Only 16 Categories for the Entire Cybersecurity Industry?
With a little effort it is possible to shoehorn 2,615 cybersecurity vendors into sixteen categories as I have done above.
I have long maintained that the cybersecurity industry is growing at a 24% compound annual growth rate (CAGR). I remember in 2003 at Gartner we pegged the total market at $2 billion, which was a big deal at the time. Then in 2013 Gartner put the industry at $84 billion or so. Yet during that period I do not recall any analyst firm predicting more than 9% growth for a year. Two billion growing to 84 billion in ten years is a 34% CAGR. The big publicly traded security vendors regularly turn in revenue growth numbers of 24-35%.
I set out to build a bottom-up model that would give me a handle on industry growth. First step, which I am getting closer and closer to every year, is to find and enumerate every vendor in every category. I expose the latest data in Security Yearbook 2021.
Vendors by Category
I use the categories listed above which include the Big Five: Network, Endpoint, Data, Identity, and GRC. Each of these categories has more than 240 vendors. Data Security has the most, 379, because the category includes so many technologies from encryption, to certificate authorities, to secure enclaves, to secure file transfer, to DRM/IRM, to secure communications.
Next comes Network Security with 376 vendors. These are all the firewalls, VPNs, IPS, secure web gateways, WAFs, netflow, and in-line devices. Even though the industry is challenged by the move to the cloud which threatens the viability of traditional security appliance vendors, there are new vendors like Perimeter 81, Netskope, Cato Networks, and Zscaler, cropping up every year.
Identity and Access Management comes next with 348 vendors. There are so many because there are so many ways to authenticate a user or device: two-factor tokens, voice and fingerprints, facial recognition, and even gait and typing patterns. Fingerprinting devices or embedding digital certificates are other ways to identify users and their computers/phones.
Of the Big Five categories Endpoint Security has the fewest vendors (240). I attribute this to the slow improvement Microsoft is making in the security of Windows and their apps. Even though every month reveals new devastating vulnerabilities in Microsoft products, they are taking security seriously and Windows Defender is eating into traditional anti-virus markets. Free is hard to compete with.
Astute readers will ask: Where is “Cloud Security?” Where is “Zero Trust?” Those are not so much categories as “approaches.”
Vendors that bill themselves as “Cloud Security” come in two flavors: they provide solutions for cloud deployments, or they deliver their service from the cloud. Examples of the first are all the workload protection, application protection, cloud security configuration management, and cloud firewalls. Examples of the second are cloud GRC platforms for managing all the reporting and documentation required for compliance, or cloud SIEMs where logs are sent to the provider’s servers instead of on-prem. Since they all fall into other categories, I have no Cloud Security category.
Zero Trust solutions fall into either Data Security, IAM or Network Security. The first use of the term Zero Trust was actually for cloud storage. It called on users not to trust their cloud storage provider to encrypt their data. Instead, encrypt it locally before uploading.
Most ZT solutions are just modern ways to deploy web single sign-on. A handful, the SASE (Secure Access Service Edge) and ZT Network Access solutions, are pure Network Security delivered through cloud proxies or micro-segmentation.
Can I derive market growth data by identifying all the vendors that make up a space? I am trying. Most analyst firms either do a top down analysis or they rely on surveys. A top-down analysis works like this: Take all the vendors that have to report their revenue because they are publicly traded. Make some assumption about what percent of their sales are security. Then assume those players have the majority of the market and apply some factor to estimate the rest of the industry.
The other way is to send a survey to all the vendors in the space and ask them outright for their revenue numbers. There are two problems with this. If you are a small analyst firm like IT-Harvest you will not get any responses. It is burdensome to respond to these surveys, especially if they are done four times a year. Only IDC, Gartner, and Forrester can command this kind of participation. The other problem is that vendors fudge the numbers. I know one vendor that would report revenue as if every sale was at list price instead of the actual price reflecting discounts.
I hope to rely on publicly available data only. So yes, quarterly reporting from public companies. But also the change in employment quarter to quarter as reflected by the number of employees listed on LinkedIn. Those numbers are hard to fudge. Sure, if you were a company of 100 employees you could generate ten new fake accounts each year to show 10% growth. But why do something that could hurt your brand or risk getting slapped down by LinkedIn for violating their terms?
I am not there yet. The first half of 2020, for instance, was unusual because practically every vendor expected a 34% decline in US GDP to result in fewer sales. They cut back on investing in new hires. Yet demand did not fall off for most security products. Why would it? The threats are only increasing. So revenue grew at most vendors while employment was static or natural turnover caused employment to fall.
My model is based on revenue per employee and needs a lot of tuning and testing before it is ready to apply to my dataset. I will be exposing the model so that customers of my market data can see the underlying assumptions.
All that said, the market is growing as fast as it ever has in my 21 years as a research analyst. I am going to continue to document that growth and all the changes every year in Security Yearbook.