The global cybersecurity market has the potential to grow to between $1.5 trillion and $2 trillion in the next few years, 10 times the size of the market today, says a recent report from McKinsey and Company.
Half of that growth potential lies in just two areas: outsourced services such as managed security service providers (MSSPs) and managed detection and response (MDR) providers, and in-house security and operations management.
Identity and access management (IAM) makes up a smaller but significant piece of the pie, with a current total addressable market (TAM) of between $50 billion and $100 billion. A new survey by Liminal finds that the reusable identity market (i.e., federated, SSO and other single-account, multiple-access solutions) by itself had a total addressable market TAM of $32.8 billion in 2022, one that will grow to $266.5 billion by 2027.
McKinsey sets no timeline to reach the $2 billion overall cybersecurity TAM, as there's no guarantee it will happen. Rather, the exponential growth of the cybersecurity market will depend on a few factors: vendors better serving small and medium-sized businesses (SMBs) with new pricing and service models; increased use of security automation to relieve chronic staff shortages; and security tools that are easier to use.
"Currently available commercial solutions do not fully meet customer demands in terms of automation, pricing, services, and other capabilities," says the McKinsey report. "As a result, the gap today between the $150 billion vended market and a fully addressable market is huge.
"At approximately 10 percent penetration of security solutions today, the total opportunity amounts to a staggering $1.5 trillion to $2.0 trillion addressable market," McKinsey adds. "Such a massive delta requires providers and investors to 'unlock' more impact with customers by better meeting the needs of underserved segments, continuously improving technology, and reducing complexity."
A startling outlier
The McKinsey report differs markedly from other recent analyses of the overall cybersecurity market. Reports from Research and Markets and Next Move Strategy Consulting, both cited in MSSP Alert, predicted the market would grow to $300 billion by 2027 and $657 billion by 2030, respectively.
More conservatively, Gartner forecasts that the cybersecurity market will grow to $267 billion by 2026. Statista sees a figure of $262 billion by 2027.
The McKinsey report's figures are an order of magnitude greater. They depend not on steady predictable growth, but on an unpredictable explosion — an explosion that can take place only if, among other factors, the cybersecurity market potential in SMBs is fully realized.
"Many cyber solutions are mispriced for SMBs," observes the report. "SMBs and midmarket companies have a smaller base of employees over which to spread cyber-tooling costs, so they face a decision: either pay a disproportionate price per employee — by a factor of three to five or more than larger companies do, depending on the tooling category — or forego some security controls entirely."
Lean, mean and within reach
One way to capture the SMB market, suggests the McKinsey report, might be to offer stripped-down, more affordable service packages that could be bundled with other business services.
"Winning companies will work with SMB-focused channel partners and optimize their marketing," the report says. "That approach could involve partnerships with small-business software providers (such as tax prep software and cloud email and storage) and with vertical SaaS providers (such as payroll management and point-of-sales services).
"In some cases, it will make sense to replatform offerings as lighter-weight SaaS-first solutions, catering to buyers already deep in the trenches of SaaS transformations in other enterprise applications and platform realms."
Many SMBs may be reluctant to spend more on cybersecurity than they already do, but McKinsey thinks that an increasing number of attacks aimed at smaller businesses, as well as a trend toward more security and privacy regulation, will force the SMBs to shell out more.
"Fortunately, the SMB segment is becoming truly addressable by cybersecurity products and services for the first time, thanks to emerging economies of scale," the report noted. "We see potential for innovation in prices and bundles, geographic coverage, target customer groups, integration, and off-the-shelf analytics."
Automation to make up for staff shortfalls
The seemingly endless shortage of skilled cybersecurity staffers will create opportunity for rapid growth in the managed-security-services sector, McKinsey forecasts. It will also spur demand for even more automation in cybersecurity tools that already incorporate security orchestration and response (SOAR) and similar processes.
"An existing global cyber-talent shortage, compounded by the intensification of digital threats like ransomware during the COVID-19 pandemic, has created further growth opportunities for service providers as CISOs and talent partners struggle to fully staff their organizations," says the McKinsey report. "So long as talent remains a problem, outsourced services will be essential for companies that need to support strong security outcomes."
Service providers should "strive to enable high-fidelity assisted intelligence that makes human analysts more efficient," the report adds. "Eventually, one human being, operating as a remote or virtual resource to serve multiple companies, will reduce the cost of MDR solutions and boost the margins of providers."
The obstacle of complexity
The goal is to make cybersecurity tools easier to use, not just for fully staffed enterprise security teams, but also for the multitasking IT specialists who handle security in many SMBs.
A constant irritation is that security tools remain overly complex and difficult to implement and use, as found in a recent survey by CyberRisk Alliance of CISOs, security managers and IT staffers who were using or considering using identity and access management (IAM) solutions.
"It can be difficult at times to find the balance between a better, streamlined user experience and a high security practice," said one survey respondent.
Among respondents who had partly or fully implemented IAM, 24% cited the complexity of their IAM solution as very challenging, and 27% said the same of the time it took to fully implement IAM. Among respondents who were considering implementing IAM, 29% cited complexity as a challenging obstacle, 32% cited the implementation timescale and 35% cited a lack of resources to support IAM.
"Who wants to spend hours in understanding a product that always requires additional expertise to handle when its objective is to provide efficiency?" complained a respondent.
For greater insight into implementation and management of IAM solutions, please consider attending the Identiverse conference in Las Vegas from May 30 through June 2, 2023.