Extrapolating the US penetration testing market size

One of the questions I have had for a bit, following on from my analysis of the Australian penetration testing market, is the implied size of the global penetration testing market.  Or at least, the size of the US penetration testing market, on the assumption that it is going to be the largest.  With a few minutes to spare, I thought I would try to kludge together a number that at least seems plausible given the (admittedly very few) external reference points available.

IBIS World released a research report in August 2012 (the "IT Security Consulting in the US Market Research Report") which provides a couple of free snippets of data - a revenue figure of $5 Billion, and, interestingly, the statement that "there are no companies with a dominant market share in this industry" - which is exactly the conclusion I came to when looking at the Australian penetration testing market.

So there's our first data point:  The US IT Security Consulting Market (2012) is estimated at $5 Billion.  

Global Industry Analysts, Inc have estimated the 2013 global information security products & services market at $104 Billion, and RNCOS has estimated the global IT security market at $96 Billion (both figures from this interesting analysis of the Turkish IT security market).  Not wildly dissimilar numbers which is always a nice start.  A PricewaterhouseCoopers report in 2011 apparently put the estimated market size at $60 Billion, so a bit smaller, but with forecast growth, probably closer to a $75 Billion estimate by 2013.  Gartner has put the global market at $55 Billion in 2011 with a forecast growth path that would imply something like $67 Billion for 2013. 

The US is estimated to make up close to half of all cyber-security spending globally.  Which seems quite plausible when one considers the size of both defence-led Government cyber-security expenditure, and also the size of the economy.  That would put the US cyber-security market into the vicinity of $35-45 Billion for 2013.

One potentially useful stat we can gather from the above is that IT security consulting is ~10-15% of the overall IT security market size.

So how do Australia's numbers compare?

This fairly old data set from 2009 has Gartner estimating the Australian IT security market size as being about $250 Million.  Let's add on 20% year-on-year growth since then, and we're at $500 Million-ish today.  Given my previous analysis of the Australian penetration testing market put it at $200-300 Million on its own, I think this is a pretty low estimate.  A 2008 estimate by IDC forecast the market would hit $1.5 Billion by 2011, which actually sounds a bit more workable.

If this is correct, and if my previous penetration testing market estimates are plausible, then at a macro level, organisations are spending 10-20% of their security budget on penetration testing and vulnerability assessment.  This feels a bit high (probably reflecting the fact that less is being spent than the bottom-up estimate of penetration testing expenditure would suggest), and also seems not to match with the US estimate of 10-15% of IT security spend going to consulting.  Given this would contain a great deal of 'non-penetration testing' consulting services, for penetration testing alone, let's go with something closer to 5% to be a bit more conservative.

So as rubbery as these data sets may be, they would suggest that the US penetration testing market is in the $1.5 - 3 Billion range... Which makes it 8-10 times the size of the Australian market, which, given that the US economy (GDP $15.094 Trillion) is larger than the Australian economy (GDP $1.37 Trillion) by an even greater multiple than that, would seem to make sense.

And just to recap my favourite point once again... "there are no companies with a dominant market share in the [IT security consulting] industry".  As I said at the end of the Australian analysis, this is a great market to be a part of; and on a global scale that is no different.

Why cyber-security capability in Australia is hot right now

In short, cyber-security is growing; and Australia is growing.  To provide a bit more data and analysis to back this up, I'll present a couple of current and topical reference points.

For 'exhibit A' I would point to the Ultra Electronics preliminary results presentation released at the start of March 2013.  For those who don't know of Ultra Electronics, they are a UK-listed defence, security, transport and energy company with operations around the world.  According to their website, they have "twenty-five businesses, which deliver over one hundred distinct market niches", which makes it interesting to look at the parts of their business that they see are growing, and which geographies they see growth in also.

In their preliminary results presentation, Ultra includes a list of "regions where we see growth", as follows:

  • Australia
  • Brazil
  • China
  • India
  • Indonesia
  • Libya
  • Middle East
  • Turkey

Australia is obviously well positioned in that group of countries due to its political stability, strong legal framework, similar business environment, and strong positive relationship between the government and the governments of the countries-of-origin of the majority of the serial acquirers in the cyber-security space (US, UK, Japan, and others).

This is solidly confirmed by the 'Ease of Doing Business' rankings put together by the International Finance Corporation / World Bank.  Australia comes 10th (out of 185 ranked countries).  By comparison, the other countries in that list come 130th (Brazil), 91st (China), 132nd (India), 128th (Indonesia), 71st (Turkey), and 22nd (Saudi Arabia, the highest ranked Middle East country).  Libya is unranked. 

Ultra also includes details in their preliminary results presentation of positive service-line revenue drivers, as follows: 

  • Anti-Submarine Warfare
  • Cybersecurity generally and ECU specifically
  • Airport IT
  • Power management and
  • Nuclear energy

So two out of the five are IT related; and cyber-security is acknowledged as being a positive revenue driver in its own right.  

Putting the two things together, the cyber-security market in Australia is a growing business area, in arguably the 'easiest' of the identified growth economies to do business in.  This alignment is rare and valuable.

For 'exhibit B', I refer to the article with a lead-in on the front-page of the Australian Financial Review today, 27th March 2013, titled 'Telstra’s cyber security strategy for growth'. The article references Telstra COO Brendan Riley as saying that "...Telstra had begun bolstering its local team of cyber security experts as a major selling point for its $1.3 billion cloud computing and network services business."

This is relevant from two different perspectives.

Firstly it provides a clear indication of the need to have a visible cyber-security strategy for any large ICT service provider.  From a market positioning perspective, large ICT providers cannot be seen to be ignoring the importance of cyber-security as a future driver of growth.

Secondly, it provides an indicator of the need for cyber-security operations within companies such as Telstra, not for the purpose of providing stand-alone cyber-security services, but rather as part of a broader 'secure IT' push.  It is not enough for a company such as Telstra to have a cyber-security division providing these services; the market is now expecting every service provided by Telstra to have a rigorous level of security applied as part of business-as-usual.  Such an approach significantly changes the scale of the resourcing challenge these organisations will have.

When discussing resourcing and recruitment challenges, the must-read report continues to be 'A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters' (http://csis.org/files/publication/101111_Evans_HumanCapital_Web.pdf), released by the CSIS Commission on Cybersecurity for the 44th Presidency (USA), in November 2010, which discusses in depth the shortage of both quality and quantity in the cyber-security personnel marketplace.  

As the CSIS Commission Report so eloquently puts it:

"cybersecurity is similar to 19th century medicine - a growing field dealing with real threats with lots of self-taught practitioners, only some of whom know what they are doing."

In such an environment the value of proven cyber-security teams - who know what they are doing - is clear. And the market peak for cyber-security is a long way off, as 'IT Security' is replaced by 'Secure IT', significantly magnifying both the market size and the market need.