SCP - Chapter 1 - The Australian cyber security sector today

Australia's cyber security sector has rapidly grown in response to strong demand for its critical services

Australia's cyber security sector has come a long way in a short time

Using data from AustCyber's Digital Census 2020, this chapter paints the most comprehensive picture yet of Australia's cyber security sector. Demand is growing, with Australians spending approximately $5.6 billion on cyber security in 2020 - from both local and international providers - a figure that is expected to increase to $7.6 billion by 2024. The local sector's revenue has grown by $800 million since 2017, to reach an estimated $3.6 billion this year. SMEs generate about a quarter of the cyber sector's revenue in Australia, with the rest directed to diversified professional services providers, technology integrators, mid-tier providers and defence contractors. Gross value added (GVA) of the Australian sector has been estimated for the first time in this report at $2.3 billion.

The sector is made up of young cyber security providers, and a workforce that's steadily growing

There are more Australian cyber security providers and workers than ever before. In 2020, approximately 350 providers make up the domestic sector. Among this group of young companies - the average age is 8.5 years and more than 40 per cent were founded in the past five years - there are success stories of companies that have flourished, becoming internationally recognised names.

The workforce has grown by 4,000 since 2016, reaching approximately 26,500 people who work for providers or staff internal security teams as businesses and government improve their cyber capabilities.

A closer look at the sector reveals that it is characterised by new, innovative SMEs, with more than 88 per cent of providers having fewer than 100 employees. SMEs and larger providers specialising in systems security account for the biggest portion of Australia's cyber security market. Many of their customers are government or defence organisations.

States and territories are developing their own communities to foster innovation

The sector is building its network across Australia, with clusters of innovation developing in major cities. AustCyber's National Network of Nodes will accelerate cyber capability development and innovation. Having a presence in states and territories will help to sharpen customer awareness of domestic cyber security capability and attract top talent.

Initially, the impact of COVID-19 appears to have hit micro and small providers hardest, while medium-sized companies have recorded an uptick in demand as customers adapt to digital modes of working and develop go-to-market strategies. Despite the short-term disruption to some service delivery, the pandemic is likely to accelerate the long-term transformation of the economy through technology and increased demand for cyber security.

Australia spent approximately $5.6 billion on cyber security in 2020, with demand expected to reach $7.6 billion by 2024

Demand for cyber security is rapidly growing, with spending increasing by nine per cent each year over the past four years.

There are several core drivers of demand. First, digitisation exposes businesses to more threats. Second, the overall threat environment is increasing, with several high-profile attacks - such as against NSW Government agencies, Toll Group and PayID - over the past year. Third, governments and regulators are requiring stronger security for critical infrastructure and systems of national significance.

Analysis based on available market data and expert interviews suggests that Australian demand will continue to grow by eight per cent per year, reaching as high as $7.6 billion by 2024. This is a slight reduction on previous growth of nine per cent, reflecting some slowness in the market as a result of the economic conditions caused by the COVID-19 pandemic. But the growth rate is still robust, considering the broader economic recession. The impact of COVID-19 is further explored on page 24. Globally, it is expected that spending on cyber security will reach US$207 billion by 2024.¹

Growth in spending is reflected in the local sector's revenue, which has risen by $800 million since 2017

Australian cyber security revenue has grown substantially over the past four years. Between 2017 and 2020, sector revenue grew by $800 million - from $2.8 billion to $3.6 billion.

These gains have been made very quickly. Sector revenue grew by an average of eight per cent each year between 2017 and 2020. By contrast, the information, media and telecommunications (IMT) sector's revenue grew by just three per cent each year over the same period.² Australia's cyber sector revenue growth is increasing at a similar pace to overall spending on cyber security, indicating that the share of imports in the Australian market is relatively stable.

As the cyber threat landscape continues to evolve, sector revenue is forecast to continue to grow at about nine per cent each year over the next four years. The sector could reach $5 billion in revenue by 2024, which is nearly double its 2017 level.

