Earlier this year there were various predictions - including from the CEO of information-security technology vendor FireEye - that spending on cybersecurity would slow down in 2016. I was unconvinced when I initially heard the negative predictions, and, to this day, I remain skeptical; my feelings were recently reinforced by a conversation with Steve Morgan, the CEO and Founder of research firm Cybersecurity Ventures. Morgan authored a report last month noting that cybersecurity spending in fact appears to be growing, rather than shrinking. He even predicts that spending will increase to a total of over $1 trillion over the next five years, up from $77 billion annually in 2015.

How could CEOs in the industry be so far off? Why is information security spending so hard to track and predict? Morgan and I discussed several reasons:

1. A large portion of information-security-related spending is not accounted for as being information-security related. Consider, for example, that an organization developing a software package for internal use might spend money from its development budget on technology to scan code for vulnerabilities - the expenditure, however, may never be tracked back to an information-security budget.

2. Similarly, Value Added Resellers (VARs) and consultants doing security work don't always define products and services as "security." For example, a networking project may include the purchase of security components that are simply categorized as part of the overall project. Sometimes, even when the products are attributed to a security need and budget, the associated services are not. For example, if networking consultants install and configure a firewall (not that doing so is recommended), their work may never be categorized as a security spend.

3. Smaller businesses do not report revenue to analysts, and there are many such businesses in the information-security space. It is hard to know how much smaller businesses are spending on security technology and services - especially since they often purchase from smaller cybersecurity providers. This is particularly true of services, which are often performed by individuals or local boutique consulting companies rather than national (or even regional) firms.

4. Consumer spending on information security is often impossible to track. How can analysts possibly know, for example, when, after a malware infection, someone pays a consultant to wipe and restore his or her computer or smartphone to factory settings?

5. In today's world, lawyers, accountants, insurance agents, and other professionals not directly involved in the information security profession often provide advice related to information security concerns. In some cases they bill for their time, but they rarely categorize the charge as being for information security.

6. Because information security changes so rapidly, there are many startups and younger firms displacing older firms in specific deals, areas, and markets, as well as bigger firms trying to cash in on the action. The downward pressure that FireEye felt earlier this year, for example, could come from firms like IBM and Cisco, or from any of the many startups that have entered the market in recent years.

7. Cybersecurity professionals shifting focus may divert some revenues from older, more-established firms to newer, smaller firms that are less likely to report sales figures to analysts. Older firms tend to sell products that improve on areas of security for which customers already have some solution, while many startups introduce products that address risks for which customers have no defense at all. As I discussed in an interview in Forbes, this is one of the reasons that I chose to create SecureMySocial rather than pursue various other product ideas I had contemplated. Once prospects understand that they have unaddressed risks, they may divert resources from "improvement projects" to "get something in place projects" - thereby extending sales cycles and delaying or reducing other purchases. Such actions may give older firms the impression that there is a downtrend in spending, but what is truly happening is simply a redirection of spending.

8. Some large information security providers don't break out information security revenues from their consulting revenues. Some big technology firms, for example, consider security to be a part of everything that they do, so they don't separate it into its own category.

The bottom line: it is possible, if not likely, that cybersecurity spending is growing, not shrinking, and will continue to do so for quite some time, and that any measurements of cybersecurity spending that indicate otherwise may be missing significant spending growth in areas for which proper accounting is difficult to achieve.
Published on: Jul 26, 2016
The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.