The cybersecurity market is growing and changing at a rapid pace, leading to major opportunities for vendors, heightened confusion for buyers and new challenges for CISOs.
Business is booming for both cybercriminals and cybersecurity tech companies. Market research firm Statista recently predicted the annual cost of cybercrime worldwide will increase 69.94% between 2023 and 2028. Tech vendors are responding in kind, and the cybersecurity market appears poised for significant growth in the near term.
Global spending on security and risk management is set to increase 14.3% in 2024, according to Gartner, more than IT spending as a whole at 8%. And Fortune Business Insights expects the cybersecurity market to reach $424.97 billion by 2030, nearly 2.5 times its 2023 valuation.
Within the growing cybersecurity market, experts said they see the following key trends unfolding:
New single-purpose point products continue to emerge.
Managed cybersecurity services continue to gain ground.
Industry analysts say all of this adds up to opportunity for vendors, confusion for buyers and evolving challenges for CISOs.
$2 trillion market opportunity for vendors
While most experts agree the cybersecurity market will continue to expand, some researchers think exponential growth -- well beyond what is usually discussed -- is possible. A recent report from McKinsey & Company suggested total market opportunity amounts to between $1.5 trillion and $2 trillion -- or around 10 times the current vended market.
McKinsey researchers based their estimations on the continuing explosion in cyberthreats, growing regulatory pressures on enterprises and the ongoing digitization of the global economy.
"Currently available commercial solutions do not fully meet customer demands in terms of automation, pricing, services and other capabilities," the researchers wrote. To capitalize on the market opportunity, they added, providers should consider the following tactics:
Prioritize cloud cybersecurity offerings, particularly for hybrid and multi-cloud environments in highly regulated industries.
Create pricing options appropriate for SMBs and midmarket organizations, which the cybersecurity market currently neglects in favor of large enterprises.
Invest in automation, AI and machine learning innovation.
Offer bundled managed services that focus on security outcomes, rather than technologies.
The cybersecurity market is unlikely to attain trillion-dollar status in the near future, the McKinsey researchers emphasized. But, they added, vendors and service providers should recognize massive untapped opportunity exists.
3 cybersecurity market trends and what they mean for CISOs
In the long term, technological innovation will hopefully help cybersecurity practitioners manage the ever-expanding threat landscape and keep attackers at bay.
In the short term, however, the cybersecurity market's rapid rate of change poses challenges, as well as opportunities. Consider the following key trends and their implications for security leaders.
1. New cybersecurity point tools multiply
As the number of cyberthreats continues to skyrocket, cybersecurity vendors are rolling out point technologies in equal measure. But, rather than bringing order to chaos, many experts say the proliferation of new tools muddies already-murky waters.
"You're not necessarily seeing end users grabbing every new security product that comes on the market," said Jerald Murphy, senior vice president of research and consulting at Nemertes. "People are actually more confused. They're saying, 'Wait a second. How does this fit into what I'm already doing? Show me how it gives me a distinct benefit.'"
Determine what a tool does by asking vendors for technical documentation, practical demonstrations and real-world examples.
Evaluate how a tool fits into the organization's existing portfolio to minimize overlapping functionality.
Assess how well a tool aligns with the organization's long-term cybersecurity strategies.
Seek independent evaluations and reviews.
Ask for proof-of-concept testing.
Establish total cost of ownership.
"Point solutions may be a blessing and a curse," said Steve Tcherchian, CISO at cybersecurity vendor XYPRO. On the one hand, they may be designed to address an immediate pain point and specific security concerns. On the other hand, they don't always integrate well with existing systems, creating management complexity and possible security gaps.
Ultimately, purchasing a new product should be the last resort, not the first action.
Alyssa MillerCISO, Epiq
Alyssa Miller, CISO at legal and business services provider Epiq, said cybersecurity programs need to focus more on innovating with their existing tool sets before rushing to shop every new, vendor-proclaimed product category.
"What concerns me is the level of unused capability in the solutions I already own," she said, adding that security teams often take advantage of only a fraction of their deployed tools' capabilities. "Ultimately, purchasing a new product should be the last resort, not the first action."
2. Existing cybersecurity tools converge
Even as the number of new point tools grows, vendors are bundling other, formerly standalone technologies into multifeature platforms. Counterintuitively, such consolidation activity can lead to technological sprawl, causing further buyer confusion.