Note: Australia's cyber security sector includes all cyber security activity that occurs in Australia, where the economic value is added in Australia, including by foreign-owned entities. IMT's growth rate for 2020 was estimated using historical data.

SME providers received about a quarter of sector revenue in Australia

Australian cyber security providers are generating $3 billion in revenue from the domestic market and $600 million from international markets, totalling $3.6 billion.³ Based on expert interviews, the Australian cyber security sector is segmented into five key groups:

• SMEs: startups and smaller providers. SMEs received approximately $800 million in revenue, which is around one-quarter of the sector's total revenue.
• Major consultancies: cyber security practices at major consulting firms. They are estimated to earn approximately $500 million in revenue.
• Technology integrators: large international diversified technology businesses that integrate systems and security. Integrators are capturing the largest share of the market, valued at an estimated $1.5 billion.⁴
• Mid-tier firms: scaled pure-play providers such as CyberCX, Tesserent and Trustwave. They account for an estimated $500 million of revenue.⁵
• Defence-related firms: providers focused on defence and national security, such as the so-called Defence Primes.⁶

The cyber security workforce has grown by 4,000 over the past three years

The substantial growth in cyber security spending in Australia has led to the workforce expanding by about 4,000 since 2017. A total of about 26,500 people work in the Australian cyber security sector today.

This estimate includes both employees in the cyber security sector and those in related roles, such as members of in-house cyber security teams and Chief Information Security Officers in other sectors.

Growth in jobs in cyber security has far outpaced the national average. Between 2017 and 2020, employment in the sector grew by six per cent each year, while the nation's overall workforce expanded by just two per cent each year.⁷

In absolute terms, the total number of direct jobs in the sector is comparatively small compared to other, more established industries. However, cyber security underpins the digitisation and growth of the entire economy, meaning it has a much greater impact on Australia's overall employment through indirect jobs.

Strong job creation in cyber security is likely to continue, with 7,000 more jobs expected to be added to Australia's economy by 2024.

A number of government and industry programs, such as the Australian Signals Directorate's CyberEXP Program and the Australian Defence Force's Cyber Gap Program, are focused on developing Australia's workforce to meet this growing demand. Further programs will be added into the economy in the next year as a result of the Australian Government's Cyber Security Strategy 2020 and initiatives of state and territory governments.

For the first time, the gross value added of Australia's cyber security sector can be estimated, at $2.3 billion

GVA (gross value added) is a measure of economic activity and can be used to estimate the contribution of the cyber security sector.

AustCyber's Digital Census enables the calculation of GVA for the sector for the first time. GVA is the sum of the profits and wages from economic activity in the sector. In 2020, the former is estimated at $900 million (25 per cent of revenue) and the latter at $1.4 billion, resulting in GVA of $2.3 billion. The sector's GVA is already comparable to other digital sectors such as computer software ($4.2 billion) and retail e-commerce ($3.2 billion).⁸

While GVA estimates the direct contribution of cyber security to the economy, it does not account for its role in enabling economic activity in other sectors. For example, the GVA of sectors such as banking and telecommunications would not be possible without robust cyber security. As our corporations, educational institutions and essential services become increasingly digitised, their success and impact largely rely on having trusted infrastructure and data.⁹ The sector's role in a rapidly digitising economy is further explored in Chapter 2.

Note: This is an experimental first pass calculation of GVA for Australia's cyber sector using Digital Census data, as well as ABS and publicly available data. As more robust data on the cyber sector becomes available, this measurement can be further refined. Retail e-commerce is estimated using Australian online retail sales' share of total Australian retail turnover.

Most of the businesses in Australia's cyber security sector are very young, with more than 40 per cent of providers around or under five years old, and 66 per cent less than ten years old

Despite this, a number of younger Australian cyber security firms have found early success in both Australia and abroad. One example is ASX-listed Tesserent, which was founded in 2016 and specialises in managed security and security consulting. Over the past two years, it has acquired smaller cyber security providers such as Rivium, Pure Security and Seer Security, further adding to its suite of capabilities.

