This analysis was conducted by Bloomberg Intelligence Senior Industry Analyst Mandeep Singh and Bloomberg Intelligence Associate Analyst Damian Reimertz. It first appeared on Bloomberg Terminal.
Despite the economic uncertainty, security is likely to become a bigger part of IT budgets amid political tensions and the use of artificial intelligence (AI) to launch cyberattacks. Security is always an optional part of such budgets, making up 5-10%, however we believe that spending more on cloud security is essential for companies to protect against breaches in the long term.
Switching to cloud software from electronic devices
The public cloud is expected to grow the most in the 2022 security market of $96 billion and may increase the overall share to 67% in 2027 from 56% in 2022 within the cloud. Appliances remain the largest share of all Internet security sales, with cloud penetration at around 22%. This is in stark contrast to recognition and opportunity management, at 61% of sales. Identity has no hardware costs and is implemented using cloud and on-premises software.
The inadequacy of signature-based antivirus software to protect PCs and mobile devices led to a rapid shift to the cloud on the security side, while the likes of Broadcom and Trellix (the merger of McAfee Enterprise and FireEye after its Mandiant spinoff) continue to lose market share to cloud companies like CrowdStrike and SentinelOne.
Cloud penetration is still in its infancy
The adoption of cloud software in key areas of security such as firewalls is still at an early stage compared to other key market segments such as Enterprise Resource Management (ERM) and Customer Relationship Management (CRM). We believe that this epidemic and the increasing number of remote services has contributed to the migration of many services to the public cloud, which has created a problem in the implementation of cloud security solutions.
The market for CRM software is vast, with about 80% cloud penetration. In contrast, network security is still largely implemented through hardware and on-premise software.
Working remotely allows for the security of the cloud
Although security software and services is a relatively small market to sell compared to infrastructure and application software, the rise of ransomware and other advanced cyberattacks, as well as the exodus of many services to the public cloud, has led to a reduction in security spending. We believe that total security spending, including services, will exceed $290 billion by 2026, according to IDC, as the adoption of cloud security is supported by rising allocations in non-premium IT budgets and the migration of on-premise products.
If the trend of migration to the public cloud, led by the pandemic, continues, cloud security as a percentage of total revenue may reach 50% in all markets. This includes firewalls, which have the lowest rates of installation within network security.
Disrupting sector leaders in security
The evolution of cloud-based security software could create new market leaders that will replace incumbents such as Cisco, Broadcom (Symantec), Trellix, Palo Alto Networks, Check Point and Fortinet. Those companies can see sales of their hardware and software on-premises as part of their pivots to cloud computing. CrowdStrike is a well-known cloud security provider and recently surpassed $2.7 billion in annualized revenue (ARR), with good visibility on its 2026 revenue target of $5 billion due to increased product offerings.
No security company has more than $10 billion in annual sales, unlike other parts of the software and hardware industry, while hyperscale cloud providers including Amazon.com, Microsoft, Google and Salesforce.com have valuations of more than $30 billion.
Security can exceed IT costs by 200 Bps
Despite the many challenges, security will continue to be a major part of IT budgets, as companies seek to avoid the reputational and business risks that can arise from cyber breaches. Security has always been an unwise part of IT budgets, accounting for 5%-10% of the IT budget, but we believe that more spending on cloud security will be necessary for companies to protect themselves from breaches. Attacks travel across multiple platforms including networks, identities, email and end devices.
Security issuance is likely to continue to grow at single digits for software applications below 200 bps through 2027.