A Market Size Formula for the Security Assurance of Everything

Last year, I wrote an article entitled "Penetration testing market analysis: Where is all the revenue?" looking at the Australian penetration testing market, and estimating the size of the market at $200 - 300 Million.  Since then I've had any number of requests to extend the analysis, to answer the question of how big the US penetration testing market is; of how big the global penetration testing market is; of how big the global security assurance market is; and various other slicings and dicings of the data.

One of the more interesting questions that came up was whether a high-level percentage figure could be identified that would give a sense of the security-relevant market potential of new areas of development.  I thought I'd play with some numbers and see what popped out, and decided to share it here to solicit thoughts from anyone else interested in the topic.  It's important to note that this is definitely not an economically or statistically rigorous approach to the topic; rather, it's taking a handful of numbers and smashing them together to see what pops out, and to see if perhaps there's a meaningful trend that we can interpret.

Whereas my analysis of the penetration testing market was bottom up, when we're looking at something the size of the global IT market, it's simply too big to do that way, so we need to start from the top and work down.

At the top, we have some really big numbers.  Gartner has estimated that the worldwide spend on enterprise IT was $2,700 Billion in 2012.  (Note that I'm not entirely sure whether this figure includes or excludes personnel costs, which could throw a spanner in the works for the rest of this piece... but just go with it for now).

In terms of how security fits into these big numbers, Gartner has also provided some analysis on that, suggesting that in 2010, approximately 5% of the enterprise IT budget was spent on security, with that 5% breaking down further to:

  • Personnel (37%)
  • Software (25%)
  • Hardware (20%)
  • Outsourcing (10%)
  • Consulting (9%)

(And yes, that adds up to 101%; obviously that's the result of rounding; we can live with it.)

If 5% of the $2,700 Billion market was spent on security, that would give us about a $135 Billion IT security market.  At first glance this looks high, since most estimates have the security market at between $75-100 Billion, but one notable difference is the inclusion of internal staff - "personnel" - in that figure.  Adjusting to take that out, the market size becomes $98.5 Billion, which is spot on with most other estimates.  Could just be luck, but it's a nice starting point to at least have a little internal consistency in our numbers.

Taking it one step further, the consulting figure (9%) would imply a consulting market size of $12.15 Billion, which seems pretty reasonable (for comparative data points, IBIS World has the Australian IT Security Consulting market at $2 Billion, and the US IT Security Consulting market at $5 Billion, so to add another $5 Billion for 'rest of world' seems about right, and hey presto... same number).

Security assurance activities are mostly going to fall within the 'consulting' bucket, but there will likely be some cross-over.  Some companies have internal penetration testing teams (so it would fall into 'personnel'), others will spend big on automated scanners and the like (so it would fall into 'software' and 'hardware') and others may categorise it as some kind of managed service (which would put it into 'outsourcing').  

My estimate would be that at least 30% of IT Security Consulting spend goes towards security assurance activities.  So that's 30% assurance of 9% consulting of 5% of enterprise budget of $2,700 Billion, and crunching that all together gives us a figure of about $3.65 Billion as the security assurance consulting global market.  (I think it would be higher if associated products like vulnerability assessment tools/scanners and the like were included).  The good news is that this figure is also pretty well aligned with other research out there about market sizing.

It's also notable that the budget figure we're using - 5% - is from 2010.  More recent estimates have thrown out numbers that range from a little higher (5.6% - FT.com 2011) to a lot higher (7.5% - Wisegate 2013).  The 7.5% figure would make the security assurance consulting global market closer to $5.5 Billion, which is plausible, but probably stretching it a bit so I'm inclined to be conservative and stick with 5% as a macro-level average... but certainly note that as budgets rise, there is a substantial impact on the security market.

To go from the macro, global level to a country level, let's look at Australia and see what happens.  SMS Management & Technology's market presentation, which merges data from Gartner, Forrester, and their own analysis, puts the Australian enterprise IT market size at $47.1 Billion.  Note that this excludes personnel costs.  5% on IT security would mean $2.355 Billion.  Adjusting for the missing personnel costs, and then just taking out the consulting chunk, we would have an IT security consulting market of about $340 Million, and a security assurance consulting market of about $100 Million.  That's lower than I've previously estimated from a bottom-up view (my estimate is $200-300 Million), but I think in part that's a function of the fact that we actually have a pretty substantial and dynamic security assurance market in Australia, which could easily account for 50% of the consulting spend rather than the 30% that I've apportioned globally.

The final leap of faith here is to look at the ultimate 'trickle down' from a macro-level market size to the security assurance consulting market we are operating in.  And the magical number appears to be that something in the range of 0.14% - 0.20% of a macro-level IT market size trickles down to security assurance.

So, and here comes the magic, that would mean we have a handful of prospective security assurance consulting markets out there including:

Mobile Ecosystem - Tablet market ~$35 Billion, Smartphone market ~$150 Billion, Application market $25 Billion - implied security assurance consulting market $300 - 400 Million.  

Internet of Things - IDC estimated market size $4.8 Trillion (Read that number again.  That's Trillion.) - implied security assurance consulting market between $6 - 10 Billion.

I'll leave it there.  Partly because I have to go and start an Internet of Things security company right now.