A Market Size Formula for the Security Assurance of Everything

Last year, I wrote an article entitled "Penetration testing market analysis: Where is all the revenue?" looking at the Australian penetration testing market, and estimating the size of the market at $200 - 300 Million.  Since then I've had any number of requests to extend the analysis, to answer the question of how big the US penetration testing market is; of how big the global penetration testing market is; of how big the global security assurance market is; and various other slicings and dicings of the data.

One of the more interesting questions that came up was whether a high-level percentage figure could be identified to then provide a sense of the security-relevant market potential of new areas of development.  I thought I'd play with some numbers and see what popped out, and decided to share it here to solicit thoughts from anyone else interested in the topic.  It's important to note that this is definitely not an economically or statistically rigorous approach to the topic; but rather is taking a handful of numbers and smashing them together to see what pops out, and to see if perhaps there's a meaningful trend that we can interpret.  

Whereas my analysis of the penetration testing market was bottom up, when we're looking at something the size of the global IT market, it's simply too big to do that way, so we need to start from the top and work down.

At the top, we have some really big numbers.  Gartner has estimated that the worldwide spend on enterprise IT was $2,700 Billion in 2012.  (Note that I'm not entirely sure whether this figure includes or excludes personnel costs, which could throw a spanner in the works for the rest of this piece... but just go with it for now).

In terms of how security fits into these big numbers, Gartner has also provided some analysis on that, suggesting that in 2010, approximately 5% of the enterprise IT budget was spent on security, with that 5% breaking down further to:

  • Personnel (37%)
  • Software (25%)
  • Hardware (20%)
  • Outsourcing (10%)
  • Consulting (9%)

(And yes, that adds up to 101%; obviously that's the result of rounding; we can live with it)

If 5% of the $2,700 Billion market was spent on security, that would give us about a $135 Billion IT security market.  At first glance this looks high, since most estimates have the security market at between $75-100 Billion, but one notable difference is the inclusion of internal staff - "personnel" - in that figure.  Adjusting to take that out, the market size becomes $98.5 Billion, which is spot on with most other estimates.  Could just be luck, but it's a nice starting point to at least have a little internal consistency in our numbers.

Taking it one step further, the consulting figure (9%) would imply a consulting market size of $12.15 Billion, which seems pretty reasonable (for comparative data points, IBIS World has the Australian IT Security Consulting market at $2 Billion, and the US IT Security Consulting market at $5 Billion, so to add another $5 Billion for 'rest of world' seems about right, and hey presto... same number).

Security assurance activities are mostly going to fall within the 'consulting' bucket, but there will likely be some cross-over.  Some companies have internal penetration testing teams (so it would fall into 'personnel'), others will spend big on automated scanners and the like (so it would fall into 'software' and 'hardware') and others may categorise it as some kind of managed service (which would put it into 'outsourcing').  

My estimate would be that at least 30% of IT Security Consulting spend goes towards security assurance activities.  So that's 30% assurance of 9% consulting of 5% of enterprise budget of $2,700 Billion, and crunching that all together gives us a figure of about $3.65 Billion as the security assurance consulting global market.  (I think it would be higher if associated products like vulnerability assessment tools/scanners and the like were included).  The good news is that this figure is also pretty well aligned with other research out there about market sizing.

It's also notable that the budget figure we're using - 5% - is from 2010.  More recent estimates have thrown out numbers that range from a little higher (5.6% - FT.com 2011) to a lot higher (7.5% - Wisegate 2013).  The 7.5% figure would make the security assurance consulting global market closer to $5.5 Billion, which is plausible, but probably stretching it a bit so I'm inclined to be conservative and stick with 5% as a macro-level average... but certainly note that as budgets rise, there is a substantial impact on the security market.

To go from the macro- global level, to a country level, let's look at Australia and see what happens.  Borrowing a data set from SMS Management & Technology's market presentation, their merger of data from Gartner, Forrester, and their own analysis, puts the Australian enterprise IT market size at $47.1 Billion.  Note that this excludes personnel costs.  5% on IT security would mean $2.355 Billion.  Adjusting for the personnel missing, and then just taking out the consulting chunk, we would have an IT security consulting market of about $340 Million, and a security assurance consulting market of about $100 Million.  That's lower than I've previously estimated from a bottom-up view (my estimate is $200-300 Million) but I think in part that's a function of the fact that we actually have a pretty substantial and dynamic security assurance market in Australia, which could easily account for 50% of the consulting spend rather than 30% that I've apportioned globally.  

The final leap of faith here is to look at the ultimate 'trickle down' from a macro level market size, to the security assurance consulting market we are operating in.  And the magical number appears to be that something in the range of 0.14% - 0.20% of a macro level IT market size trickles down to security assurance.

So, and here comes the magic, that would mean we have a handful of prospective security assurance consulting markets out there including:

Mobile Ecosystem - Tablet market ~$35 Billion, Smartphone market ~$150 Billion, Application market $25 Billion - implied security assurance consulting market $300 - 400 Million.  

Internet of Things - IDC estimated market size $4.8 Trillion (Read that number again.  That's Trillion.) - implied security assurance consulting market between $6 - 10 Billion.

I'll leave it there.  Partly because I have to go and start an Internet of Things security company right now.

Sendmail, Sensory Networks & PacketLoop - Pondering Interesting Transactions

Sendmail - Watch this space 

ProofPoint - who are serial acquirers in the cyber-security industry - acquired Sendmail for about $23 Million in cash, paying a revenue multiple of something like 10, and a profit multiple of n/a since by the sounds of the announcement, Sendmail as a commercial enterprise has been losing money pretty consistently.  

"For the fourth quarter of 2013, Proofpoint expects Sendmail to have an immaterial impact on revenue while widening the company's non-GAAP net loss by approximately $2 million or $0.06 per share, as the company takes on the costs associated with this new team and begins to build a recurring revenue stream."  (http://finance.yahoo.com/news/proofpoint-inc-acquires-sendmail-inc-201000890.html)
"Sendmail brings a global community of open source users and a compelling set of enterprise customers, but little in the way of near-term recurring revenue due to their legacy business model built around the sale of appliances and perpetual licenses."  (http://finance.yahoo.com/news/proofpoint-inc-acquires-sendmail-inc-201000890.html)

So why are they buying it?  It seems the strategy is primarily about supply chain protection and/or integration:

"Noting that ProofPoint's enterprise protection solution is built on Sendmail's MTA, ProofPoint CEO Gary Steele said, "Acquiring Sendmail gives Proofpoint ownership of this definitive industry-standard technology...""  (http://www.fool.com/investing/general/2013/10/01/proofpoint-makes-another-acquisition.aspx)

Although the opportunity could well be larger than that.  There is certainly precedent for taking a semi-open-source software product and surrounding it with commercial services and support (with Snort/Sourcefire and Nessus/Tenable being two prime examples in the cyber-security industry) and creating significant value in the process.  Key to success will be ensuring the community continues to participate in the open source project, and sees the overarching commercial organisation that is now supervising it as one whose values it aligns with.  That ProofPoint has already started reaching out to the community (eg http://www.sendmail.com/sm/open_source/community_letter/) is a positive start to that relationship.

