Is Security Spending Keeping Pace?
In my last two blog posts, I looked at the trend lines for data breaches, both the number of reported breaches per year and the number of compromised records, including factoring out the impact of the major "whale" breaches. The caveat, of course, is that this is based on what's publicly reported. The US, unlike Europe with GDPR, has a patchwork of state breach notification laws with varying levels of enforcement, which makes it very possible for breaches to go unreported. What I found in my analysis was that if you throw out the big whale breaches that skew the numbers, the number of reported breaches has basically flatlined over the last few years, but the number of compromised records more than doubled in 2016 (growing by 128%) and then grew 10% and 3% in 2017 and 2018, respectively.
[Chart: compromised records per year, in millions, with the 20 largest breaches factored out.]
See my previous blog post for how I got these numbers.
So how does spending on cybersecurity solutions track against the breach trend lines? Probably the two best sources are the analyst firms Gartner and IDC.
Gartner said in late 2018 that cybersecurity spending would grow at a 12% clip from 2017 to 2018 and would grow 9% from 2018 to 2019. Per Gartner, actual cybersecurity spending hit $100 billion in 2017. The detailed breakdown by segment is shown in the table below.
Assuming there is a one- to two-year lag between a problem being experienced and budget being applied to it, the 12% spending growth from 2017 to 2018 makes sense in light of the 128% growth in non-whale compromised records we saw from 2015 to 2016, and the 9% spending growth from 2018 to 2019 parallels the 10% non-whale growth from 2016 to 2017.
IDC said in early 2019 that security spending in 2019 will be $103 billion, which is growth of 9.4% from 2018.
So both Gartner and IDC have cybersecurity spending growing roughly 9% from 2018 to 2019, and both have the market at over $100 billion (Gartner has it crossing $100 billion in 2017, while IDC has it getting there in 2019).
That 9% growth in cybersecurity spending is actually close to 3x the growth in overall IT spending, which Gartner pegs at 3.2% from 2018 to 2019. So clearly cybersecurity is a top "intent to spend" area, which is good to know.
But is the spending enough? Probably not, given the massive number of compromised records we have seen over the last three years: 6.3 billion in 2016, 7.9 billion in 2017 and 5 billion in 2018 (the chart below includes the top 20 big whale breaches). The chart below clearly says we need to do better in fighting this problem.
And the reality is that we are probably grossly underestimating the actual number of records that have been compromised. In the first year of GDPR, which mandates breach notification, the EU reported nearly 90,000 incidents. Most firms that track US breaches (which, again, are based on public disclosure, since the US has no federal breach notification regulation) put the number of US breach incidents at anywhere from 1,000 to 3,000 per year. So if the EU is reporting at least 30x the number of incidents in a similarly sized economy, then the US stats are grossly under-reported.
So my guess is that we are probably not spending enough given the threat, especially since the threat, at least in the US, is woefully under-reported.
But on the flip side, are we actually spending on cybersecurity in the right way? To use an analogy: are we funding our military to fight a WW2-style land battle in Europe when the dynamics of today's battlefield have totally changed?
When I was CEO at Centrify, an Identity and Access Management (IAM) firm, we pointed out that various analyses of breaches (such as the Verizon Data Breach Investigations Report, aka the DBIR) would often show that 60-80% of breaches were due at least in part to stolen or compromised user credentials (often obtained through phishing). But if you look at the Gartner data above, only about 10% of budgets was, and is, being spent on protecting identities. So potentially the issue is not that we are not spending enough, but that we are not spending in the right areas.
I would like to dig into this potential "spend mismatch" at some point by looking at the more recent reports that catalog the most frequent attack vectors hackers are using, and comparing that to the cybersecurity defense categories we are spending on. But I keep finding myself harping on breach notification and data protection laws, as it is insane to me that we don't have a central database of which organizations were breached, the number of compromised records, the attack vectors used, etc. This would help us spot trends and better defend ourselves, and of course give us a better sense of the size and scope of the threat we face. And it could give consumers a single place to check whether their records were caught up in a breach and/or whether an organization they do business with has been hacked.
So I think I will spend the next few blogs looking at the EU's GDPR, the California Consumer Privacy Act that will be kicking in soon, and the recently proposed legislation by Senator Wyden (the "Consumer Data Protection Act") and Reps. Eshoo and Lofgren (the "Online Privacy Act").
[Before I close out this blog, I want to do a quick sanity test on the numbers reported by Gartner, i.e. are they overstating or understating security spend? Let's take the "network security equipment" category, since there are a number of public companies in this area and we can get actual numbers. Per the most recent Gartner Magic Quadrant on firewalls, the four leaders are Palo Alto Networks, Fortinet, Check Point and Cisco, with the first three being pure-play security vendors. Let's assume those three represent 50% of the market, and let's be generous and count all of their revenue in the "network security" category (clearly they have revenue in other areas like "cloud security", but let's not spread their revenue out and just put it in one category, since network security is the core of their businesses). Then let's take their trailing twelve month revenue (which includes at least half of 2019) and compare it to the 2018 Gartner number.
According to Yahoo Finance, Palo Alto's trailing twelve month (TTM) revenue is $2.7 billion, Check Point's TTM is $1.97 billion, and Fortinet's TTM is $1.96 billion, for a combined $6.63 billion. Per the table above, Gartner says the network security market was $12.447 billion in 2018. So $6.63 / $12.447 is 53%, a bit higher than my assumed 50% market share but very close (and the TTM figures include some 2019 growth against a 2018 market number), so the Gartner data seems to pass the quick sanity test.]