Date: 2022-11-08

One man's trash is another man's treasure. Cybercriminals may be making out like bandits, but at least there's an upside — for investors and entrepreneurs. The industry charged with stopping them, or at least mitigating the worst of their excesses, is growing at a healthy 12.4 percent clip annually and was worth US$150B last year.

The figures are contained in a new paper by Bharath Aiyer, Jeffrey Caso, Peter Russell, and Marc Sorel from McKinsey and Co called "New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers."

According to the authors, what they describe as the current "security awakening" is likely insufficient for the task.

"A survey of 4,000 midsized companies suggests that threat volumes will almost double from 2021 to 2022. According to the survey, nearly 80 percent of the observed threat groups operating in 2021, and more than 40 percent of the observed malware, had never been seen previously. These dynamics point to significant potential in an evolving market."

They find limitations across the board but call out particular weaknesses around automation, pricing and services, which leads them to conclude that the gap between the current capabilities of the cybersecurity sector and the total addressable market is huge.

"At approximately 10 percent penetration of security solutions today, the total opportunity amounts to a staggering $1.5 trillion to $2.0 trillion addressable market."

While current solutions for data protection, governance, risk and compliance, and identity and access management have achieved 25 percent to 35 percent market penetration, other markets are barely serviced.

Market penetration for cloud security, IoT, application security and security and operations management barely registers, with less than 5 percent market penetration in each case.

Who's to blame?

The authors note, "The underpenetration of cybersecurity products and services is, on the face of it, the result of the below-target adoption of cybersecurity products and services by organisations—which suggests that the budgets of many if not most chief information security officers (CISOs) are underfunded."

Among the key market drivers, McKinsey sees an increase in attacks targeting mid-range and smaller companies, more aggressive regulatory intervention, and more engaged customers.

"Until recently, many organisations that required cyber protection were not fully engaged with the challenges they faced. Often, they saw the cost and complexity of action as greater than the need for it. Now, with attacks becoming more frequent, the risk-benefit equation has changed."

"With security and privacy concerns being elevated to the C-suite across industries, geographies, and enterprises whatever their size, both providers and investors have opportunities," they said.