CIO remains constructive on the prospects for security spending growth to outpace the broader IT market. (UBS)

How big is the cybersecurity market?
The size of the global market was close to USD 145bn in 2020. We expect the industry's average annual growth to be about 10% between 2020 and 2024 thanks to steadily higher enterprise IT spending and stronger adoption of cloud security. This should take the addressable market to USD 220bn by 2024, in our view. Cybersecurity is also one of the most defensive segments within IT; due to its importance, spending on it has continued to grow at a high-single-digit rate in recent years at a time when broader enterprise IT spending has limped along at low-single-digit rates. This has limited the earnings downside for the segment, as was seen during the tech downturn in 2020.


While this is a large market, it is highly fragmented, with ten separate market segments. We further note that unlike much of enterprise technology, each market segment is further fragmented, with no single dominant vendor. The cybersecurity market is also being upended by innovation. New business models are required to defend against ever-growing cyber complexity, resulting in the creation of new solutions. COVID-19, for instance, accelerated many digital trends like cloud, thanks to emerging trends such as work-from-home. As a result, we expect cloud security to be the fastest-growing segment, given that the penetration rate across key large segments, such as firewalls, remains relatively low. And as an average enterprise deploys more than 50 security tools, we see larger opportunities for comprehensive and cross-functional products that should eventually drive consolidation among both vendors and existing security tools. Likewise, we see potential for frontier technology to be embedded within cybersecurity to drive the development of these offerings.


Security services are the largest segment of the overall security market and include consulting, hardware support, and other services. As cloud adoption by companies of all sizes grows, cloud security has had the fastest growth rate.


As noted, we remain constructive on the prospects for security spending growth to outpace the broader IT market. Even at current levels, security spending is less than 5% of overall technology spending (excluding smartphones), based on data from Gartner. Furthermore, in the US, corporations on average spend roughly 5% of revenue on information technology, implying that they invest significantly less than 1% of revenue back into their businesses. In our view, security should continue to gain a bigger share of the IT spending wallet, given the multitude of challenges faced by chief information security officers (CISOs).


How will generative AI transform the cybersecurity market?
While we think the rise of generative AI is irreversible, its success also raises questions around compliance and cybersecurity. We are entering a new era where much more data will be created by AI (AI-generated content, or AGC for short). That is an evolution from the starting point of the platform-generated content (PGC) and the user-generated content (UGC) that followed. At the same time, generative AI can also help the industry by accelerating innovation around data management and security.


First, let’s address the security risks from the growth of generative AI. Generative AI is based on training large language models (LLMs), a process that involves huge data sets (many generative AI applications today have almost 200–500mn parameters with some exceeding 1 trillion parameters), which also means that the data risk is significant. These risks include a lack of transparency (including irrelevant sources), collection of user privacy data, exposure of proprietary data, downside from extended storage of data, and other data breaches and leaks.


The good news is that major cybersecurity vendors are accelerating innovation and are ready to tackle incremental complexity arising from generative AI. This, in our view, is another supporting driver for the industry’s near-term growth prospects.


Furthermore, generative AI, as an enabling technology, should help the cybersecurity industry drive more innovation. Generative AI can particularly help during the development process, such as the creation of synthetic data or anonymized data copies to test the robustness of cybersecurity applications. Another positive is in coding, where generative AI can not only assist with writing code but also help search existing code for app vulnerabilities and offer contextualized recommendations for remediation. For example, leading software vendor Microsoft leveraged generative AI and introduced Microsoft Security Copilot to optimize incident response, threat hunting, and security reporting for users, as well as integrated insights and information from its other applications.


That said, we see AI as a two-edged sword for cybersecurity. On one hand, AI should be a highly effective tool in defending against cyberattacks and also detecting and remediating damages from successful breaches. However, hackers have been quick to deploy AI tools in their efforts. Some AI-driven hacking efforts have been relatively simple, such as the use of AI to generate vast quantities of phishing emails, or the brute-force guessing of passwords.


Generative AI is used by bad actors in more advanced ways. Just as generative AI can be used by developers to write software code, hackers have put AI to work in developing new computer viruses or altering existing malware to be more effective. AI tools are also used to find and exploit vulnerabilities in IT infrastructure by examining vast amounts of data that may expose an overlooked risk.


In summary, generative AI may pose some risks for data privacy. But if the risks are addressed properly and the technology is leveraged for new innovation, we view the technology positively overall, and it should act as an incremental growth driver.


Main contributors: Sundeep Gantori and Kevin Dennean


Read the full report: TechGPT: Select laggard opportunities in cybersecurity, 11 October 2023.