Security market to edge close to US$100 billion this year

Deshpande talks about the security outlook through to 2021.

Siddharth (Sid) Deshpande, Principal Analyst, Gartner, shares that the global security market was worth US$98 billion in 2017, with market growth driven by budgets shifting to detection and response. Gartner forecasts a 7.6% CAGR through to 2021, when the market will be worth US$132 billion.

Driven by security skills shortages security services comprise 63% of the total enterprise market today, with the remainder being products. Similarly, security outsourcing services will be the largest security market segment in 2021, and is expected to account for US$30 billion by then.

"Even if the technology is really great the customer might not have the people to (make use of it)," Deshpande explained.

In a separate announcement, Gartner shared that security testing, IT outsourcing and security information and event management (SIEM) will be among the fastest-growing security subsegments driving growth in the infrastructure protection and security services segments. In 2018, spending on security outsourcing services will total US$18.5 billion, an 11% increase from 2017. Gartner also forecasts that by 2020, more than 60% of organisations will invest in multiple data security tools such as data loss prevention (DLP), encryption and datacentric audit and protections tools, up from approximately 35% today.

Gartner predicts that by 2019, total enterprise spending on security outsourcing services will be 75% of the spending on security software and hardware products, up from 63% in 2016. Enterprise security budgets are also shifting towards detection and response, and this trend will drive security market growth during the next five years.

The technologies which are most likely to change the organisation in the next five years were analytics (chosen by 81% of respondents), followed by the Internet of Things (IoT) (48%) and digital security (43%). Security and risk leaders are being asked today to inform, advise and enable business-critical digital risk decisions, Deshpande said. 

Source: Gartner presentation. CIOs consider security "transformational", after advanced analytics and the IoT.

"CIOs and other C-level peers are treating security as a strategic imperative in their organisation," Deshpande said. While they are being given more budget for security implementations, they are also beholden to the board and CEO, and the CIO must know what the return on investment (ROI) is for security, he noted.

Deshpande clarified that ROI in security does not mean financial returns, but a defined level of risk to be accepted by the business. ROI should refer to security metrics that have business value and are quantifiable, he said.

"It should communicate security value in non-technical terms," Deshpande emphasised. "CISOs should reduce the amount of technical jargon and talk about it in terms of business risk. That is where the conversation starts, what is the acceptable level of risk; then how to get from there to here, what are the technologies we need, instead of starting off saying 'We need DLP'. The moment you start talking about security in a technical manner right up front, you risk losing (decision makers)."

Artificial intelligence (AI) and machine learning are up-and-coming innovations for security, but by no means a silver bullet for security, Deshpande said. "We see vendors are increasingly talking about AI and machine learning but what we actually found is that there are actually few things that are benefitting," he said, naming improved malware detection as being one aspect that has actually been helped by AI.

"A lot of buzz that is being created by AI and machine learning are distracting people from what they should actually be doing – which is doing security (right)."

Gartner forecasts that by 2020, 40% of security vendors will claim AI-driven capabilities, up from 10% today. This is still early days as only 40% of questions about security-related AI and machine learning are from end-users, reflecting an exploratory approach, he said.

Paradoxically, Gartner has found that cloud security is both the No. 1 driver and No. 1 inhibitor for public cloud adoption. While those which are reluctant to adopt cloud computing cite security as a fear, others are embracing the cloud because they cannot implement the same high levels of security as a cloud provider, Deshpande explained. "Tier 1 cloud providers have far superior security hygiene," Deshpande said. "(They're) moving to the cloud because it is more secure than what they can do themselves."

With the customer being the weakest link in cloud security - Gartner says 95% of security incidents are the customer's fault through to 2020 - cloud providers are becoming security vendors themselves, Deshpande observed. They are adding more native security features on their platforms, and where it makes sense are not shy to offer security capabilities themselves.

While native security features in the cloud platform may exist, customers still have to be able to use these features to mitigate risks effectively, he added.

Trends in the security market include:

- Regional regulations beginning to influence security spending. Gartner analysts said regulatory compliance and data privacy have been stimulating spending on security during the past three years, China's Cybersecurity Law that came into effect in June 2016 for example. Such regulations translate into increased spending, particularly in data security tools, privileged access management and SIEM.

- Buyers asking for orchestration and automation capabilities, deception as a defense mechanism, as well as proactive threat hunting and investigation

- Consolidation in the vendor landscape

- Attacks focused on business disruption rather than financial gain

Explore:

Buy the Gartner report Forecast: Information Security, Worldwide, 2015-2021, 3Q17 Update