Unlocking Opportunity in the Cybersecurity Market
In this state of the industry report, systems integrators will gain insights into current cyber trends and threat vectors, plus the latest market developments, challenges and much more.
Several years ago there was much talk of the convergence of physical security and information technology. This transformation brought a host of new opportunities and risks for end users and systems integrators alike as it also meant that physical security became inextricably linked with cybersecurity.
For practitioners, opportunity now exists to penetrate the vast and growing cybersecurity market in addition to the physical security market.
Both sectors are expanding, with the cybersecurity industry totaling more than $119 billion in 2018, growing at a CAGR of 14.5% (Mordor Intelligence), while the physical security industry is valued at more than $34 billion, growing at an annualized rate of 8.5% (Memoori).
Risk for industry operators stems from the ramifications of falling behind the curve and relying on antiquated solutions to address the vulnerabilities of customers who need to embrace technology to stay competitive in an increasingly digitized world.
While opportunity abounds in the broader security industry, it is important to maintain leading-edge capabilities. The absence of growth in today’s environment could be an indicator that a security company’s product or service offering is not making the grade with customers.
Ahead, we’ll examine how the rise in Internet of Things (IoT) applications and connected devices is fueling demand for new service providers, how new legislation is impacting the marketplace and where systems integrators can make their mark with end customers. A sidebar provides an overview of the increased M&A activity during the past year.
Delivering New Value
Heightened device connectivity, expansion of IoT usage and rising Cloud migration have fueled demand for advanced cybersecurity solutions that reduce vulnerabilities and counter network attacks.
As businesses across all sectors continue to digitize IT infrastructure to drive efficiencies and deliver value to customers, cyber criminals and nation-state actors have utilized increasingly sophisticated tactics and strategies to steal mission-critical data and information.
Quite simply, as cameras, access control systems and alarms are connected to the Internet, the corresponding need for cybersecurity becomes immediate. Without proper cybersecurity, attackers may enter a company’s network via its online security system to reach company secrets, intellectual property and data.
Consequently, the ability to bring both traditional physical security and cybersecurity capabilities for customers’ benefit is becoming a requisite skillset for today’s systems integrators. These security solution providers must evolve their internal capabilities or partner with cybersecurity providers to create a compelling customer value proposition in today’s rapidly changing environment.
Those companies able to keep pace and provide more automated and better integrated security solutions can rapidly build enterprise value and command premium valuations from acquirers.
Leading providers of physical security solutions are addressing the convergence of physical security and cybersecurity. Notable examples of companies embracing this opportunity are ADT, Convergint Technologies and Converged Security Solutions.
Rise of MSSP Market
Increasing interoperability of IoT applications and connected devices has fueled demand for managed security service providers (MSSPs). With nearly 7.7 million IoT devices connected to the Internet every day, according to NetScout, there is an abundance of network vectors for bad actors to penetrate.
The prevalence of increasing cyber threats has contributed to a forecasted MSSP market value of $35 billion by 2022, according to Cyber Defense Magazine. MSSPs often offer a more cost-effective solution than building out in-house IT infrastructure support, especially for small to medium-sized businesses (SMBs).
Providers of outsourced real-time threat prevention, network and firewall protection, and data encryption can optimize operators’ digital business processes. MSSPs have fostered increasing demand among SMBs, as 29% of IT security operations were supported by MSSPs in 2018, compared to 21% in 2017, according to Ponemon Institute.
Labor market dynamics in the cybersecurity industry have also contributed towards MSSP growth, as the industry is expected to experience 3.5 million unfilled positions by 2021, according to The Herjavec Group. The shortage of available talent has caused many operators to employ MSSPs, especially smaller operators that lack the resources to hire full-time IT expertise.
Operators have increasingly allocated spending toward security awareness training to mitigate employee-induced breaches and cyber attacks. MSSPs will frequently provide security awareness training as part of their suite of services; that training market is expected to reach $10 billion by 2027, according to Cybersecurity Ventures, a leading researcher and publisher.
Partnerships with MSSPs create an opportunity for traditional security integrators to resell these services to their customers without the requisite investment in a security operations center (SOC).
Examples of some of the larger MSSPs include SecureWorks, Verizon and AT&T. Many emerging and rapidly growing companies also provide managed security services including VirtualArmour, Arctic Wolf and Proficio.
Specialized Integration Services
The digitization of operational technology (OT) among critical infrastructure and industrial operators has promoted increased automation, efficiency and data transparency. The continual convergence of IT and OT has driven advancements in industrial control systems (ICS) through the integration of data analytics and machine learning capabilities.
However, it has also broadened the penetrable vectors for cyber criminals to access ICS and supervisory control and data acquisition systems (SCADA), resulting in 60% of critical infrastructure companies reporting a breach in these networks, according to McKinsey & Co.
CYBERSECURITY M&A ACTIVITY SURPASSED $53B IN 2019
Transaction activity in the physical and cybersecurity industries underlies the strong growth rates and opportunities for the sectors independently and on a converged basis. In 2019 there were 260 announced cybersecurity transactions totaling $53.1 billion in disclosed deal value. Strategic buyers continue to comprise the majority of transactions (68.7%), while private equity buyers (31.3%) have displayed continued interest in utilizing add-on acquisitions to expand the offerings and the geographic reach of portfolio companies, which accounted for nearly 23% of total transactions.
