New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers (2024)

(9 pages)

As the digital economy grows, digital crime grows with it. Soaring numbers of online and mobile interactions are creating millions of attack oppor­tunities. Many lead to data breaches that threaten both people and businesses. At the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025—a 300 percent increase from 2015 levels.1Steve Morgan, “2022 Cybersecurity Almanac: 100 facts, figures, predictions, and statistics,” Cybercrime Magazine, January 19, 2022.

In the face of this cyber onslaught, organizations around the world spent around $150 billion in 2021 on cybersecurity, growing by 12.4 percent annually.2Growth is compounded. However, set against the scale of the problem, even this “security awakening” is probably insufficient. A survey of 4,000 midsized companies suggests that threat volumes will almost double from 2021 to 2022.3The biggest cyber security threats coming in 2022, Coro. According to the survey, nearly 80 percent of the observed threat groups operating in 2021, and more than 40 percent of the observed malware, had never been seen previously. These dynamics point to significant potential in an evolving market. Currently available commercial solutions do not fully meet customer demands in terms of automation, pricing, services, and other capabilities—which this article will explore in further detail. As a result, the gap today between the $150 billion vended market and a fully addressable market is huge. At approximately 10 percent penetration of security solutions today, the total opportunity amounts to a staggering $1.5 trillion to $2.0 trillion addressable market (Exhibit 1). This does not imply the market will reach such a size anytime soon (current growth rate is 12.4 percent annually off a base of approximately $150 billion in 2021), but rather that such a massive delta requires providers and investors to “unlock” more impact with customers by better meeting the needs of underserved segments, continuously improving technology, and reducing complexity—and the current buyer climate may pose a unique moment in time for innovation in the cybersecurity industry.

1

New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers (1)

The underpenetration of cybersecurity products and services is, on the face of it, the result of the below-target adoption of cybersecurity products and services by organizations—which suggests that the budgets of many if not most chief information security officers (CISOs) are underfunded. Cyber­security providers must meet the challenge by modernizing their capabilities and rethinking their go-to-market strategies.

To maximize the opportunity, providers must get a grip on the factors shaping the market, the segments most likely to grow, and the services customers need. Here we set out four areas likely to be the focus of such discussions: cloud technologies, pricing mechanisms, artificial intelligence, and (particularly in the midmarket) managed services. With strategic planning in these areas, and a robust approach to implementation, cybersecurity providers can make themselves more competitive and get a slice of the $2 trillion pie.

Growing cybermarket potential

Why does the cybermarket offer such significant potential right now? We see five key drivers.

More attacks targeting smaller companies

From a demand perspective, fast-growing smaller organizations are exposed to proliferating digital touchpoints and ecosystem relationships. In addition, malware such as ransomware can pose an existential threat to small and midsize businesses (SMBs) and midmarket companies in a way it often doesn’t to large enterprises. What might remain a silent breach at a larger organization is often a significant, overt disruption at a smaller one. For example, a Texas-based midsize steel structure manufacturer was forced into bankruptcy in May 2019 when ransom­ware permanently encrypted both its tooling and financial accounting software. Ransoms can be out of reach, while information retrieval and recovery services are timely and difficult. Moreover, the trust of customers can prove difficult to recover once a company has been breached. In fact, according to previous McKinsey research on the importance of digital trust, in the past 12 months nearly 10 percent of respondents reported stopping business with a supplier after learning of a data breach.

Midmarket entities are often targeted by criminals looking to exploit unsophisticated security tooling. These companies, for example, may miss threats such as EternalBlue, an exploit developed by the US National Security Agency and later used by Wannacry ransomware. Many smaller entities use a single-backup strategy, which can leave them susceptible to attacks from ransomware such as PureLocker.

The proliferation of ransomware attacks targeting SMBs and midmarket companies means that even those that don’t currently employ or engage a security team have a responsibility to act. Fortunately, the SMB segment is becoming truly addressable by cybersecurity products and services for the first time, thanks to emerging economies of scale.

The impetus from regulation

At least 45 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity.4Cybersecurity Legislation 2021, National Conference of State Legislatures, July 1, 2022. Federal initiatives include the US National Defense Authorization Act, Executive Order 14028,5Improving the Nation’s Cybersecurity: NIST’s Responsibilities, May 2021. and the extension of the False Claims Act to include the misrepresentation of an organization’s cybersecurity program and qualifications.