 

Sensory Networks - A mixed result

The same day as the Sendmail transaction, it was announced that Intel is acquiring Australian cyber-security tech company Sensory Networks for $21.5 Million (http://www.smh.com.au/it-pro/business-it/intel-to-acquire-australian-tech-company-sensory-networks-for-21-million-20131001-hv1un.html).  Intel is listed on the Sensory website as a partner, so as with the Sendmail acquisition, it could simply be a case, from Intel's perspective, of protecting the supply chain.

I have a soft spot for Sensory Networks as it was on Matt Barrie's recommendation that a number of our earliest team members at SIFT were recruited, and without exception they turned out to be some of the best and brightest minds in security that I have had the privilege to work with.  That being said, early media reports of the Sensory Networks sale really wanted to be able to present it as a success story, but that became progressively more difficult when additional context was added to the deal and the company.  

Like the fact Sensory had raised about USD $30M in venture capital to get to this point.  Like the fact Sensory was not a 'start-up', but had been running since 2003.  Like the fact Sensory started life as a hardware company (and by all accounts was excellent at it, from an engineering standpoint) and in 2009 changed tack to be software focused.  And the fact that at the date of the transaction the company had only five (5) employees.

Does anyone actually make any money in a deal like this?  It's an interesting question, and the answer is... It depends.

It depends on a few things, like:

  • The terms under which the venture capitalists invested
  • The degree to which the early shareholders were diluted in the various funding rounds
  • The importance of the remaining key employees and their ability to renegotiate equity plans over time
  • Other technical things like whether it's an asset sale or a share sale, and what the balance sheet of the company looks like

The first of those is probably the most significant.  Essentially, a venture capitalist is likely to get 'Preferred Stock' rather than 'Common Stock'.  One of the benefits of this preferred stock is that it will generally have 'liquidation preferences' attached to it.  At the simplest level, the 'preference' referred to in the name of the stock, is that it gets paid before the common stock.  There are a few different approaches to preferred stock (broadly known as 'Straight Preferred', 'Participating Preferred', or 'Partially Participating Preferred' - http://venturebeat.com/2010/08/16/beware-the-trappings-of-liquidation-preference/), but the crux of the issue is the same... basically, if you've got preferred stock, you will generally get back the cash you put in, prior to the common stockholders getting anything.  And if you put in $30M, and the company sells for $20M, that means there is zero left for anyone holding non-preferred shares.

Now to be clear, I don't have inside information on any of these transactions, and don't know what the terms were in any of the agreements.  It's likely that the share register at Sensory changed a great many times over the years as funds were raised, investors came and went, founders departed, the employee share scheme ebbed and flowed (since it is in everyone's interests to ensure the key team members remain motivated and incentivised to make the company succeed), and perhaps at the end a few people were holding enough of the right shares to do reasonably well after years of hard work... But it's also possible that nobody did.

My intention here is simply to highlight the fact that for aspiring tech entrepreneurs out there who heard the figure "$21.5 Million" and thought "Pay Day! I'm starting a company!", life often isn't that simple.  While it's fairly self-evident that a company going bust doesn't make the founders rich, it's less self-evident that a company being sold for an eight-figure sum, also may not make the founders a fortune.

I do hope that the team who worked so hard, for so long, to build the technology and the business of Sensory, did reasonably well out of this.  Looking to build an engineering-heavy cyber-security hardware company in Australia in the early 2000s was ambitious and courageous, and they contributed significantly to the cyber-security talent pool that we now have.

 

PacketLoop - The next generation

A month before the Sensory Networks and Sendmail transactions, it was announced that Arbor Networks (www.arbornetworks.com) acquired PacketLoop (www.packetloop.com) - see http://www.arbornetworks.com/recent-in-the-news/4983-news-packetloop for official press release.  While both innovative cyber-security technology companies, in many ways, PacketLoop is the antithesis of the Sensory Networks story.  It was started in 2011 and sold just 2 years later, and as far as I know, was bootstrapped throughout that period, without external venture capital involvement (although I could be wrong in that assumption).     

For those who are new to the industry, it is worth noting that the PacketLoop team have experience in this area - their previous cyber-security consulting firm ThinkSecure was sold to Infoplex in 2007 (http://www.computerworld.com.au/article/188385/infoplex_acquires_thinksecure_/).  

The great thing about this transaction from my perspective, is that PacketLoop is genuinely innovative, IP-driven, and Australian.  The company has focused on research and development, and getting the product right before taking it hard to market.  The attraction of PacketLoop to Arbor can only have been the IP - while I'm sure they have some clients and revenue, an acquisition at this early stage of the company's genesis is about getting access to the technology.  And that is really exciting, a great credit to Scott Crane, Michael Baker and others involved, and also is a really powerful message to others that it can be done.

The financial details of the deal haven't been made public and I don't know what they are, but I hope the founders and others have done well out of it, and I am also very confident that the deal would have been structured to provide significant incentive to stay and build the company further with Arbor's support and backing - which is great for the industry, the technology, and for cyber-security research and development in Australia. 

Transaction Analysis - Cyber-Security M&A

With a handful of recent transactions (eg NTT acquiring Solutionary; and Malwarebytes acquiring ZeroVulnerabilityLabs), we have just gone over the 650 transaction level in our database of cyber-security industry M&A.  Given that, I thought it was about time for another post teasing out some of the trends and intelligence that this data set has to offer.

Geographic - Transaction Size

The average transaction size, 2004-2013, for cyber-security companies with the following US / non-US transaction profile is as follows:

  • Non-US Buyer / Non-US Seller: $93 Million
  • Non-US Buyer / US Seller: $198 Million
  • US Buyer / Non-US Seller: $295 Million
  • US Buyer / US Seller: $420 Million

So the more 'US' you can get into your transaction, the bigger the number tends to get.  If you have a cyber-security product and want to maximise the return, heading to the US and getting venture capital funding is probably still your best option.

Buyer Industry Sector & Influence on Multiples

We have worked through the transaction data and categorised the buyers into one of a few groups: 

  • Defence industry
  • IT industry
  • Cyber-security industry
  • Professional services
  • Private equity / venture capital
  • Other

A couple of interesting observations from the transaction data, when analysed in this context:

  • Defence industry buyers pay the lowest revenue multiples, slightly below the private equity / venture capital community.  Realistically, this is likely to be more of a reflection of the difference in acquisition targets between the buyer groups, with the defence industry focused on services-intensive companies, while many of the other groups (eg the IT industry, and the cyber-security industry) are completing lots of acquisitions of product-led companies.
  • Cyber-security companies pay the largest multiples, by a significant margin.  The average profit multiple paid by the IT industry, the defence industry, and the private equity / venture capital community, varies by less than 10%.  The average cyber-security company-led acquisition multiple is over 6 times higher.  As per the above, this is primarily a function of the types of companies being acquired, with many cyber-security company-led transactions being of relatively early stage product companies, with significant R&D and sales and marketing expenses, but a relatively low base of revenue and profit, resulting in extremely high multiples.

This again demonstrates the importance of understanding the market, and particularly of the market as it pertains to your company.  The types of companies being acquired, and the level of maturity of those companies, varies significantly between buyer groups, and the prices paid vary accordingly.  

Outlying Transaction Valuations & Effect

While this blog isn't intended to be a tutorial on maths terminology, I'll just briefly revisit the distinction between the 'mean' (commonly called the 'average') and the 'median'.  The mean is calculated by simply summing all of a set of numbers together and dividing by the number of numbers.  

eg:  1, 1, 2, 2, 9

Gives a total of 15, and 5 numbers, so a mean of 3.

