Penetration testing market analysis: where is all the revenue?

I was recently sitting at the Australian Technology Park having a cup of coffee with Casey Ellis, co-founder of Bugcrowd, chatting about upcoming investor presentations.  We worked our way on to market sizing, and found that we had both had the same experience when attempting to do a 'bottom up' sizing of the penetration testing market in Australia.  The problem that we both came across was that even using fairly conservative numbers as to the amount companies are spending on penetration testing, the amount of theoretical penetration testing revenue sloshing about in the market simply does not align with the revenue of the service providers in this space, or simply with the number of testers providing these services.

[Incidentally, I had brief flashbacks to my case-study interviews with strategy consulting firms before I started SIFT... where I had awesome questions like: 

  • "Estimate the size of the market for salmon in the United Kingdom"; and
  • "Estimate the number of PCs imported to Australia each year".]

Back to the penetration testing market... 


Let's start with the big guys.

ASX 20

Of the ASX20, which includes companies in financial services, materials/mining, energy, consumer staples, telecommunications and healthcare, my back-of-the-envelope estimates would suggest that the biggest spenders would spend about $4 million annually on penetration testing, and the lowest spenders would spend about $100K annually.  Putting together the expenditure of the whole group, I estimate it works out at pretty close to a neat $20 million across the 20 companies.

And of course, the ASX20 is - as its name suggests - just the 20 largest companies by market capitalisation on the ASX.  There are a total of 2,157 companies listed on the ASX (when I downloaded the list a moment ago), all of whom you could argue have some degree of obligation to their shareholders to ensure the security of their data and systems, with penetration testing being a pretty common response to that obligation.  For argument's sake, let's say less than half of them do anything, so 1,000 companies.  And let's assume that averaged across that many organisations, the average spend on penetration testing is $50K per annum.  That's another $50 million into the annual penetration testing market.

Let's look at some other big-spending sectors where some reasonably neat figures are available (about the size of the sector; if not the amount spent):

Financial Services

I'd estimate that about 60-70% of the ASX20 spend is coming from the financial services companies in the group who were some of the earliest adopters of penetration testing as a service, and continue to be the 'anchor tenant' for the industry.

According to APRA, at the end of 2012, there were 19 Australian banks, 8 foreign subsidiary banks, and 40 branches of foreign banks.  On top of these, there were 91 credit unions and 9 building societies.  There are also a handful of 'miscellaneous' companies like payments clearing, 'specialist credit card institutions' and 'purchased payments facilities' who are also significant market participants.

So that's an extra 170-ish financial services companies who are probably getting penetration testing completed to a greater or lesser extent.  Even if we rule out the 'branches of foreign banks' (as many of them will have their penetration testing managed by the global head office and hence delivered from overseas), we've still got about 130.  Chop out the group already counted in the ASX20, and we've got about 125.  Now let's be super-conservative and say that they will spend only 10% of the amount that the larger companies will spend; or a meager $100K per institution.  That's another $12.5 million into the annual penetration testing market.

Take a moment to consider that according to the Australian Bureau of Statistics, at the end of the 2010-11 year, there were over 164,000 businesses in Australia classified as 'financial and insurance services'.  In the calculations above we covered about 200 of them; admittedly the biggest, but it still leaves a vast number who have data to protect, and some of whom certainly have some penetration testing done.  (If just 2% of them spend just $5K each, that's another $15 million into the budget).

Government

Federal, State and even Local Government are covered by a range of policies explicitly requiring independent penetration testing.  One of the most succinct is that of the Victorian Government - SEC STD: Penetration testing which states that:

[Image: vicgov.png]

According to vic.gov.au's Contacts & Services directory, there are 521 distinct entities within the Victorian Government, for which 259 unique URLs are provided.  For example, the letter 'A'...  

[Image: vicdepts.png]

As per policy, each of these needs at least annual independent penetration testing.  Let's use our average across the set (covering both infrastructure and applications) of just $20K per annum.  That gives us about another $6 million for our penetration testing budget.

To avoid the pain of digging out the numbers for all the other states and territories, let's make a broad assumption that all the other state and territory governments added together sum to three times the size of Victoria's, in terms of Internet-facing infrastructure (which, given it includes NSW & QLD, plus the rest, seems reasonable).  Let's also assume that they have a similar intent to test everything annually.  So that's another $18 million to the budget.  That number feels high, so let's include all local government, councils etc across the country as well in that figure.

And of course there is also Federal Government.  It's possible to download a list of all registered contracts with keywords like 'penetration testing' or 'security testing' at https://www.tenders.gov.au/?event=public.CN.search, but these lists are woefully incomplete when trying to get a picture of the size of the market.  The Federal Government side of things is also somewhat obscured by the fact that at least some of the vulnerability assessment and penetration testing completed is performed by the Defence Signals Directorate (DSD).  Rather than tie myself in knots trying to work it through, I'll take a short-cut and assume it's the same as Victoria: $6 million annually, across all government agencies including the Defence Department.

