Companies are spending more to safeguard their digital assets, but cybercrimes are still growing in frequency and severity. What's needed now isn't more security, but better security. Here's how the shift is likely to play out.
Morgan Stanley Blue Papers, a product of our Research Division, involve collaboration from analysts, economists and strategists across the globe and address long-term, structural business changes that are reshaping the fundamentals of entire economies and industries around the globe.
Given the growing severity and frequency of cyberattacks, it's no surprise that organizations of all sizes are spending more money to shore up their digital defenses. The market for cybersecurity products and services is expected to surpass $60 billion in 2016, and that figure could double by 2020.
Unfortunately, more security doesn't necessarily mean better security. In fact, the current strategy of most organizations—layering on many different technologies—is not only proving ineffective, it is overly complex and expensive. “The status quo is not sustainable," says Keith Weiss, head of U.S. software coverage for Morgan Stanley. Even as companies spend more on security, losses related to cybercrime have nearly doubled in the last five years.
What's needed, say security experts, is a new paradigm.
A recent Morgan Stanley Blue Paper, “Cybersecurity: Rethinking Security," examines why and how digital security could evolve in the next several years—and what these changes mean for investors.
“We think the security software industry is reaching a tipping point of maturity, where we will see a faster pace of consolidation than we've seen in the past," says Weiss.
Consolidation is a predominant theme in the next few years, to be sure. In the longer term, however, look for incremental security dollars to move from on-perimeter solutions to better security at the device level and in the cloud.
To understand the prevailing winds in cybersecurity, investors should first consider the growth of digital assets and connectivity since the turn of the century. This goes beyond financial services or eCommerce. Even the most basic brick-and-mortar businesses (think: coffee shop or restaurant) rely on digital systems to order supplies, process payments and manage their finances online. Medical records, tax data and intellectual property are vulnerable to breaches.
Meanwhile, Internet-connected industrial systems control and manage critical infrastructure, such as the national energy grid. Indeed, the U.S. government has identified cybersecurity as “one of the most serious economic and national security challenges we face as a nation;" its spending on cybersecurity is expected to reach $19 billion in the 2017 fiscal year.
While organizations reinforce their digital fortresses, many are under constant attack from increasingly sophisticated criminals. Last year saw the largest data breach ever, a doubling of the number of Zero-Day attacks, a record nine mega-breaches (more than 10 million records compromised), and yet another increase in crypto-ransomeware attacks, in which a victim's most critical files are held hostage.
For large enterprises, security breaches can result in tens of millions of dollars in losses, both direct and indirect. When small companies are hacked, the damage can be irreparable. A National Cyber Security Alliance study found that 60% of small businesses close their doors within six months of a data breach.
Further raising the stakes is the proliferation of mobile devices and the Internet of Things—everything from household appliances and medical devices to driverless cars could be vulnerable to hackers.
The most common approach to safeguarding digital assets is “defense in depth," adding more and more layers—and products—to effectively build bigger walls and patch holes in on-premise security. In an October, 2015, Morgan Stanley survey of chief information officers, most said they had bought or planned to buy more than 15 different security technologies.
While some level of redundancy is needed, this strategy is overly complex and relies largely on human judgment—at a time when security experts are in short supply—to make the distinction between real threats and false alarms. “There is a fire hose of information coming at security professionals at any given time," said one technology professional interviewed by Morgan Stanley. Another observed: “The vast majority of detection mechanisms are about finding that one critical piece of information and building on top of that information."
Technology professionals are calling for more automation and greater visibility across enterprises. They want integrated solutions that can detect and abate breaches more efficiently and cost-effectively.
For nearly a decade, niche security providers have taken market share from the largest vendors, but Morgan Stanley analysts expect this trend to reverse. “Consolidation, visibility and automation require scale," says Weiss. “As such, we believe the big will get bigger, counter to current trends of 'best-of-breed' seeing greater share."
The most likely outcome: The largest security providers will gain traction as enterprises move away from à la carte solutions to more-efficient platforms. Consolidation could result in the largest five security vendors growing their market share from 26% today to 40% within the next few years. That translates to 20% to 30% revenue growth through 2020.
That said, consolidation won't happen to the extreme. “Some security requirements are particularly unique and target different buyers," says Melissa Gorham, who covers enterprise software for Morgan Stanley. “This means several subsectors within security will likely continue to exist in the near future."
Also, larger enterprises will want to avoid putting too much into the hands of a single vendor. “Enterprises may be comfortable moving their security vendor list from 20 to 10," Gorham says, “but it's unlikely that they'll move from 20 to 1 or 2."
Even as organizations move to streamline security in the near term, the industry may see a more meaningful shift over the next 5 to 10 years, as device makers and cloud services offer more substantial security. “We see two sets of winners in this area—those well positioned to provide cloud-based security and those well positioned for security for the cloud," says Gorham.
The largest cloud vendors don't “aspire to be security companies," Weiss says. Cloud-delivered security currently represents a sliver of the market, less than $4 billion in spending. Even so, look for them to continue to enhance their security offerings to attract more customers. “By enhancing their security, cloud providers are attempting to remove a major point of friction in the enterprise sales process," Weiss adds. “Interestingly, for many companies, and most small businesses, the public cloud may provide a higher level of security than they could otherwise afford through a third-party vendor."
Similarly, semiconductor companies may soon play a bigger role in improving, automating and standardizing device-level security architecture. “We think growth in Internet of Things applications, and the massive increase in remote network access and sensitivity of associated data, will lead embedded-chip security to be applied in many more verticals," says Francois Meunier, who covers telecom equipment and semiconductors for Morgan Stanley.
So while the largest security companies are poised to benefit from industry consolidation in the near term, enterprises may shift more of their technology dollars to chip-secured devices and fortified cloud services.