The flaw with using a 'mean' is that while it may be true to say the 'average' of that set of numbers is 3, the fact is also that 80% of the numbers are below the average, since it is skewed upwards by the larger number at the end.  Means are susceptible to being skewed by outliers.

The 'median' is basically just the value of the middle number when the numbers are arranged in order.  In this case, the median is 2.  What that number says is that 50% of the data is equal to or less than that number; and 50% of the data is equal to or greater than that number.  Generally speaking, that's going to be a more useful number.

How big a difference can this really make?  Let's take the example of transactions with a Cyber Security company as the acquirer.  The multiples data looks like this:

[Image: security company data.png]

Obviously a profit multiple of 38.49 is nothing to be sneezed at, but 117.08 as an average profit multiple is pretty crazy.  How is it possible that the averages could be that high?  Transactions like this:

These transactions skew the averages up rapidly, particularly in an environment where not every transaction has data available.  (ie, if price data was available for all 650 transactions, it would have much less of an impact; but with price data only available for maybe 10% of transactions, and the rest being 'not disclosed', it can have a big influence).

Multiples by Year - There's Really No Bubble

The average revenue multiple from 2004 until 2006, was a shade over 14.

The average revenue multiple from 2007 until 2009, was a shade under 3.

The average revenue multiple from 2010 until mid-2013, was almost exactly 3.

Profit multiple data similarly hasn't changed markedly over the period 2007 to mid-2013. 

In other words, back in the early days of cyber security, there were fewer transactions being completed, but the ones that did complete tended to be for high valuations - for example, Juniper's acquisition of NetScreen (https://www.networkworld.com/edge/news/2004/0209juniscreen.html) and Symantec's acquisition of Brightmail (see above).  

 

[Image: transactions-by-year.png]

There are now many more transactions, but the valuations have remained steady.   That's not a bubble - that's just a healthy market with strong demand for valuable companies.

 

Security Company Earnings Reports - Nuggets of Gold (Part 2)

I received some great feedback on my thoughts on the highlights of the Symantec, Checkpoint and Fortinet earnings calls, so by popular demand I have continued working my way through security company earnings calls.  In this edition, one of the newer and sexier market players: Sourcefire.

Of course, IT security is to 'sexy' what Eddie "the Eagle" Edwards was to ski jumping, so I still wouldn't necessarily be opening with your latest 'penetration testing' gag at the bar later tonight.  Unless the bar happens to be hosting a Star Trek party, in which case, make hay while the sun shines.

Anyway, on with the review.

Sourcefire 

http://seekingalpha.com/article/1387331-sourcefire-management-discusses-q1-2013-results-earnings-call-transcript

"Revenue for the first quarter of 2013 came in at $56.2 million, an increase of 21% over the year-ago period."

That's why they're the sexy ones.  21% year-on-year growth.

"21% was below our expectation."

Wow, expectations were high.  But then, when your PE Ratio is 339 (http://ycharts.com/companies/FIRE/pe_ratio), I guess that's what happens to expectations.

"Our U.S. Commercial and International business revenue grew a combined 37% over the same period last year."

Great numbers.  Unsustainable, but good to get them when you can.

"We believe our U.S. Federal business was impacted by funding uncertainties related to sequestration and the continuing resolution that wasn't approved until March 26, resulting in a year-over-year decline of 36%."

OK, should have seen that coming.  Good news first, then the bad news.  A 36% year-over-year decline is huge.  (For those who don't immediately recognise that a 36% loss is much worse than a 37% gain is good, remember that to get back that 36% loss, will require in excess of a 50% gain.)

"This approach starts by first acknowledging that there are 3 distinct phases of security from a defender's point of view. You have heard us refer to this as the attack continuum: a before, during and after phases of an attack."

Which sounds eerily similar to 'Protect, Detect and React' which we've been saying for decades.  Old wine, new bottles.

"Our cybersecurity solutions... address the full attack continuum across all attack sectors and respond at any time, all the time in realtime... This is in contrast to traditional security layers that only operate at a point in time... They have no capability versus a threat later in time."

I think I need to re-read Stephen Hawking's A Brief History of Time to understand this.  Any time, all the time, in real time, not at a point in time, but definitely later in time.  Got it.  On a serious note, it is interesting to see the amount of investment being poured into solutions aimed at detecting pre-existing breaches in an environment, effectively acknowledging the fact that organisations simply cannot prevent the breaches from occurring.

"Our [Advanced Malware Protection] solution [FireAMP] has capabilities and scope that will have the competition playing catch-up for years"

From what I've seen and read, I think FireAMP is indeed going to be a powerful tool in the security business.  As with all the latest-and-greatest technologies, however, the question will be whether anyone in Australia has the capability to implement it, configure it correctly, and manage/monitor it the way it is intended.  Otherwise it will be the next very expensive paperweight to hit our desks.

"As we continue to scale our International operations, we will benefit from the tax structure implemented last year and believe we can drive our long-term effective tax rate below 30%."

Seems pretty conservative.  Apple have managed to get theirs down to under 2%, with a "Dutch Sandwich" and some Catch-22-esque workmanship resulting in some of Apple's legal entities not being resident anywhere.  

"We don't traditionally break out our International business. I can tell you that it was strong across the board. We added 40 resellers in Q1 and a little bit more than half of them were International. In fact, half of them were in Asia-Pacific. That business is really starting to pick up for us."

Obviously Asia-Pacific is a lot broader than just Australia, but it's interesting to see how many companies are reporting strong demand and growth from this region.  It certainly matches the demand and growth in the domestic information security services sector, and I continue to believe that the services market in particular is growing faster than the supply-side can keep up with.

A question from the floor:

"And regarding the balance sheet, could you give us some color around the trends in deferred revenue? It was flattish quarter-to-quarter. Any color on that?"  

Boom!  Two uses of the buzzword-of-the-moment 'color' in one go!  I am still yet to hear it used at all in Australia, but maybe I'm moving in the wrong circles.  It can only be a matter of time.

In response to a question about which companies the FireAMP product competes with (this is long, but worth reading):

"In terms of who we compete with, there are a number of players in kind of the advanced network space that are out there, and a lot of people who claim they're out there as well. I think you look at the core anti-virus guys, a lot of them will say they're dealing with events now, where you look at newcomers, they're a bunch of startups out there. You have guys like FireEye as well. They're all kind of swirling around the problem right now looking for a solution. I would say that relative to any of them that are out there right now, there are -- some companies are taking a purely network-based approach, some are taking a purely end-point-based approach. Many of them -- well, very few of them consider the totality of networks endpoints, mobile devices and virtual environments. And of all the companies that are out there really, we're the only guys who consider them all. We use one unified detection infrastructure to analyze everything that comes in. We operate on a continuous capability model using streaming telemetry from the devices that we're connected to. And what that means effectively, if you look that this versus any of them that are out there, they all operate in what we call a point in time. They're presented with a piece of data. They make the decision either good or bad, and if they're wrong, they completely miss it and have no opportunity to go back there and do something about it again. We have continuous capability where we can see all the time, in realtime, not just the structure of advanced malware, but also its operations and behavior. And really, at the end of the day, we believe we're a disruptive player in this space because we're one of the first movers and we have a fully scoped solution that addresses the entire problem set that is out there."