In the physical security sector there were 182 deals in 2019, representing an increase of 27.3% vs. 2018. Strategic buyers also represented the majority of deal activity with 64.3% of total transaction volume. Private equity buyers continue to have heightened interest in buy-and-build growth strategies with add-on deals accounting for 30.4% of total transaction volume while platform investments accounted for 12.6%. Transaction volume in the sector is supported by growing initiatives toward regulatory adherence and data privacy as strategic buyers seek operators offering compliance services as one of their core competencies.
For example, in 2019 NAVEX Global, a premier ethics and compliance software and services firm, acquired leading risk management software solutions provider LockPath, which offers extensive eGRC solutions for companies of various sizes. The transaction significantly enhances NAVEX’s eGRC offerings, integrating both compliance services and risk management solutions. Compliance services providers employ highly trained professionals with requisite certifications. Examples of companies addressing the compliance market include Coalfire, SecurityMetrics, A-LIGN and CynergisTek.
Rising geopolitical tensions have contributed toward elevated cybersecurity risks among electricity, oil & gas, mining and public works operators, fostering heightened demand for robust and fully deployable OT and ICS security solutions. Industrial and critical infrastructure operators increasingly combat the challenge of improving the security of legacy OT systems that are integrated into modern IT networks.
Historically, these operators have lagged sectors such as financial services and healthcare in the share of their budgets allocated to security. In addition, the severe shortage of qualified cybersecurity professionals has stalled the efforts of OT operators (businesses dependent on ICS and other OT) to construct and improve the security of operating systems.
As a result, outsourced MSSPs that offer automated and interoperable platforms have attracted increased demand as OT operators look to build resilient operations to prevent and minimize any system disruption caused by a cyber attack.
OT operators continue to face mounting cyber attacks, with half of industry operators reporting an attack against their OT infrastructure that led to downtime in plant or operational equipment in 2019, according to Tenable.
System downtime, business disruption and revenue loss are the costliest consequences of a successful cyber attack, with the average cost of lost business for organizations across all sectors in 2019 amounting to $1.4 million, according to IBM Security.
Providers of OT and ICS security advisory and integration services are specialized and in high demand by customers in today’s market. Examples of service providers in this space include Siemens, Rockwell Automation, Honeywell and Booz Allen Hamilton.
Lowdown on Legislative Action
Rising cyber attacks on businesses and consumers have prompted lawmakers to enact legislation targeting the protection and sharing of personal data. Europe’s General Data Protection Regulation (GDPR) created a pathway for consumer privacy protections when it became law in 2018, and the newly implemented California Consumer Privacy Act (CCPA) draws several parallels to its European counterpart.
The CCPA grants California consumers the right to know what personal data is collected, the right to delete personal information held by businesses, the right to opt out of the sale of personal information, and the right to nondiscrimination in terms of price or service when exercising a privacy right.
The act is projected to protect over $12 billion worth of personal information that is used for advertising in California each year, according to Berkeley Economic Advising and Research.
Regulatory penalties regarding data breach incidents and data privacy violations have encouraged businesses across all industries to refine their cybersecurity operations.
Cyber operators providing resilient data security platforms and regulatory expertise are poised to capture increased demand as CCPA compliance costs are projected to reach up to $16.5 billion by 2030. In addition, data privacy regulations such as CCPA and GDPR have contributed toward the growth of the Enterprise Governance, Risk and Compliance (eGRC) market, which is expected to exceed $51 billion by 2024, growing at a compound annual rate of 10.3%, according to Markets and Markets.
Elsewhere, the National Governors Association (NGA) is urging the passage of legislation to provide dedicated cybersecurity grant funding for states and localities. This year, several pieces of legislation before the Congress are intended to lay the groundwork for increased funding and resources to help states develop and implement innovative cybersecurity practices, help to build resources and human capital, better detect and analyze cyber threats, as well as help to enhance partnerships among different levels of government, according to the NGA.
The NGA is calling on Congress to pass legislation this year, such as S.1065/H.R. 2130, the State Cyber Resiliency Act; S.1846, the State and Local Government Cybersecurity Act of 2019; and H.R. 5823, the State and Local Cybersecurity Improvement Act.
The NGA’s move was prompted by the steep rise of recent cyber incidents, intrusions and disruptions across the nation. As an example, the rate of ransomware incidents increased significantly in 2019 due to organizations’ existing security weaknesses and the development of increasingly sophisticated attack mechanisms specifically designed to exploit those weaknesses, according to a 2020 report by cybersecurity firm Fortified Health Security.
Titled “The State of Cybersecurity in Healthcare,” the report estimates at least 966 government agencies, educational establishments and healthcare providers were impacted by ransomware attacks last year. They estimate the potential costs to be more than $7.5 billion.
Specifically, they say 89 universities, colleges and school districts were impacted with operations at up to 1,233 individual schools potentially affected.
Now more than ever it is critical for today’s systems integrators to invest in people, process and technology to address the physical and cybersecurity needs of their customers. Those that do may be rewarded with higher growth rates, stronger margins and increasing enterprise value.
Thomas McConnell is a Managing Director of Denver-based investment banking firm Capstone Headwaters. He can be reached at (303) 951-7125.