Based upon McKinsey’s client conversations, federal cybersecurity contracting requirements aretrickling down to thousands of SMB and midmarket contractors. The US Securities and Exchange Commission (SEC) is discussing new rules on breach notifications. Compliance challenges grow more onerous as ecosystems proliferate. The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), for example, underscores the critical importance of holistic cybersecurity, much of it beyond the reach of SMBs and the mid­market unless they get help from vendors.

Rules around the world are equally stringent. The European Union’s General Data Protection Regulation, for example, may levy fines of up to 4 percent of global turnover against companies that fail to protect their customers.6An earlier version of this article incorrectly stated that the European Union's General Data Protection Regulation may levy fines of up to 2 percent of global turnover, when 2 percent only represents the possible fine for “less severe” violations. The “most severe” violations may fine up to 4 percent of revenue.

CISOs are as serious as ever about closing the (log) visibility gap

Moves to ramp up log processing are critical because just three years ago the average enterprise saw only 30 percent of what was happening. Finding more needles in the haystack will probably require more commitment—in particular, in areas such as AI, which can spot cyberthreats and malicious activities. For providers, AI will force a rethinking of technology and how they bring it to market.

Over the past three years, companies have boosted their share of total log volume visibility from about 30 percent to about 50 percent on average and are pushing toward 65 to 80 percent over the next three years (Exhibit 2).7McKinsey Cyber Market Map Survey. SMBs and the midmarket have been slightly more active than larger enterprises, and future growth in visibility use cases is predicted to be stronger among these smaller companies. SMBs expect to widen their deployment of end point detection and response (EDR) tooling, to use single panes of glass that ingest and monitor their cloud environments, and to rely on managed-service partners (such as providers of managed detection and response services) for more sophisticated activities.

2

New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers (2)

A surprising aspect of the current market landscape is the significant extent to which the slowest-moving enterprises are trailing their faster-moving peers. Bottom-quartile enterprises report lifting their log volume visibility by just 6 percent over the past three years and forecast a meager 5 percent rise in the next three. By comparison, the best performers, particularly in the SMB segment, increased their log coverage by between 25 and 35 percent in the past three years and plan to accelerate those efforts over the next three.

Talent shortages and service offerings

An existing global cyber-talent shortage, com­pounded by the intensification of digital threats like ransomware during the COVID-19 pandemic, has created further growth opportunities for service providers as CISOs and talent partners struggle to fully staff their organizations. Structural dynamics are also boosting demand for vended solutions. As companies build out their protections, buyers increasingly expect products to come bundled with offerings that ensure both short-term services (for instance, implemen­tation) and long-term ones (ongoing security).

A global cybersecurity talent shortage means that IT leaders often have little choice but to do business with third-party service partners.

The bottom line? Across all segments, forecasted changes in allocated security spending is increasing as a percentage of services between internal and third-party services. So long as talent remains a problem, outsourced services will be essential for companies that need to support strong security outcomes.

Higher levels of customer engagement

Until recently, many organizations that required cyber protection were not fully engaged with the challenges they faced. Often, they saw the cost and complexity of action as greater than the need for it. Now, with attacks becoming more frequent, the risk–benefit equation has changed. With security and privacy concerns being elevated to the C-suite across industries, geographies, and enterprises whatever their size, both providers and investors have opportunities. We see potential for innovation in prices and bundles, geographic coverage, target customer groups, integration, and off-the-shelf analytics.

Providers can excel on four fronts

To gauge the market opportunity, McKinsey used a bottom-up model: an assessment of key players and validation against industry logic and our conversations with clients. We also surveyed 500 cybersecurity buyers and interviewed 50 market-leading vendors. The combined insights, tracked in McKinsey’s Cyber Market Map, show that spending on products and services from vendors is set to rise 13 percent annually up to 2025—a significant uptick from 10 percent growth over the past three to five years. Key changes to previous market forecasts include not only faster growth, with services increasing much faster than products, but also a significant opportunity in the SMB segment.

For providers, the message is clear. Current market dynamics give them a chance to boost their penetration of both existing accounts and the unvended space. This growth will be spurred by an evolving threat landscape and talent shortages—a gap of at least 600,000 in the United States alone.8Olivia Rockeman, “Hackers’ path eased as 600,000 US cybersecurity jobs sit empty,” Bloomberg, March 30, 2022. To maximize the opportunity, we see potential for action on four fronts.