A good summary of their positioning and how they see the market.  If FireEye is being included as a competitor, I assume RSA NetWitness, Solera Networks, Australian start-ups like Packetloop, and US-based companies that as far as I know haven't made it to our shores such as Damballa and Invincea should be included in there too.  It's becoming a crowded market and logically will consolidate pretty heavily over the next 1 - 2 years (noting that Blue Coat recently bought Solera Networks; and of course RSA reasonably recently bought NetWitness).  

For those in the IT security professional services industry, providing implementation, configuration, support and management around these 'next generation' tools is a huge opportunity.  While not all the products and vendors in this space will continue to be here in a few years' time, the amount of venture capital being thrown at this part of the market should guarantee short term viability at least.

Attribution, Economics, and 'The Criminality Premium'

I started putting together a piece on the concept of a 'criminality premium' some time ago, but was drawn to other topics for a while after.  I was brought back to it again after reading a blog by Phil Kernick, of CQR Consulting, titled "Attribution is Easy."  I'm not sure whether the title is intended to be serious or to provoke debate, but if you're really interested in attribution, the US held hearings into the topic before the Subcommittee on Technology and Innovation, Committee on Science and Technology of the United States House of Representatives, in 2010.  While obviously a few years old now, the content remains excellent and is a must read for cyber-security folks.

My personal favourite is this submission: Untangling Attribution: Moving to Accountability in Cyberspace, by Robert K. Knake, International Affairs Fellow in Residence, The Council on Foreign Relations

The following diagram from Knake's submission presents a neat and tidy summary of the key challenges in attribution, varying by the type of incident/attack one is trying to attribute.  I would suggest that attribution isn't "easy", but in some cases is a problem with sub-elements which can definitely be resolved.

[Image: attribution.png]

While the CQR blog entry example of Alice and Chuck, and Chuck peering over Alice's fence with a telephoto lens, is hardly the epitome of 'cyber war', the mechanism of attribution - based on the "small number of capable actors" (ie who could see the designs) and "using out-of-band investigative and intelligence capabilities" is a pretty good match for the above.  

The CQR blog also included the following line which raised my eyebrows:

"This is an economic market working perfectly - if it is cheaper to steal the design than license it, economic theory drives theft, until the cost of theft is greater than the cost of licensing." 

While the underlying economic premise here may well be correct, it is only true in a world where the only 'cost' of theft to the thief, is the actual financial cost of the resources used to steal.  The lack of consideration of the potential for either civil or criminal liability for copyright breach (and whatever other miscellaneous crimes may have occurred in the process), renders the example of little use in the real world.

Where this does become relevant, however, is in the consideration of the concept of a 'criminality premium', which first arose after a discussion about crowd sourced security testing, and bugcrowd (for whom I am an Advisor).  

The realisation that I had is that crowdsourcing testing aligns the reward process for the good guys with the reward process for the bad guys.  That is, the bad guys don't get 'paid' (ie, don't receive an economic reward) for the time they invest in finding vulnerabilities in systems; they only get 'paid' when they find the vulnerability (generally, through exploiting it).  Crowdsourcing aligns the reward system so that the good guys get rewarded for doing the same thing as the bad guys.

This, in turn, got me wondering about whether this economic similarity in reward structure somehow helps level the playing field because the good guys no longer have the economic advantage of stability of earnings (ie getting paid for time, rather than results) and instead are paid like the bad guys - on delivery of results.

Taking this a step further, if we're presenting the same fundamental task (finding security weaknesses), and the same economic incentive structure to both the good guys and the bad guys, then the only reason someone would choose between the two is the size of the reward.  I also assume that it is not as simple as just converging the size of the 'good guy' reward pool with the potential size of the criminal 'reward pool', but that logically there is a 'criminality premium', in that given two choices:

  1. Earn $50 legally;
  2. Earn $50 illegally for doing exactly the same thing;

Anyone making rational decisions will choose 1, as there is a 'cost' that must be considered with (2), associated with the potential for punishment for the illegal act.

Therefore, the question is simply how big we think this criminality premium is.  If you have a database of 40,000 credit card numbers, which for argument's sake are worth about 50c each on the black market, the potential 'payment' for accessing that database and selling the contents, is $20,000.

How much do you need to pay, for the person identifying the vulnerability allowing access to that data, who is economically rational, to choose the legal disclosure path rather than the illegal disclosure path?  (Acknowledging that this concept requires almost everyone in the world having a tacit ongoing bug bounty program!)

$5,000?  Seems unlikely.

$10,000?  Must be getting close.  $10,000 without any worries about the feds kicking in your door would seem a better idea than $20,000 from illegal exploitation of that data set (since there are all the usual 'non-payment' risks that also arise in the black market). 

$15,000?  Surely.

If we can successfully remove the economic incentive to be a 'black hat' rather than a 'white hat', we're just left with the criminally insane and the purely vindictive (ie not economically motivated) attackers to worry about.  

And whether organisations have a grip on the potential economic value of their data to an attacker, in order to put together a program that is sufficient to take economically rational hackers out of the pool of bad guys, is a different question again.

Security Company Earnings Reports - Nuggets of Gold (Part 1)

All reports referenced below, and all quotes, are from Seeking Alpha - free registration required to read them.

In this first set, I've looked at Symantec, Checkpoint, and Fortinet.  In later blogs I'll look at others including Sourcefire, Qualys, Imperva, Websense, Vasco, and probably some others.

If I had to summarise the three below, this would be pretty close:

  • Symantec is like the New York Yankees.  Big budget, used to win the World Series routinely, now has an ageing roster who spend lots of time on the DL, but somehow seem to still find a way to genuinely compete.  Not a bad team, even if they don't look as razzle-dazzle as they once did.
  • Checkpoint is like the Oakland Athletics.  A good team in a smaller market (compared to the Yankees), that historically has focused a bit more internally than externally (with pretty good results most of the time).
  • Fortinet is like the Washington Nationals.  Lots of brash young players with extraordinary talent, who occasionally play the game too hard (eg http://mlb.mlb.com/video/play.jsp?content_id=27097807&c_id=mlb).  But the fact is, a few years from now, when the Yankees roster is completely different, the Nationals roster will be much the same, and they will be awesome.

Don't follow baseball, so don't understand the above?  For more color, read below.  Oh, and you'll also discover the joy of the word 'color' as a tool of management-speak.

Symantec

http://seekingalpha.com/article/1412431-symantec-management-discusses-q4-2013-results-earnings-call-transcript?part=single

"We delivered better-than-expected results for the quarter and year... We grew 3% organically, the largest organic growth rate in 5 years." 

I can't help but think that when 3% organic growth is the largest rate in 5 years, the company is in need of some electro-shock therapy.

[As a cross-reference, the Fortinet transcript mentions that analysts' average growth forecast for the industry is 6-10%.  Growing at below that trend line, is not a great sign.]

"FY '13 also was the start of the transformation of Symantec."

Ah, right.  The aforementioned electro-shock therapy.

"We're in the middle of rightsizing our management structure."

Do people still euphemistically use the word rightsizing?  Are we not supposed to notice that nobody has ever 'rightsized' a team and made it bigger?

"We expect to eliminate between 30% and 40% of our management positions."

Like I said.  Rightsizing is a one way street.

"We will have fewer, bigger jobs for our best and brightest. We are also attracting world-class talent from the outside..."

