Gartner has predicted that worldwide information security spending will reach $86.4 billion in 2017, a seven percent growth over the year. Spending is expected to increase to $93 billion in 2018.
The fastest growing sector is security services, especially in IT outsourcing, consulting and implementation services. The only area where growth is likely to slow down is hardware support services, which are becoming less necessary with the continuing adoption of virtual appliances, public cloud and Security as a Service (SaaS) solutions.
Much of the growth is thus expected to come from upgrading the IT infrastructure to a perceived more secure posture rather than from simply buying additional security products.
“Improving security is not just about spending on new technologies,” said Sid Deshpande, principal research analyst at Gartner. “As seen in the recent spate of global security incidents, doing the basics right has never been more important. Organizations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening,” he said.
Faster growth is likely to come from the security testing market, particularly in relation to application security testing as part of DevOps. This is no surprise to RJ Gazarek, Product Manager at Thycotic. “Thycotic research on DevOps security practices,” he told SecurityWeek, “has shown that more than 60% of DevOps organizations are not managing credentials in scripts in any way. This is a major security problem that needs to be addressed immediately, especially as more breaches are making the news, and people realize that the way into an organization is to find the department with the weakest security practice and get to work infiltrating.”
Neither the growth nor the areas of growth surprise Nathan Wenzler, chief security strategist at AsTech. “If we watch how the trend of attacks has gone over the past several years, we see more and more criminals moving away from targeting servers and workstations, and toward applications and people,” he explained.
“As an industry, we’ve gotten better and better about protecting devices; but now the focus has to turn to other assets, and thus, the increase in spending Gartner is forecasting in DevOps and services. Essentially, wherever the criminals go, corporate spending is soon to follow,” Wenzler said.
There is, however, one area in which Gartner sees actual product growth: data leak prevention (DLP). The belief is that fears over the far-reaching and severe implications of the EU General Data Protection Regulation (GDPR) are spurring, and will continue to spur, DLP purchasing through 2018.
GDPR will come into force in May 2018. From that date onward, any company anywhere in the world that handles the personal information of European citizens could be liable for a fine of up to 4% of global turnover if they do not adequately protect that data. “The EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65 percent of data loss prevention buying decisions today through 2018,” says Gartner.
Where companies already have some form of DLP in place, Gartner believes that interest is now focused on enhancing the DLP control: “specifically, integrated DLP such as data classification, data masking and data discovery.” These will all be required for GDPR compliance, both in protecting the data and being able to retrieve it for removal if required by the user concerned.
However, some security experts believe that Gartner is being too conservative in its spending growth estimates. “Gartner has taken a very conservative evaluation on information security spending that it will grow by only 7%,” Joseph Carson, chief security scientist at Thycotic, told SecurityWeek. “I believe that the actual number will be much higher given that many aggressive regulations will come into enforcement in 2018, including the EU General Data Protection Regulation (GDPR).”
“This,” he continued, “will force many companies to increase spending on information security and response to avoid becoming either victims or receiving massive financial fines for failure to protect and secure. As we have seen, Maersk reports the cost of the June cyber-attack to be in excess of $300 million. With many other companies counting the losses of both WannaCry and NotPetya, they will likely prefer to prevent these from occurring rather than clean up the mess, resulting in huge financial losses.”
But it’s not all good news for North American and European vendors. Gartner also points out that China’s recently approved cybersecurity law means that by 2020, 80% of large Chinese business security expenditure will be on locally produced products. This will be at the expense of U.S.-manufactured network security products.
In recent years, Asia/Pacific has been a dynamic market, growing by 24% in 2016. Gartner now predicts that, because of the more competitive pricing of Chinese solutions, end-user spending growth in Asia/Pacific will return to single-digit yearly growth from 2018 onward.