Ride the coattails of the cloud transformation

Public-cloud migrations will continue to define enterprise technology strategies for the next several years (Exhibit 3). Providers (especially product providers) should thus consider not only accommo­dating but also specializing in hybrid and multicloud architectures.

3

New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers (3)

Where cloud providers offer cybersecurity solutions, the tooling on offer in many cases is not a compre­hensive substitute to the capabilities of cybersecurity specialists—at least in the enterprise segment. Organizations that adopt multicloud strategies or maintain critical on-prem workloads will in all likelihood persistently need best-of-breed solutions. The challenges that vendors are expected to help resolve include ease of implementation, day-to-day ease of use, integration and coverage across environments, and agility and flexibility in attack environments. If information about an attack detected in one cloud provider environment is not conveyed immediately to other cloud environments, for example, that lapse would amount to atooling failure.

Organizations that adopt multicloud strategies or maintain critical on-prem workloads will in all likelihood persistently need best-of-breed solutions.

In many security-related markets, characterized by large numbers of tools, entire categories of orchestration players (such as those that orchestrate security and the identity of users) have been created to simplify the combination of parallel processes. Antifraud programs, for instance, require so many different sets of tooling to manage different geographies that a new category has emerged to manage workflows. In another example, in the cloud, orchestration coordinates workflows and the deployment and management of data across multiple public and private clouds, software-as-a-service (SaaS) providers, managed data centers, and on-prem infrastructure enterprises. All of these demands for increased visibility are potential entry points for providers.

Finally, regulation also creates a cloud-related opportunity for providers. Highly regulated verticals are migrating to the cloud about four times more quickly than low-regulated verticals are. This could help unlock new markets, particularly in highly regulated Europe, and be a key differentiator for multinationals that must navigate complex cross-border data flows, local regulations and data sovereignty, and geopolitical issues that spike cyber and data risk.

Create a pricing model for the midmarket

Many cyber solutions are mispriced for SMBs. Larger organizations can pre-pay or buy in bulk to obtain volume discounts, but many SMBs and midmarket companies are less able to negotiate hard for these services. Large enterprises have an abundance of metrics, historical data, and reference points. SMBs and midmarkets, however, often lack information on how much they and others have spent. Consumption-based pricing models (for example, per gigabyte) can add flexibility but also risk: if an organization doesn’t know what good security looks like, will it burn through its budget just looking for needles in haystacks? Instead, customers increasingly reward vendors that use outcome-based or more “plannable” pricing models, such as per workload.

One cause of the pricing mismatch is simple economies of scale. SMBs and midmarket companies have a smaller base of employees over which to spread cyber-tooling costs, so they face a decision: either pay a disproportionate price per employee—by a factor of three to five or more than larger companies do, depending on the tooling category—or forego some security controls entirely.

Better automation, AI, and machine learning

The steepest innovation curve is for developing the brains of next-gen products and managed security services. Fully autonomous intelligent cyber-defense platforms (for example, end-to-end automated SIEM/SOAR9Security orchestration, automation, and response (SOAR) and security, information, and event management (SIEM). detection and response pipelines) are challenging to engineer and validate to the point where they are fully trusted by operators. Providers should therefore strive to enable high-fidelity assisted intelligence that makes human analysts more efficient be it through leveraging advanced analytics or building tight integrations with other security platforms (Exhibit 4).

4

New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers (4)

Many next-gen algorithms for AI and machine learning (ML), while not yet ready for autonomy, are getting close. Rule libraries are increasingly refreshed from open sources and built on common standards, such as Yara. Eventually, one human being, operating as a remote or virtual resource to serve multiple companies, will reduce the cost of MDR solutions and boost the margins of providers.

To reach this target state of optimized low-cost services, managed-service providers can focus on the brains of next-generation security products by concentrating innovation in areas such as data source integration and neural/logic engines. Enhancing and building data source integrations could yield indirect revenue opportunities and widen access to larger ecosystems—for example, as part of an open extended detection and response (XDR) concept. Spreading investment in neural/logic engines across both cutting-edge AI and static rules libraries will ensure that R&D efforts are measurably productive.