OK, so 30-40% of management positions are gone, and of the positions remaining, externals will take some, so we're basically saying that probably a full HALF of Symantec's management will be removed in the coming year.  Wow.

"...[we're seeing] double-digit growth in our information security business"
"...[we're seeing] double-digit growth in Business Critical Services as demand for high-touch infrastructure protection services continues to grow"
"...[we're seeing] double-digit growth that we're seeing out of areas like encryption, Managed Security Services."
"Our Trust Services business continues to grow very nicely for us."
"...as to the Endpoint Security business, that's closer to flat."

Realistically, nothing too surprising here.  Many of the fastest growth companies in the market are in the 'detect' space right now (rather than 'protect' or 'react'), and Managed Security Services and infrastructure protection services are growing well everywhere.  It would be a tough part of the market to try to operate in, to cover both mums-and-dads anti-virus all the way through to high-end MSS for financial institutions.  

Checkpoint

http://seekingalpha.com/article/1358591-check-point-software-technologies-management-discusses-q1-2013-results-earnings-call-transcript

"In the first quarter, revenues reached $322.7 million, representing an increase of 3% compared to $313 million in the first quarter of 2012."

As per Symantec, growing at 3% in a market growing 6-10%, isn't great... but of course that's always part of the challenge of being the big guy.  It's much harder to grow proportionally as quickly as all the start-ups nibbling at your market.  And of course Symantec is much bigger still.

"Revenue distribution by geography for the quarter was as follows: Americas contributed 45% of revenues; Europe was 38%; and Asia Pacific, Japan, Middle East and Africa regions contributed the remaining 17%."

This matches up pretty well to the rule of thumb that the Americas (primarily the USA) accounts for close to half of global cyber-security spend.

Regarding not having closed some "super high end deals" (which is later clarified to relate to these devices: http://www.checkpoint.com/products/61000-appliances/index.html):

"Competitive-related, no, I don't think that any of these deals -- I mean, all these deals that there are now are still open, and I think that, that part of the market is currently not very competitive to keep the deals we are seeing."

This doesn't surprise me.  As 'hot' as the security market is, and as many companies are pouring into it, it is still the case that a large part of security spend is not allocated through a competitive process; or if it is at first, it is not for some period of time after that.  Organisations are - in many cases - picking their security partners and sticking with them, until or unless there is an unequivocal reason to change (with a major breach being a big one).

"I don't think that there's any new competitors. Our market is competitive and always been competitive."

See above.

In response to a question about the future of network security, cloud etc:

"...some of that around mobility and data security, these are definitely areas we're working on and this is an area that will show some nice innovation during the rest of the year. So this is clearly an area that we are working on. "

On the 'Threat Emulation' system... This is a bit long, but worth reading:

"Threat Emulation is an exciting blade, which addresses a very fast-growing segment of the marketplace. "
"We just announced it a few weeks ago, and very, very new. In terms of how our solution is different. First, I think our immediate competitors don't have something comparable to that, and I think the unique value that we provide in the Threat Emulation space is the fact that it's all integrated into one system and the fact that we actually have prevention. If you look at many other emulation kind of solutions, they analyze the files pretty much offline, and if there is a threat found, then manually, someone had to go and look for the file. What we have is a realtime in-line system. You get an e-mail. If the e-mail is unknown, if the e-mail is not recognized... we'll take that e-mail, send it to the Threat Emulation engine. The Threat Emulation engine, by the way, can be a cloud service that we provide or it can be an appliance that a large enterprise would like to install locally. It runs the document in the sandbox, looks for the different behaviors, and then it either tells the main system, pass the e-mail, nothing was found, or it tells the e-mail something was found, stop the e-mail, don't transfer that. And that's a very, very powerful thing. Again, none of the other competitors has a realtime system like that."

This is definitely a part of the market that every major security vendor wants to be in.  The rapid growth of the segment (which didn't really exist just a few years ago), and the success of companies and products such as FireEye, RSA NetWitness, Solera, Sourcefire FireAMP and more, makes the only real decision for companies like Checkpoint, McAfee, Cisco and Symantec: Build or Buy?

Fortinet

http://seekingalpha.com/article/1387761-fortinet-management-discusses-q1-2013-results-earnings-call-transcript

"...we did not see a major change in the competitive environment and no significant deals were lost to competitors."

See comment in Checkpoint analysis about the nature of the competitive environment.  Yes, it's crowded.  Yes, it's competitive.  But that doesn't mean a huge amount of business isn't being locked up without too much competitive conflict.

"So we believe the security industry remain healthy, though growing at a slower rate than what was previously estimated. On average, research firm have the growth rate of now secured to be somewhere between 6% to 10% year-over-year"

A good stat to baseline growth against.  

"Fortinet hold more certifications than any other security vendor"

I have no idea how to test/validate this, so I'll accept it as is.  An impressive statement given their relative youth in the market.

"On the innovation front, we introduced a new product that strengthen our advantage across our core market. This includes a new FortiGuard cloud-based sandboxing and IP reputation service, designed to help protect against advanced persistent threats. Using behavioral attributes to detect malware by executing them within a virtual environment."

See above commentary re: Checkpoint's Threat Emulation system.  I'm actually not sure who was first into this market, and it's too early to say who is best, but regardless, expect it to feel like Attack of the Clones in the next 12-24 months.

"we also continued to invest in sales headcount and marketing activities to support long-term growth"

See Symantec.  There are going to be a bunch of sales managers available pretty soon.

"Q1 billings were $148.5 million during the first quarter, an increase of $11.5 million or 8% year-over-year."

That's a bit healthier.  Nicely done.

"EMEA billings grew 8% despite the continued macro uncertainty there. And APAC grew very nicely at 25% with good traction in Japan, Southeast Asia and India."

Wow.  25% is indeed a very healthy growth rate.  Not sure what the base was, but shows there is still a pretty significant unsatisfied market need.

"In the Americas, we won a 7-figure deal with a large U.S. based wireless carrier where we replaced Palo Alto Networks. We were selected because of our superior reliability, scalability and overall firewall performance."
"[on a different deal]...we beat out Check Point, Juniper, Palo Alto Networks and Cisco in this deal, based again on performance and breadth of functionality we offer..."
"[on a different deal]...we beat Cisco, Check Point, McAfee and Blue Coat in this deal..."

These statements are interesting because Symantec and Checkpoint seemed to not really want to name or discuss competitors at all.  Whereas Fortinet just get straight into competitor-smack-down.  As Robbie Williams says, "sing when you're winning."

"give you some color"

This one was everywhere.  Seven appearances in the transcript, and they weren't talking about the flashing lights on the firewalls.   I read it in the Checkpoint discussion too (3 appearances) and Symantec (2 appearances).  Sounds like the latest buzzword.  Excellent.  It seems that "can you give us some color about..." basically means "can you give us some detail about..."  But the people who say the former, rather than the latter, I assume get well rewarded for their command of management linguistics.  Is it just a coincidence that the more the word 'color' is thrown about, the higher the company's year-to-year growth?  

"In terms of the strategy, I think the strategy is pretty obvious. Look, the product is advantaged in one particular context, and that is, it can do more with higher performance, far more reliable, far more scalable."

Great clarity.  You don't get that a lot.