The average age of Australian cyber security providers is 8.5 years, and only nine per cent in the sector have been operating for more than 20 years.¹⁰ Of the firms that are older than 20 years, only 23 per cent are dedicated cyber security providers.¹¹ The majority of these are services or IT businesses that offer cyber security as one part of their business.

The sector's youth opens up many new opportunities for the Australian economy, but it also presents some challenges, as explained in chapters 2 and 3.

Reflecting its youth, the sector is dominated by SMEs, with over 88 per cent of providers having fewer than 100 employees

Characteristic of its youth, the cyber security sector is dominated by SMEs, which make up around 66 per cent of providers. One-quarter of the businesses in the sector are micro providers (zero to four employees).

This is expected to change as the sector matures. Of the providers surveyed, 40 per cent report that they plan to expand their workforce over the next 12 months.¹² It is important to remember that this forecast comes at a time of uncertainty due to COVID-19.

Of the providers with 200 or more employees, only 13 per cent identify as dedicated cyber security companies.¹³

The rest of the large cyber security providers are professional services firms such as Deloitte and KPMG; international technology integrators such as Microsoft and IBM; and international defence specialists such as Lockheed Martin and BAE Systems. These larger providers offer cyber security as one part of their overall business, with expert interviews suggesting that cyber contributes five per cent for professional services providers.

Note: Australia's cyber security sector includes all cyber security activity that occurs in Australia, where the economic value is added in Australia, including by foreign-owned entities.

Providers specialising in systems security capture the largest portion of Australia's cyber security market

Market spend on cyber security can be broken down by product segment. The largest product segment in Australia's cyber security market is 'Systems security' ($1.5 billion), followed by 'Software and platform security' ($1.3 billion). The 'human, organisational and regulatory' segment has the most providers, with 49 per cent accounting for a key offering. The segment with the fewest providers is 'Infrastructure security', although spending is still $1.1 billion, reflecting how this type of service is geared towards larger cyber providers.

Cyber security, like much digital technology, has traditionally been understood in terms of hardware, software and services. But the diversity and sophistication of modern cyber security means that these categories are no longer appropriate. The Cyber Security Body of Knowledge (CyBOK) is an international collaboration headed by the University of Bristol that structures cyber security according to five main categories:

• Infrastructure security: securing computer and digital networks and related physical hardware and systems against intruders.
• Systems security: operational, network and systems security that includes the processes and decisions for handling and protecting data assets.
• Software and platform security: security that focuses on keeping software and the entire computing platform and devices resilient to cyber threats.
• Attacks and defences: a proactive and adversarial approach to protecting against cyber attacks, including performing penetration and vulnerability tests.
• Human, organisational and regulatory: tools and services to protect against intentional and unintentional user mistakes, and to ensure cyber governance and compliance.

This new framework provides a more robust foundation for researchers, policymakers and industry to study the sector. See Appendix B for detailed descriptions of each product category.

Note: Specialty is defined as the product or service that generates the largest amount of revenue for the business.

The government and defence sectors are the largest customers of cyber providers of all sizes

Analysis of revenue breakdown by industry for both SMEs and larger cyber security providers reveals that although there are minor differences in how revenue is distributed, there are distinct commonalities in how the sector generates its revenue.

For both SMEs and large providers, government (including organisations in healthcare, social care and education) and the defence sector account for approximately 30 per cent of total revenues. 'Government' is the sector's pivotal customer, with nearly 50 per cent of providers surveyed having sold cyber security products or services to the Australian Government over the previous 12 months.¹⁴ This is consistent with the rising cyber threats facing governments such as the growing sophistication of state-sponsored attacks, increasing demand for sovereign cyber capabilities and solutions.

The 'Financial and insurance services' industry is the next major source of revenue, accounting for around 20 per cent for smaller providers and a slightly higher share for larger providers. The financial services sector's appetite for cyber security is driven by the high degree of criminal attention it garners, as well as stringent regulatory and compliance obligations.

It must be noted that this analysis includes only external spending on cyber security. Expert interviews suggest that many of the large providers to the financial services and information and communications technology (ICT) industries are building substantial internal cyber capabilities, as opposed to purchasing external products or services.