Expand managed services and create a midmarket-friendly solution

Demand for full-service offerings is set to rise by as much as 10 percent annually over the next three years. Providers should thus seek to develop bundled offerings that take advantage of hot-button use cases. And they ought to focus on outcomes, not technology.

A potentially rewarding approach would be to adopt co-creative models with managed-service providers (MSPs) to build workbench solutions. This would require investments in R&D and development tooling (for example, APIs) that allow MSPs to connect your platform to theirs rather than the other way around. Partnering will make it possible to create centers of excellence, which will lead to faster implementation and more efficient operations. The resulting improvement in customer outcomes will feed into the performance metrics of providers, and a more robust service layer will create a runway to master product market fit.

Rather than the common laundry list approach, vendors should adopt a clear MSP partnership strategy. Where necessary, they should invest in building collaborative sales capabilities with their partners. (In several cyber-partner programs, 20 percent of the partnerships generate 80 percent of the partners’ revenues.) Finally, vendors must articulate industry-specific use cases with tweaks to their products’ user interfaces and user experi­ences, as well as potential MSP and partner channel sales and marketing.

Winning companies will work with SMB-focused channel partners and optimize their marketing. That approach could involve partnerships with small-business software providers (such as tax prep software and cloud email and storage) and with vertical SaaS providers (such as payroll management and point-of-sales services). In some cases, it will make sense to replatform offerings as lighter-weight SaaS-first solutions, catering to buyers already deep in the trenches of SaaS transformations in other enterprise applications and platform realms.

The continuing digitization of the global economy, ever-increasing numbers of cyberattacks, and regulatory pressure on companies to protect their data present cybersecurity providers with a compelling opportunity. Amid talent deficits and the desire to boost log visibility, SMBs and midmarket players in particular are focused on implementing more advanced solutions.

With billions of dollars of revenues set to flow into the market in the next three years, providers should seize the moment. That means optimizing engage­ment with the cloud, developing a pricing model for the midmarket, embracing innovation, and expanding managed-service offerings to create midmarket-friendly solutions. In short, it means finding productive combinations of product, price, and services that vendors can tailor to target segments and are flexible enough to scale. If the industry can meet these priorities, it can start to create the momentum that will increase its penetration across segments and put the $2 trillion prize in play.

Bharath Aiyer is an associate partner in McKinsey’s Southern California office; Jeffrey Caso is an associate partner in the Washington, DC, office; Peter Russell is a consultant in the New York office; and Marc Sorel is a partner in the Boston office.

The authors wish to thank Hannah Chen, Bartlomiej Kazimierski, and Kevin Telford for their contributions to this article.

Explore a career with us

Search Openings

New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers (2024)

FAQs

What is the market opportunity for cybersecurity? ›

Revenue in the Cybersecurity market is projected to reach US$185.70bn in 2024. Security Services dominates the market with a projected market volume of US$97.30bn in 2024. Revenue is expected to show an annual growth rate (CAGR 2024-2029) of 7.92%, resulting in a market volume of US$271.90bn by 2029.

How big is the cybersecurity as a service market? ›

It has been estimated that the addressable market in cybersecurity might reach almost USD 1.5 trillion to almost USD 2.1 trillion. The priorities of shielding businesses have become of prime importance for the market players. Let us understand how cyber security is becoming an important aspect for various businesses.

What are the top 3 targeted industries for cyber security? ›

Overall, the top five industries targeted by cyberattacks are:
  • Finance (50% of attacks)
  • Healthcare (20%)
  • Government & Public Sector (18%)
  • Food (4%)
  • Utilities (4%)
Apr 19, 2024

What will be the biggest challenge faced by cybersecurity professionals in the next year? ›

1. Ransomware Attacks. Ransomware is one of the biggest cyber security challenges that concerns us in the digital world. In the year 2021- 2022, there were an unparalleled number of ransomware attacks, and this trend is still to continue in 2024.

Which industry is a bigger target to cybersecurity? ›

Healthcare Industry: A High-Stakes Target

The healthcare sector has become a prime target for cybercriminals. As per a study, the global healthcare cybersecurity market is projected to reach 35.3 billion by 2028, emphasizing the growing recognition of the sector's vulnerability (Marketsandmarkets, 2023)1.

Is the cybersecurity industry growing? ›

The cybersecurity market is growing and changing at a rapid pace, leading to major opportunities for vendors, heightened confusion for buyers and new challenges for CISOs. Business is booming for both cybercriminals and cybersecurity tech companies.