Extrapolating the US penetration testing market size

One of the questions I have had a bit following on from my analysis of the Australian penetration testing market, is the implied size of the global penetration testing market.  Or at least, the size of the US penetration testing market, on the assumption that it is going to be the largest.  With a few minutes to spare, I thought I would try to kludge together a number that at least seems plausible given the (admittedly very few) external reference points available.

IBIS World released a research report in August 2012 (the "IT Security Consulting in the US Market Research Report") which provides a couple of free snippets of data - a revenue figure of $5 Billion, and, interestingly, the statement that "there are no companies with a dominant market share in this industry" - which is exactly the conclusion I came to when looking at the Australian penetration testing market.

So there's our first data point:  The US IT Security Consulting Market (2012) is estimated at $5 Billion.  

Global Industry Analysts, Inc have estimated the 2013 global information security products & services market at $104 Billion, and RNCOS has estimated the global IT security market at $96 Billion (both figures from this interesting analysis of the Turkish IT security market).  Not wildly dissimilar numbers which is always a nice start.  A PricewaterhouseCoopers report in 2011 apparently put the estimated market size at $60 Billion, so a bit smaller, but with forecast growth, probably closer to a $75 Billion estimate by 2013.  Gartner has put the global market at $55 Billion in 2011 with a forecast growth path that would imply something like $67 Billion for 2013. 

The US is estimated to make up close to half of all cyber-security spending globally.  Which seems quite plausible when one considers the size of both defence-led Government cyber-security expenditure, and also the size of the economy.  That would put the US cyber-security market into the vicinity of $35-45 Billion for 2013.

One potentially useful stat we can gather from the above, is that IT security consulting, is ~10-15% of the overall IT security market size.

So how do Australia's numbers compare?

This fairly old data set from 2009 has Gartner estimating the Australian IT security market size being about $250 Million.  Let's add on 20% year-on-year growth since then, and we're at $500 Million-ish today.  Given my previous analysis of the Australian penetration testing market put it at $200-300 Million on its own, I think this is a pretty low estimate.  A 2008 estimate by IDC forecast the market would hit $1.5 Billion by 2011, which actually sounds a bit more workable.

If this is correct, and if my previous penetration testing market estimates are plausible, then at a macro level, organisations are spending 10-20% of their security budget on penetration testing and vulnerability assessment.  This feels a bit high (probably reflecting the fact that less is being spent than the bottom-up estimate of penetration testing expenditure would suggest), and also seems not to match with the US estimate of 10-15% of IT security spend going to consulting.  Given this would contain a great deal of 'non-penetration testing' consulting services, for penetration testing alone, let's go with something closer to 5% to be a bit more conservative.

So as rubbery as these data sets may be, they would suggest that the US penetration testing market is in the $1.5 - 3 Billion range... Which makes it 8-10 times the size of the Australian market, which, given that the US economy (GDP $15.094 Trillion) is larger than the Australian economy (GDP $1.37 Trillion) by an even greater multiple than that, would seem to make sense.

And just to recap my favourite point once again... "there are no companies with a dominant market share in the [IT security consulting] industry".  As I said at the end of the Australian analysis, this is a great market to be a part of; and on a global scale that is no different.

Crowdsourcing & the Prisoner's Dilemma

One of the common questions that gets raised in the crowdsourced testing process (eg Bugcrowd) is how it's possible to manage the risk of a tester identifying vulnerabilities, then disclosing them or selling them or using them, outside the parameters of the officially sanctioned test.

While it is presenting an alternative to penetration testing in many cases, it is somewhat more useful to consider the model in the context of the bug bounty programs run by companies like Google.  

The reason for the distinction is that bug bounty programs are aimed at achieving two related, but distinct, goals:

  1. To have vulnerabilities that would have been identified anyway (ie through unauthorised testing, or through incidental testing for a third party), be responsibly disclosed; and
  2. To have additional vulnerabilities identified by encouraging additional testing, and corresponding responsible disclosure.

That first group is often not considered as a goal of a penetration test - the likelihood that any system of interest is constantly being subject to security analysis by Internet-based users with varying shades of grey- or black- hats, seems often to be overlooked.  

With the risk of stating the obvious, the reality is that every vulnerability in a given system, is already in that system.  Identifying vulnerabilities in a system does not create those weaknesses - but it is true that it may increase the risk associated with that vulnerability as it transitions from being 'unknown' to being 'known' - depending on who knows it.  

To use Donald Rumsfeld's categorisation, we could consider the three groups as follows:

  1. Known Knowns: Vulnerabilities we know exist and are known in the outside world (publicly disclosed or identified through compromise);
  2. Known Unknowns: Vulnerabilities that we know exist, and are unsure if they are known in the outside world (either identified by us; or privately disclosed to us);
  3. Unknown Unknowns: Vulnerabilities that we don't know exist, and are unsure if they are known in the outside world (which is the state of most systems, most of the time).

What crowdsourcing seeks to do, is to reduce the size of the 'unknown unknown' vulnerability population, by moving more of them to the 'known unknown' population so that companies can manage them.  The threat of a 'known unknown' is significantly lower than the threat of an 'unknown unknown'.

Which brings us to the risk that a vulnerability identified through a crowdsourced test, is not reported, and hence remains an 'unknown unknown' to us.  The risk of non-disclosure of vulnerabilities identified through a crowdsourced test is effectively mitigated by game theory - it is somewhat similar to the classic 'Prisoner's Dilemma'.

The Prisoner's Dilemma is a classic of game theory, demonstrating why individuals may not cooperate, even if it is in their best interests to do so.  The Dilemma goes like this:

"Two members of a criminal gang are arrested and imprisoned. Each prisoner is in solitary confinement with no means of speaking to or exchanging messages with the other. The police admit they don't have enough evidence to convict the pair on the principal charge. They plan to sentence both to a year in prison on a lesser charge. Simultaneously, the police offer each prisoner a Faustian bargain. If he testifies against his partner, he will go free while the partner will get three years in prison on the main charge. Oh, yes, there is a catch ... If both prisoners testify against each other, both will be sentenced to two years in jail."

Effectively, the options are as presented in this table:

prisonersdilemma.png

The beauty of the dilemma, is that as they cannot communicate, each prisoner must evaluate their own actions without knowing the actions of the other.  And for each prisoner, they get a better outcome by betraying the other prisoner.  For Prisoner A looking at his options, if Prisoner B keeps quiet, Prisoner A has the choice of 1 year in jail (if he also keeps quiet) or no jail time at all (if he testifies against Prisoner B). Hence, testifying gives a better outcome.  And if Prisoner B testifies against him, Prisoner A has the choice of 3 years in jail (if he keeps quiet) or 2 years in jail (if he also testifies)... again, testifying gives a better outcome.

Hence, economically rational prisoners will not cooperate, and both prisoners will serve 2 years in prison, despite that appearing to be a sub-optimal outcome.

What does this have to do with crowdsourcing?

In crowdsourcing there are obviously far more than 2 participants; but the decision table we are interested in, is as it is relevant to any particular tester.  The situation they face is this:

crowdtest2.png

Essentially, each tester only knows the vulnerabilities they have identified.  They do not know who else is testing, or what those other testers have discovered.

Only the first tester to report a vulnerability gets rewarded.

Any tester seeking to 'hold' an identified vulnerability for future sale/exploitation (as opposed to payment via the bounty system) has to be confident that the vulnerability was not identified by anyone else during the test, since otherwise they are likely to end up with nothing - the vulnerability gets patched, plus they don't get any reward.  

