged. However, the transition to greater automation will likely increase the demand for services in the short-term as cyber service providers support their customers to transition to more automated security systems.
  • Cloud computing – The evolution of cloud computing technologies is becoming a major driver of business efficiency. The ability to store huge amounts of data and bundle an array of IT solutions in one location is a powerful tool for companies to save costs and simplify their IT infrastructure. Increased use of cloud technology has moved the potential area of malicious cyber activity from the corporate network to cloud computers managed by third parties. This is prompting companies to think differently about how to secure their operations. Several cloud computing providers are already offering network protection products and services through the cloud itself. This reduces the need for companies to purchase their own cyber security infrastructure, dampening the outlook for hardware producers but generating more demand for security operations to manage and monitor access to the cloud.
  • Internet of Things – The world of consumer products is turning into a network of interconnected things. Cars, buildings, fridges and countless other everyday devices are increasingly equipped with sensors, voice-control systems, internet access and data-processing features. Today, a smartphone can communicate with wearable devices to monitor a person’s health, while smart cars can sync with a user’s calendar to monitor petrol needs or plan routes. The growing number of interconnected devices, and the expansion in data types and volume, will increase the risks of malicious cyber activity. In turn this will generate new opportunities for providers of cyber security solutions. Software developers will particularly benefit, as new types of endpoints need to be secured.

The rapid increase in smartphone usage worldwide is multiplying the number of endpoints in networks and propelling demand for cyber security products

Figure 8 summarises how these five major technological trends may impact the cyber security sector and its products.

Several other important technologies could also have profound implications for the structure of the cyber security sector. Two that are currently attracting attention are blockchain and quantum computing.

Quantum computing is considered a breakthrough technology still in development but that would spark a major upheaval in the current cyber security sector if it becomes a reality. Australian researchers are among the leaders in a global race to develop quantum computers, and home-grown startups like QuintessenceLabs are at the forefront of offering new quantum‑safe encryption technologies (see Box 13).

Similarly, the disruptive power of blockchain technologies (digital ledgers of bitcoin or other cryptocurrency transactions) may bode well for Australia’s well-established financial services industry.

It is difficult to predict how these trends will end up impacting different segments of the cyber security sector, but the potential for Australia to seize a competitive edge in both blockchain technologies and quantum computing is significant.

Any analysis of potentially disruptive technological trends needs to factor in a high degree of uncertainty, but this uncertainty is particularly stark in cyber security. Unlike other industries in the broader ICT sector, cyber security evolves around the existence of an adversary: it has to constantly respond to highly unpredictable, destructive activities. Despite best predictions and preparations, it is not possible to know exactly where future attacks will come from and how the sector will reshape in response.

Figure 8 – Potential impact of technological trends on the cyber security sector

Figure 8

Box 1

British tech companies chose Sydney as regional hub for cyberecurity and data analytics

Australia's proximity to Asian markets has become a magnet for British technology companies, particularly those operating in the cyber security and data analytics market. In 2017, five UK companies in the information and telecommunications (ICT) sector opened new regional headquarters in Australia. Together they are investing more than A$130 million and creating hundreds of new jobs, according to Austrade.13 Other companies are substantially expanding existing operations to tap into the growing cyber security demand in Australia and the Indo-Pacific.

'For many, their reasons for doing so were a combination of demand and interest from the Australian market, a strategic base for servicing clients in the Asia Pacific region, and being able to provide 24-hour support for global operations in Europe and North America,' said Andy Thompson, Austrade's senior investment manager for the UK and Ireland.

BT Group is one of those companies. The British telecom provider recently opened a new cyber security research and development hub in Sydney, its first outside the UK, to provide more targeted security solutions to business and government clients in 180 countries worldwide.

'Never before has cyber security been more important and we see potential for growth not only in New South Wales and [across] Australia, but further afield,' said BT Group's Security CEO Mark Hughes. 'This facility will be a cornerstone of our global cyber security capabilities and help us stay ahead in this fast-moving space.'

As part of the expansion, BT plans to hire 172 new employees, including 38 graduates, over the next five years. Most of the newly created jobs require highly qualified professionals with skills in cyber security, machine learning, data science analytics and visualisation, big data engineering, cloud computing, data networking, and software engineering.

The New South Wales Government is supporting the new BT research and development hub with A$1.6 million, adding to BT's own A$2 million capital infrastructure investment. The hope is that the centre will attract and retain IT talent in the state.14

'This operation will help keep Australia's best cybersecurity talent here in New South Wales and nurture our next generation of specialists to ensure we remain a regional leader in this fast-growing industry,' said New South Wales Minister for Innovation and Better Regulation Matt Kean. 'I'm confident job opportunities offered by BT will also act as an incentive for Australian citizens currently working overseas to come back home and bring their highly valuable skills with them.'

  1. Internal expenditure on cyber security is more difficult to measure than external spending, as enterprises are often wary of disclosing their investment in internal cyber capabilities due to security concerns. While this plan focuses primarily on external spending, it proposes several actions (including skills development) that would strengthen both outsourced cyber providers and in-house cyber security teams.
  2. IBM Corp. (2016), Cyber Security Intelligence Index. Available at: http://www-03.ibm.com/security/data-breach/cyber-security-index.html.
  3. Symantec Corp. (2016), Internet Security Threat Report. Available at: https://www.symantec.com/security-center/threat-report.
  4. Australian Cyber Security Centre (2017), Threat Report. Available at: https://www.acsc.gov.au/publications/ACSC_Threat_Report_2017.pdf.
  5. Telstra (2018), Telstra Security Report. Available at: https://insight.telstra.com.au/content/dam/insight/pdfs/Telstra_Security_Report_2018_PDF_FINAL.PDF.
  6. HP (2018), HP Australia IT Security Study. Available at: https://www.data3.com/wp-content/uploads/2018/02/Fact-Sheet-HP-Australia-IT-Security.pdf.
  7. This Sector Competitiveness Plan mainly focuses on the delivery of cyber security products and services to organisations. While individuals do purchase cyber security products, they account for less than 6 per cent of global demand. Gartner (2016), Information Security, Worldwide, 2014–2020, 3Q16 Update.
  8. International Telecommunications Union (2018), ‘Definition of cybersecurity’. Available at: https://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx.
  9. Full title: Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies.
  10. International Data Corporation (2016), Worldwide Security Spending Guide 1H 2016 Update.
  11. Pew Research Center (2016), Global Technology Report, Available at: http://www.pewglobal.org/2016/02/22/smartphone-ownership-and-internet-usage-continues-to-climb-in-emerging-economies.
  12. McKinsey Quarterly (July 2016). Available at: http://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/where-machines-could-replace-humans-and-where-they-cant-yet.
  13. Austrade (2017), ‘UK ICT investment into Australia: 2017 highlights’. Available at: https://www.austrade.gov.au/international/invest/investor-updates/2017/uk-ict-investment-into-australia-2017-highlights.
  14. NSW Department of Industry (2017), ‘Sydney snares global cyber security facility’. Available at: https://www.industry.nsw.gov.au/media/media-releases/2017-media-releases/2017-media-releases/sydney-snares-global-cyber-security-facility.