E-Commerce / Payments

The Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing to be completed at least annually for in-scope systems and organisations.

There are approximately 200,000 websites in the .au domain space with 'shopping cart' functions.  Many of those will be using PCI compliant externally-hosted shopping carts so probably don't get penetration testing completed themselves.  But let's say just 10% of e-commerce websites with 'shopping cart' functions get penetration tested each year.  That's 20,000 websites.  Most of these are probably pretty small, so let's say they are just $10K penetration tests.  That's another $20 million in the budget.

We'll assume that the vast number of companies covered by PCI DSS, but who don't have a distinct 'shopping cart' function so aren't included in the figures above, are covered elsewhere in one of the figures we've already looked at.

Education 

There are 44 universities in Australia, and another half-a-dozen miscellaneous self-accrediting higher education institutions (ie theological colleges, maritime college etc), giving us a nice neat 50.

There are then at least another 100 state and territory accredited educational organisations, plus TAFEs and the like.  There are thousands of schools.

Given universities'... errr... 'creative' student population, they have a bigger need than most of the others here.  Let's assume $100K per annum for the universities, which is $5 million in total to the budget.

For the thousands of schools, TAFEs, and other miscellaneous bodies, it's hard to know where to start, so let's just allocate the entire sector $25 million and be done with it.  If there are 5,000 schools across the country that's only $5K of testing per school, so pretty conservative, although I'm cognisant of the fact that far-flung country-shed classrooms are unlikely to be having this testing done.

Information & Communications Technology (inc Software)

One of the larger consumers of penetration testing services is the broad and large ICT industry - and in this I also include companies developing software for sale to others, who therefore have a requirement for security assurance of that product prior to taking it to market.  It is also the fourth largest industry sector contributing to Australian GDP and employs 291,000 people in Australia. According to the Australian Bureau of Statistics, at the end of the 2010-11 year, there were 18,854 businesses operating in the Information, Media & Technology classification.

Let's just say 1% of these companies spend $100K annually on penetration testing.  That's close enough to another $20 million.

The rest

And we haven't even touched industry sectors like healthcare, resources (in the midst of all the 'China APT' news), legal, accounting, professional services, let alone the hundreds of thousands of small and medium sized businesses in this country, at least some of whom are spending some money on penetration testing.  

Adding it all up


So using this logic, there's a spend of something like $200-300 million on penetration testing, annually, in Australia.  Given the massive slabs of Australian business that are not covered in the figures above, even with the odd wayward assumption or double counting here and there, it seems reasonable.


And this is where the trouble starts.  Where is it going?

Many jurisdictions have bodies similar to the ACCC who are responsible for monitoring the misuse of market power.  In some of these jurisdictions, they have put numbers to what 'substantial market power' means, and a 'minimum' threshold for considering a company to have an influential market position.  The best figures I could find are from Hong Kong, who discuss using 40% as an indicator of 'substantial market power', and 25% as the 'minimum' threshold before being particularly interested in a company's market position.  Working with these:

  • Taking the 40% figure, we'd be looking for a company with $80-120 million in penetration testing revenue, annually, in Australia.  They don't exist.  No big deal, it just means we don't have a company with 'substantial market power'.
  • Taking the 25% figure, we'd be looking for a company with $50-75 million in penetration testing revenue, annually, in Australia.  They still don't exist.  So we don't have any real competition concerns in the market, which is healthy.
  • For argument's sake, let's take a 10% figure, so we'd be looking for a company with $20-30 million in penetration testing revenue, annually, in Australia.  I'm still doubtful any service provider in Australia operates at that level.

If I'm right, and there is not a single company in Australia with 10% of the penetration testing market, who is delivering all these penetration tests?  Or is it that the numbers above are fundamentally incorrect because organisations just don't do as much penetration testing as they should (under policy, regulation, best practice etc)?

Let's take another angle on this.  Using $200 million as the market size, and a pretty standard average consulting rate of $1,500/day, there are about 133,333 days worth of consulting-level penetration testing to be delivered each year, which would require about 610 full time penetration testers in service provider organisations.  They aren't there either.

One thing I am confident of is that there is also an extremely long tail when it comes to suppliers of these services.  That is, there is a very large set of companies who each provide a very low portion of the services overall consumed in the market.  A great many miscellaneous ICT service providers (of which as per above there are many thousands) provide security related services such as penetration testing to their existing client base, with varying levels of quality.  Because of the large numbers, if 1,000 of these companies provide $100K of penetration testing services each, that could make up $100 million of the market total.