Australia is home to around 350 cyber security providers, with over 80% headquartered in Victoria, New South Wales and the Australian Capital Territory

Figure 10

State-by-state snapshot of cyber security providers

Click on each state to view the details.

Note: Cyber security priority areas are the priority capability strengths that have been identified by AustCyber and each state’s Cyber Security Innovation Node. Victoria are in the process of establishing a Node, as well as cyber priority areas. The number of headquarters in each state includes dedicated providers, as well as diversified providers – such as professional services firms, technology companies and defence providers – offering cyber security as part of their business. The percentage of providers that are exporting and the providers’ demographic information is calculated based on where the company is headquartered. State profiles are based on insights gleaned from AustCyber’s Digital Census 2020. No cyber security provider participating in the Census recorded themselves headquartered in Tasmania or the Northern Territory, so these two jurisdictions are not described in this section. As the cyber security sector continues to mature, we expect that Tasmania and the NT will develop their own local hubs.

Sources: AustCyber’s 2020 Digital Census, customised data from illion, AlphaBeta analysis

COVID-19 appears to have hit smaller providers hardest, with medium-sized providers reporting an uptick in demand

The COVID-19 pandemic has driven most economies around the world into recession. The International Monetary Fund expects the global economy to shrink by three per cent this year, while the Australian economy decreased by seven per cent in the second quarter of 2020.

The effects on cyber security are not straightforward. While customers will be restricted in their spending capacity, economies have accelerated their digitisation to cope with social distancing needs. Since social distancing measures came into effect, it is estimated that up to 32 per cent of Australians have been working from home.¹⁵

Trends such as widespread remote work, e-commerce and the adoption of cloud services are likely to be permanent, which will boost cyber demand in the long-term. Interviews with cyber security providers suggest that while some of their customers are withholding or delaying spending, new customers are seeking to invest in protection as they transition to new digital tools.

Like most businesses, cyber security providers are having to change how they operate - 51 per cent report this as an effect of COVID-19. Encouragingly, providers are also showing strategic flexibility in response to the global pandemic, with 46 per cent of those surveyed reporting a change in business priorities. Furthermore, only 13 per cent reported a decrease in employee numbers as a result of COVID-19, while 18 per cent reported an increase.¹⁶

1. Gartner (2020), Forecast: Information Security and Risk Management, Worldwide, 2018-2024, 2Q20 Update. Available at: https://www.gartner.com/en/documents/3988093/forecast-information-security-and-risk-management-worldw
2. Australian Bureau of Statistics (2020), Australian Industry 2018-19, Table 1, key data by industry subdivision. Available at: https://www.abs.gov.au/statistics/industry/industry-overview/australian-industry/latest-release
3. Market data from Gartner and IBISWorld, supplemented with expert interviews
4. Expert interviews and customised data from illion
5. Expert interviews and customised data from illion
6. Expert interviews and customised data from illion
7. Australian Bureau of Statistics (2020), Labour Force, Australia, Detailed Quarterly. Available at: https://www.abs.gov.au/statistics/labour/employment-and-unemployment/labour-force-australia-detailed-quarterly/latest-release
8. Australian Bureau of Statistics (2019), Measuring digital activities in the Australian economy. Available at: https://www.abs.gov.au/websitedbs/D3310114.nsf/home/ABS+Chief+Economist+-+Full+Paper+of+Measuring+Digital+Activities+in+the+Australian+Economy
9. AustCyber (2020), Australia's Digital Trust Report 2020. Available at: https://www.austcyber.com/resource/digitaltrustreport2020
10. Note: Outliers, such as professional services providers, old IT providers, defence related firms and other providers that have been around for more than 30 years were excluded
11. Dedicated cyber security providers refer to firms where 100 per cent of revenue and employment can be attributed to provision of cyber security products and services
12. AustCyber’s Digital Census 2020
13. AustCyber’s Digital Census 2020, expert interviews
14. AustCyber’s Digital Census 2020
15. Roy Morgan Research Centre
16. AustCyber’s Digital Census 2020