Say, for example, a security program has four previously single-purpose security tools. But each tool recently added numerous new technical capabilities -- many of which now overlap. "What do I need -- is it XDR? Is it managed detection and response? Is it SIEM? Is it security orchestration, automation and response?" Murphy said. "Which four products are going to get me the 15 features I really need?"
As they weigh whether and how evolving cybersecurity market offerings fit in their portfolios, CISOs should consider the following best practices:
Start with the problem. Organizations can minimize cybersecurity tool sprawl and tech overlap and maximize ROI by looking at their portfolios holistically, Murphy advised -- focusing on the business's security gaps, rather than on a new offering's capabilities.
"Solve the problems you know exist, not the ones vendors tell you that you need to worry about," Miller added. "Look to solve those problems with the tools, processes and people you have in place already, rather than trying to plug every hole you see with a new technology."
Create a roadmap, but prepare for detours. Technological change happens incrementally at the typical organization, Murphy said, due to legacy investments and budget constraints. "You're not going to disable all your firewalls and replace them with zero-trust access control overnight," he said. Rather, CISOs should take the following steps:
Identify where the security program is today, relative to the long-term vision.
Identify short-term needs, and choose offerings that get the security program incrementally closer to the reference model.
If necessary, strategically invest in new point tools to address immediate threats as they emerge.
Murphy said he expects cybersecurity buyers will continue to grapple with confusion for the foreseeable future, as technological innovation and consolidation activity continue to drive rapid change in the market.
3. Managed cybersecurity services gain ground
Managed cybersecurity services offer an attractive, cost-effective way to improve security, even in the case of ongoing staffing shortages and security budget woes.
Research firm MarketsandMarkets predicted the global security-as-a-service market will be worth $23.8 billion by 2026, up from $12.4 billion in 2021. The researchers pointed to the following key drivers behind the managed cybersecurity services boom:
Increasing regulatory and compliance pressure.
Growing demand for cloud-based security among SMBs.
The high costs and risks associated with managing on-premises security programs.
TechTarget's Enterprise Strategy Group (ESG) has found 85% of organizations are already using managed detection and response services to augment existing staff.
A shift for CISOs?
Outsourcing services to third-party providers can help businesses implement more sophisticated and effective security controls than they could afford on their own. But, for CISOs who came of age in an era when security mostly happened on premises and in-house, managing multiple third-party security providers may prove challenging, according to some experts.
"It's a whole new skill set, coordinating all that. You're basically a job shop," said Jon Oltsik, analyst emeritus at ESG. "I'm not sure the industry is ready."
Managing internal teams and technologies remains important, added Joseph Harisson, CEO of IT Companies Network, an online directory of service providers. But CISOs also need to hone their skills in contract negotiation, service-level agreement oversight and vendor relationship management.
Murphy said the cybersecurity-as-a-service model raises questions for security leaders who are on the hook for their third-party providers' performance and outcomes.
"As a CISO, I'm responsible for security functions," Murphy said. "That may be done by employees, contractors, vendors or service providers. But, while I can delegate functionality, I can't delegate responsibility."
And, added XYPRO's Tcherchian, CISOs have less direct oversight and control over third-party providers. "In-house teams develop a stronger understanding of the company's culture, goals and processes, leading to better alignment and communication," he said.
Andy Ellis, former longtime CSO and current operating partner at YL Ventures, predicted SMBs -- many of which never had significant in-house security teams to begin with -- will increasingly outsource their security operations. But he said he doesn't believe the rise of managed services will have a dramatic impact on larger enterprises.
"I suspect the security engineering teams will pivot to supporting third-party products and services, but the operations will probably look very similar to how they look today," Ellis said.
Epiq's Miller agreed, saying she currently works with a managed security service provider that has -- rather than replacing her in-house staff -- freed them to develop specialized, sophisticated skill sets and work on high-value projects.
"Sure, there's a component of effective management of the third party, but for CISOs who have been doing a proper job in their role, that is nothing new," she said. A CISO should always be evaluating value and effectiveness of all parts of the cybersecurity program, Miller added, whether internally deployed products or outsourced services.
Alissa Irei is senior site editor of TechTarget Security.