Another interesting question is how big the market would be if everyone was following 'best practice'.  At present, there is far from anything like consistency when it comes to the amount that organisations are spending on IT security, let alone on a sub-set of the topic such as penetration testing.  Near-identical banks can quite plausibly be spending amounts on penetration testing that are out by a factor of 10.  Where one bank spends $2 million; another spends $200,000.  There are also a great many companies - including those no doubt in lists like the ASX 200 - who simply do not have penetration testing completed at any meaningful level.

If all Government agencies were following policies and had every system tested annually; and all PCI-relevant organisations had penetration testing completed annually; and all ICT companies had their software and hardware tested before releasing it to market... etc, then the figures above could easily double to $500 million plus, annually.


So we have a $200-300 million market (much of which is probably only now coming to market for the first time), with a half-billion dollar opportunity, with no company in a position of market dominance, and an under-supply of qualified penetration testers to deliver the services.

Pretty compelling.  Want to buy a penetration testing company?  Call me.

Why cyber-security capability in Australia is hot right now

In short, cyber-security is growing; and Australia is growing.  To provide a bit more data and analysis to back this up, I'll present a couple of current and topical reference points.


For 'exhibit A' I would point to the Ultra Electronics preliminary results presentation released at the start of March 2013.  For those who don't know of Ultra Electronics, they are a UK-listed defence, security, transport and energy company with operations around the world.  According to their website, they have "twenty-five businesses, which deliver over one hundred distinct market niches", which makes it interesting to look at the parts of their business that they see are growing, and which geographies they see growth in also.

In their preliminary results presentation, Ultra includes a list of "regions where we see growth", as follows:

  • Australia
  • Brazil
  • China
  • India
  • Indonesia
  • Libya
  • Middle East
  • Turkey

Australia is obviously well positioned in that group of countries due to its political stability, strong legal framework, similar business environment, and strong positive relationship between the government and the governments of the countries-of-origin of the majority of the serial acquirers in the cyber-security space (US, UK, Japan, and others).

This is solidly confirmed by the 'Ease of Doing Business' rankings put together by the International Finance Corporation / World Bank.  Australia comes 10th (out of 185 ranked countries).  By comparison, the other countries in that list come 130th (Brazil), 91st (China), 132nd (India), 128th (Indonesia), 71st (Turkey), and 22nd (Saudi Arabia, the highest ranked Middle East country).  Libya is unranked.

Ultra also includes details in their preliminary results presentation of positive service-line revenue drivers, as follows: 

  • Anti-Submarine Warfare
  • Cybersecurity generally and ECU specifically
  • Airport IT
  • Power management and
  • Nuclear energy

So two out of the five are IT related; and cyber-security is acknowledged as being a positive revenue driver in its own right.  

Putting the two things together, the cyber-security market in Australia is a growing business area, in arguably the 'easiest' of the identified growth economies to do business in.  This alignment is rare and valuable.

For 'exhibit B', I refer to the article with a lead-in on the front-page of the Australian Financial Review today, 27th March 2013, titled 'Telstra’s cyber security strategy for growth'. The article references Telstra COO Brendan Riley as saying that "...Telstra had begun bolstering its local team of cyber security experts as a major selling point for its $1.3 billion cloud computing and network services business."

This is relevant from two different perspectives.

Firstly it provides a clear indication of the need to have a visible cyber-security strategy for any large ICT service provider.  From a market positioning perspective, large ICT providers cannot be seen to be ignoring the importance of cyber-security as a future driver of growth.

Secondly, it provides an indicator of the need for cyber-security operations within companies such as Telstra, not for the purpose of providing stand-alone cyber-security services, but rather as part of a broader 'secure IT' push.  It is not enough for a company such as Telstra to have a cyber-security division providing these services; the market is now expecting every service provided by Telstra to have a rigorous level of security applied as part of business-as-usual.  Such an approach significantly changes the scale of the resourcing challenge these organisations will have.

When discussing resourcing and recruitment challenges, the must-read report continues to be 'A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters' (http://csis.org/files/publication/101111_Evans_HumanCapital_Web.pdf), released by the CSIS Commission on Cybersecurity for the 44th Presidency (USA), in November 2010, which discusses in depth the shortage of both quality and quantity in the cyber-security personnel marketplace.  

As the CSIS Commission Report so eloquently puts it:

"cybersecurity is similar to 19th century medicine - a growing field dealing with real threats with lots of self-taught practitioners, only some of whom know what they are doing."

In such an environment the value of proven cyber-security teams - who know what they are doing - is clear. And the market peak for cyber-security is a long way off, as 'IT Security' is replaced by 'Secure IT', significantly magnifying both the market size and the market need.