Since Bugcrowd tests to date have had large numbers of participants, and have found that over 95% of vulnerabilities are reported by more than one tester, this is a risk that will rarely pay off.

As a result, economically rational testers will disclose the vulnerabilities they find, as quickly as possible.  

For organisations getting tested, cliched as it is, the crowd truly does provide safety in numbers.

Disclaimer: I'm an Advisor to Bugcrowd.  

Penetration testing market analysis: where is all the revenue?

I was recently sitting at the Australian Technology Park having a cup of coffee with Casey Ellis, co-founder of Bugcrowd, chatting about upcoming investor presentations.  We worked our way on to market sizing, and found that we had both had the same experience when attempting to do a 'bottom up' sizing of the penetration testing market in Australia.  The problem that we both came across, was that even using fairly conservative numbers as to the amount companies are spending on penetration testing, the amount of theoretical penetration testing revenue sloshing about in the market simply does not align with the revenue of the service providers in this space, or simply with the number of testers providing these services.

[Incidentally, I had brief flashbacks to my case-study interviews with strategy consulting firms before I started SIFT... where I had awesome questions like: 

  • "Estimate the size of the market for salmon in the United Kingdom"; and
  • "Estimate the number of PCs imported to Australia each year".]

Back to the penetration testing market... 

Let's start with the big guys.

ASX 20

Of the ASX20, which includes companies in financial services, materials/mining, energy, consumer staples, telecommunications and healthcare, my back-of-the-envelope estimates would suggest that the biggest spenders would spend about $4 million annually on penetration testing, and the lowest spenders would spend about $100K annually.  Putting together the expenditure of the whole group, I estimate it works out at pretty close to a neat $20 million across the 20 companies.

And of course, the ASX20 is - as its name suggests - just the 20 largest companies by market capitalisation on the ASX.  There are a total of 2,157 companies listed on the ASX (when I downloaded the list a moment ago), all of whom you could argue have some degree of obligation to their shareholders to ensure the security of their data and systems, with penetration testing being a pretty common response to that obligation.  For argument's sake, let's say less than half of them do anything, so 1,000 companies.  And let's assume that averaged across that many organisations, the average spend on penetration testing is $50K per annum.  That's another $50 million into the annual penetration testing market.

Let's look at some other big-spending sectors where some reasonably neat figures are available (about the size of the sector; if not the amount spent):

Financial Services

I'd estimate that about 60-70% of the ASX20 spend is coming from the financial services companies in the group who were some of the earliest adopters of penetration testing as a service, and continue to be the 'anchor tenant' for the industry.

According to APRA, at the end of 2012, there were 19 Australian banks, 8 foreign subsidiary banks, and 40 branches of foreign banks.  On top of these, there were 91 credit unions and 9 building societies.  There are also a handful of 'miscellaneous' companies like payments clearing, 'specialist credit card institutions' and 'purchased payments facilities' who are also significant market participants.

So that's an extra 170-ish financial services companies who are probably getting penetration testing completed to a greater or lesser extent.  Even if we rule out the 'branches of foreign banks' (as many of them will have their penetration testing managed by the global head office and hence delivered from overseas), we've still got about 130.  Chop out the group already counted in the ASX20, and we've got about 125.  Now let's be super-conservative and say that they will spend only 10% of the amount that the larger companies will spend; or a meager $100K per institution.  That's another $12.5 million into the annual penetration testing market.

Take a moment to consider that according to the Australian Bureau of Statistics, at the end of the 2010-11 year, there were over 164,000 businesses in Australia classified as 'financial and insurance services'.  In the calculations above we covered about 200 of them; admittedly the biggest, but it still leaves a vast number who have data to protect, and some of whom certainly have some penetration testing done.  (If just 2% of them spend just $5K each, that's another $15 million into the budget).

Government

Federal, State and even Local Government are covered by a range of policies explicitly requiring independent penetration testing.  One of the most succinct is that of the Victorian Government - SEC STD: Penetration testing which states that:

vicgov.png

According to vic.gov.au's Contacts & Services directory, there are 521 distinct entities within the Victorian Government, for which 259 unique URLs are provided.  For example, the letter 'A'...  

vicdepts.png

As per policy, each of these needs at least annual independent penetration testing.  Let's use our average across the set (covering both infrastructure and applications) of just $20K per annum.  That gives us about another $6 million for our penetration testing budget.

To avoid the pain of digging out the numbers for all the other states and territories, let's make a broad assumption that all the other state and territory governments added together, sum to three times the size of Victoria's, in terms of Internet-facing infrastructure (which given it includes NSW & QLD, plus the rest, seems reasonable).  Let's also assume that they have a similar intent to test everything annually.  So that's another $18 million to the budget.  That number feels high, so let's include all local government, councils etc across the country as well in that figure.

And of course there is also Federal Government.  It's possible to download a list of all registered contracts with keywords like 'penetration testing' or 'security testing' at https://www.tenders.gov.au/?event=public.CN.search, but these lists are woefully incomplete when trying to get a picture of the size of the market.  The Federal Government side of things is also somewhat obscured by the fact that at least some of the vulnerability assessment and penetration testing completed is performed by the Defence Signals Directorate (DSD).  Rather than tie myself in knots trying to work it through, I'll take a short-cut and assume it's the same as Victoria: $6 million annually, across all government agencies including the Defence Department.

E-Commerce / Payments

The Payment Card Industry Data Security Standard (PCI DSS) requires penetration testing to be completed at least annually for in-scope systems and organisations. 

There are approximately 200,000 websites in the .au domain space with 'shopping cart' functions.  Many of those will be using PCI compliant externally-hosted shopping carts so probably don't get penetration testing completed themselves.  But let's say just 10% of e-commerce websites with 'shopping cart' functions get penetration tested each year.  That's 20,000 websites.  Most of these are probably pretty small, so let's say they are just $10K penetration tests.  That's another $20 million in the budget.

We'll assume that the vast number of companies covered by PCI DSS, but who don't have a distinct 'shopping cart' function so aren't included in the figures above, are covered elsewhere in one of the figures we've already looked at.

Education 

There are 44 universities in Australia, and another half-a-dozen miscellaneous self-accrediting higher education institutions (ie theological colleges, maritime college etc), giving us a nice neat 50.

There are then at least another 100 state and territory accredited educational organisations, plus TAFEs and the like.  There are thousands of schools.

Given universities'... errr... 'creative' student population, they have a bigger need than most of the others here.  Let's assume $100K per annum for the universities, which is $5 million in total to the budget.

For the thousands of schools, TAFEs, and other miscellaneous bodies, it's hard to know where to start, so let's just allocate the entire sector $25 million and be done with it.  If there are 5,000 schools across the country that's only $5K of testing per school, so pretty conservative, although I'm cognisant of the fact that far-flung country-shed classrooms are unlikely to be having this testing done.

Information & Communications Technology (inc Software)

One of the larger consumers of penetration testing services is the broad and large ICT industry - and in this I also include companies developing software for sale to others, who therefore have a requirement for security assurance of that product prior to taking it to market.  It is also the fourth largest industry sector contributing to Australian GDP and employs 291,000 people in Australia. According to the Australian Bureau of Statistics, at the end of the 2010-11 year, there were 18,854 businesses operating in the Information, Media & Technology classification.