How big is the cybersecurity market in 2024? ›

Global Cybersecurity Market Size (2024 to 2029)

The global cybersecurity market is expected to be worth USD 379.75 billion by 2029 from USD 239.04 billion in 2024, growing at a CAGR of 9.7% between 2024 to 2029.

What is the forecast for the cybersecurity market? ›

KEY MARKET INSIGHTS

The global cyber security market size was valued at USD 172.32 billion in 2023 and is projected to reach USD 424.97 billion in 2030, exhibiting a 13.8% CAGR during the forecast 2023-2030. North America accounted for a market value of USD 67.77 billion in 2022.

How high in demand is cybersecurity? ›

More than 1 million cyber security jobs will be available by 2023, but less than 400,000 cybersecurity professionals will be trained by then. Cyber security is an ever-growing industry. It is projected to grow by 11% in 2023 and by 20% in 2025.

What are the 3 P's of cyber security? ›

But now, the long-standing People-Process-Product triad comes to mind. “The three Ps” phrase is so prolific, it's used for many other models, in medicine, personal performance, marketing, and first aid. The People-Process-Product model is useful in many areas of life.

What is the number 1 cybersecurity threat? ›

Malware is the most common type of cyberattack, mostly because this term encompasses many subsets such as ransomware, trojans, spyware, viruses, worms, keyloggers, bots, cryptojacking, and any other type of malware attack that leverages software in a malicious way.

What are the big 4 in cyber security? ›

In the grand scheme of prospective providers, the choices are primarily split between the “Big 4” (Deloitte, PwC, Ernst & Young, and KPMG) or boutique providers. On the surface one might think that the Big 4 must be the best options because they are the biggest contenders.

What will cybersecurity look like in 5 years? ›

More attention on prevention and preparedness. In the next five to ten years, prevention and preparedness will be more vital than ever. If 2023 taught the cybersecurity industry anything, it's that proactively planning for a cybersecurity incident or data breach is critical.

What is the next big thing in cybersecurity? ›

Trend 1: Increased Focus on AI and Machine Learning in Cybersecurity. In 2024, AI and Machine Learning (ML) are set to play a more critical role in cybersecurity. AI's advanced data analysis capabilities are increasingly used for identifying and predicting cyber threats, enhancing early detection systems.

What is the biggest weakness in cyber security? ›

Top Cybersecurity Vulnerabilities
  • Zero-Day Vulnerabilities. ...
  • Unpatched Software. ...
  • Application Misconfiguration. ...
  • Remote Code Execution. ...
  • Credential Theft. ...
  • Security-Based Software. ...
  • Wi-Fi Security. ...
  • Firewalls.
Jan 22, 2024

What is the market forecast for cyber security? ›

The global cyber security market size was valued at USD 172.32 billion in 2023 and is projected to reach USD 424.97 billion in 2030, exhibiting a 13.8% CAGR during the forecast 2023-2030. North America accounted for a market value of USD 67.77 billion in 2022.

What is the cybersecurity market? ›

Market Definition

Cybersecurity is the process of defending computer networks, systems, applications, and data from online threats, illegal access, loss, or theft. It includes a range of tools, procedures, and methods intended to protect data and stop tampering with or abuse digital assets.

What is the current demand for cyber security? ›

The demand for cyber security jobs has risen significantly over the past few years. More than 1 million cyber security jobs will be available by 2023, but less than 400,000 cybersecurity professionals will be trained by then.

What is the market value of cyber security? ›

Report AttributesDetails
Market size value in 2021USD 217.65 Billion
Revenue forecast in 2030USD 504.46 Billion
CAGR9.7% from 2022 - 2030
Base year2021
6 more rows

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Frankie Dare

Last Updated:

Views: 5371

Rating: 4.2 / 5 (73 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Frankie Dare

Birthday: 2000-01-27

Address: Suite 313 45115 Caridad Freeway, Port Barabaraville, MS 66713

Phone: +3769542039359

Job: Sales Manager

Hobby: Baton twirling, Stand-up comedy, Leather crafting, Rugby, tabletop games, Jigsaw puzzles, Air sports

Introduction: My name is Frankie Dare, I am a funny, beautiful, proud, fair, pleasant, cheerful, enthusiastic person who loves writing and wants to share my knowledge and understanding with you.