Let's just say 1% of these companies spend $100K annually on penetration testing.  That's close enough to another $20 million.

The rest

And we haven't even touched industry sectors like healthcare, resources (in the midst of all the 'China APT' news), legal, accounting, professional services, let alone the hundreds of thousands of small and medium sized businesses in this country, at least some of whom are spending some money on penetration testing.  

Adding it all up

So using this logic, there's a spend of something like $200-300 million on penetration testing, annually, in Australia.  Given the massive slabs of Australian business that are not covered in the figures above, even with the odd wayward assumption or double counting here and there, it seems reasonable.

And this is where the trouble starts.  Where is it going?

Many jurisdictions have bodies similar to the ACCC who are responsible for monitoring the misuse of market power.  In some of these jurisdictions, they have put numbers to what 'substantial market power' means, and a 'minimum' threshold for considering a company to have an influential market position.  The best figures I could find are from Hong Kong, who discuss using 40% as an indicator of 'substantial market power', and 25% as the 'minimum' threshold before being particularly interested in a company's market position.  Working with these:

  • Taking the 40% figure, we'd be looking for a company with $80-120 million in penetration testing revenue, annually, in Australia.  They don't exist.  No big deal, it just means we don't have a company with 'substantial market power'.
  • Taking the 25% figure, we'd be looking for a company with $50-75 million in penetration testing revenue, annually, in Australia.  They still don't exist.  So we don't have any real competition concerns in the market, which is healthy.
  • For argument's sake, let's take a 10% figure, so we'd be looking for a company with $20-30 million in penetration testing revenue, annually, in Australia.  I'm still doubtful any service provider in Australia operates at that level.

If I'm right, and there is not a single company in Australia with 10% of the penetration testing market, who is delivering all these penetration tests?  Or is it that the numbers above are fundamentally incorrect because organisations just don't do as much penetration testing as they should (under policy, regulation, best practice etc)?

Let's take another angle on this.  Using $200 million as the market size, and a pretty standard average consulting rate of $1,500/day, there are about 133,333 days' worth of consulting-level penetration testing to be delivered each year, which would require about 610 full-time penetration testers in service provider organisations.  They aren't there either.

One thing I am confident of is that there is also an extremely long tail when it comes to suppliers of these services.  That is, there is a very large set of companies who each provide a very low portion of the services overall consumed in the market.  A great many miscellaneous ICT service providers (of which as per above there are many thousands) provide security related services such as penetration testing to their existing client base, with varying levels of quality.  Because of the large numbers, if 1,000 of these companies provide $100K of penetration testing services each, that could make up $100 million of the market total.

Another interesting question is how big the market would be if everyone was following 'best practice'.  At present, there is far from anything like consistency when it comes to the amount that organisations are spending on IT security, let alone on a sub-set of the topic such as penetration testing.  Near-identical banks can quite plausibly be spending amounts on penetration testing that are out by a factor of 10.  Where one bank spends $2 million; another spends $200,000.  There are also a great many companies - including those no doubt in lists like the ASX 200 - who simply do not have penetration testing completed at any meaningful level.

If all Government agencies were following policies and had every system tested annually; and all PCI-relevant organisations had penetration testing completed annually; and all ICT companies had their software and hardware tested before releasing it to market... etc, then the figures above could easily double to $500 million plus, annually.

So we have a $200-300 million market (much of which is probably only now coming to market for the first time), with a half-billion dollar opportunity, with no company in a position of market dominance, and an under-supply of qualified penetration testers to deliver the services.

Pretty compelling.  Want to buy a penetration testing company?  Call me.

Why cyber-security capability in Australia is hot right now

In short, cyber-security is growing; and Australia is growing.  To provide a bit more data and analysis to back this up, I'll present a couple of current and topical reference points.

For 'exhibit A' I would point to the Ultra Electronics preliminary results presentation released at the start of March 2013.  For those who don't know of Ultra Electronics, they are a UK-listed defence, security, transport and energy company with operations around the world.  According to their website, they have "twenty-five businesses, which deliver over one hundred distinct market niches", which makes it interesting to look at which parts of their business they see as growing, and which geographies they see growth in.

In their preliminary results presentation, Ultra includes a list of "regions where we see growth", as follows:

  • Australia
  • Brazil
  • China
  • India
  • Indonesia
  • Libya
  • Middle East
  • Turkey

Australia is obviously well positioned in that group of countries due to its political stability, strong legal framework, similar business environment, and strong positive relationship between the government and the governments of the countries-of-origin of the majority of the serial acquirers in the cyber-security space (US, UK, Japan, and others).

This is solidly confirmed by the 'Ease of Doing Business' rankings put together by the International Finance Corporation / World Bank.  Australia comes 10th (out of 185 ranked countries).  By comparison, the other countries in that list come 130th (Brazil), 91st (China), 132nd (India), 128th (Indonesia), 71st (Turkey), and 22nd (Saudi Arabia, the highest ranked Middle East country).  Libya is unranked.

Ultra also includes details in their preliminary results presentation of positive service-line revenue drivers, as follows: 

  • Anti-Submarine Warfare
  • Cybersecurity generally and ECU specifically
  • Airport IT
  • Power management and
  • Nuclear energy

So two out of the five are IT related; and cyber-security is acknowledged as being a positive revenue driver in its own right.  

Putting the two things together, the cyber-security market in Australia is a growing business area, in arguably the 'easiest' of the identified growth economies to do business in.  This alignment is rare and valuable.

For 'exhibit B', I refer to the article with a lead-in on the front-page of the Australian Financial Review today, 27th March 2013, titled 'Telstra’s cyber security strategy for growth'. The article references Telstra COO Brendan Riley as saying that "...Telstra had begun bolstering its local team of cyber security experts as a major selling point for its $1.3 billion cloud computing and network services business."

This is relevant from two different perspectives.

Firstly it provides a clear indication of the need to have a visible cyber-security strategy for any large ICT service provider.  From a market positioning perspective, large ICT providers cannot be seen to be ignoring the importance of cyber-security as a future driver of growth.

Secondly, it provides an indicator of the need for cyber-security operations within companies such as Telstra, not for the purpose of providing stand-alone cyber-security services, but rather as part of a broader 'secure IT' push.  It is not enough for a company such as Telstra to have a cyber-security division providing these services; the market is now expecting every service provided by Telstra to have a rigorous level of security applied as part of business-as-usual.  Such an approach significantly changes the scale of the resourcing challenge these organisations will have.

When discussing resourcing and recruitment challenges, the must-read report continues to be 'A Human Capital Crisis in Cybersecurity: Technical Proficiency Matters' (http://csis.org/files/publication/101111_Evans_HumanCapital_Web.pdf), released by the CSIS Commission on Cybersecurity for the 44th Presidency (USA), in November 2010, which discusses in depth the shortage of both quality and quantity in the cyber-security personnel marketplace.  

As the CSIS Commission Report so eloquently puts it:

"cybersecurity is similar to 19th century medicine - a growing field dealing with real threats with lots of self-taught practitioners, only some of whom know what they are doing."

In such an environment the value of proven cyber-security teams - who know what they are doing - is clear. And the market peak for cyber-security is a long way off, as 'IT Security' is replaced by 'Secure IT', significantly magnifying both the market size and the market need.