Cybersecurity's $2 Trillion Potential
October 2022
As the digital economy grows, digital crime grows with it. Soaring numbers of online and mobile interactions are creating millions of attack opportunities. Many lead to data breaches that threaten both people and businesses. At the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025—a 300 percent increase from 2015 levels.¹

In the face of this cyber onslaught, organizations around the world spent around $150 billion in 2021 on cybersecurity, growing by 12.4 percent annually.² However, set against the scale of the problem, even this “security awakening” is probably insufficient. A survey of 4,000 midsized companies suggests that threat volumes will almost double from 2021 to 2022.³ According to the survey, nearly 80 percent of the observed threat groups operating in 2021, and more than 40 percent of the observed malware, had never been seen previously. These dynamics point to significant potential in an evolving market. Currently available commercial solutions do not fully meet customer demands in terms of automation, pricing, services, and other capabilities—which this article will explore in further detail. As a result, the gap today between the $150 billion vended market and a fully addressable market is huge. At approximately 10 percent penetration of security solutions today, the total opportunity amounts to a staggering $1.5 trillion to $2.0 trillion addressable market
[Exhibit 1: figure not reproduced]
¹ Steve Morgan, “2022 Cybersecurity Almanac: 100 facts, figures, predictions, and statistics,” Cybercrime Magazine, January 19, 2022.
² Growth is compounded.
³ The biggest cyber security threats coming in 2022, Coro.
New survey reveals $2 trillion market opportunity for cybersecurity technology and service providers
(Exhibit 1). This does not imply the market will reach such a size anytime soon (current growth rate is 12.4 percent annually off a base of approximately $150 billion in 2021), but rather that such a massive delta requires providers and investors to “unlock” more impact with customers by better meeting the needs of underserved segments, continuously improving technology, and reducing complexity—and the current buyer climate may pose a unique moment in time for innovation in the cybersecurity industry.

The underpenetration of cybersecurity products and services is, on the face of it, the result of the below-target adoption of cybersecurity products and services by organizations—which suggests that the budgets of many if not most chief information security officers (CISOs) are underfunded. Cybersecurity providers must meet the challenge by modernizing their capabilities and rethinking their go-to-market strategies.

To maximize the opportunity, providers must get a grip on the factors shaping the market, the segments most likely to grow, and the services customers need. Here we set out four areas likely to be the focus of such discussions: cloud technologies, pricing mechanisms, artificial intelligence, and (particularly in the midmarket) managed services. With strategic planning in these areas, and a robust approach to implementation, cybersecurity providers can make themselves more competitive and get a slice of the $2 trillion pie.

Growing cybermarket potential
Why does the cybermarket offer such significant potential right now? We see five key drivers.

More attacks targeting smaller companies
From a demand perspective, fast-growing smaller organizations are exposed to proliferating digital touchpoints and ecosystem relationships. In addition, malware such as ransomware can pose an existential threat to small and midsize businesses (SMBs) and midmarket companies in a way it often doesn’t to large enterprises. What might remain a silent breach at a larger organization is often a significant, overt disruption at a smaller one. For example, a Texas-based midsize steel structure manufacturer was forced into bankruptcy in May 2019 when ransomware permanently encrypted both its tooling and financial accounting software. Ransoms can be out of reach, while information retrieval and recovery services are timely and difficult. Moreover, the trust of customers can prove difficult to recover once a company has been breached. In fact, according to previous McKinsey research on the importance of digital trust, in the past 12 months nearly 10 percent of respondents reported stopping business with a supplier after learning of a data breach.

Midmarket entities are often targeted by criminals looking to exploit unsophisticated security tooling. These companies, for example, may miss threats such as EternalBlue, an exploit developed by the US National Security Agency and later used by WannaCry ransomware. Many smaller entities use a single-backup strategy, which can leave them susceptible to attacks from ransomware such as PureLocker.

The proliferation of ransomware attacks targeting SMBs and midmarket companies means that even those that don’t currently employ or engage a security team have a responsibility to act. Fortunately, the SMB segment is becoming truly addressable by cybersecurity products and services for the first time, thanks to emerging economies of scale.

The impetus from regulation
At least 45 states and Puerto Rico introduced or considered more than 250 bills or resolutions that deal significantly with cybersecurity.⁴ Federal initiatives include the US National Defense Authorization Act, Executive Order 14028,⁵ and the extension of the False Claims Act to include the misrepresentation of an organization’s cybersecurity program and qualifications.
⁴ Cybersecurity Legislation 2021, National Conference of State Legislatures, July 1, 2022.
⁵ Improving the Nation’s Cybersecurity: NIST’s Responsibilities, May 2021.
Based upon McKinsey’s client conversations, federal cybersecurity contracting requirements are trickling down to thousands of SMB and midmarket contractors. The US Securities and Exchange Commission (SEC) is discussing new rules on breach notifications. Compliance challenges grow more onerous as ecosystems proliferate. The Department of Defense’s Cybersecurity Maturity Model Certification (CMMC), for example, underscores the critical importance of holistic cybersecurity, much of it beyond the reach of SMBs and the midmarket unless they get help from vendors.

Rules around the world are equally stringent. The European Union’s General Data Protection Regulation, for example, may levy fines of up to 4 percent of global turnover against companies that fail to protect their customers.⁶

CISOs are as serious as ever about closing the (log) visibility gap
Moves to ramp up log processing are critical because just three years ago the average enterprise saw only 30 percent of what was happening. Finding more needles in the haystack will probably require more commitment—in particular, in areas such as AI, which can spot cyberthreats and malicious activities. For providers, AI will force a rethinking of technology and how they bring it to market.

Over the past three years, companies have boosted their share of total log volume visibility from about 30 percent to about 50 percent on average and are pushing toward 65 to 80 percent over the next three years (Exhibit 2).⁷ SMBs and the midmarket have been slightly more active than larger enterprises, and future growth in visibility use cases is predicted
Exhibit 2
Share of total log volume monitored across enterprise network by company size, %
[Chart: median and 25th percentile, shown for 3 years ago, present, and 3 years from now]
Question: What percentage of total log visibility would you estimate your security operations center SIEM (security information and event management)
⁶ An earlier version of this article incorrectly stated that the European Union’s General Data Protection Regulation may levy fines of up to 2 percent of global turnover, when 2 percent only represents the possible fine for “less severe” violations. The “most severe” violations may fine up to 4 percent of revenue.
⁷ McKinsey Cyber Market Map Survey.
to be stronger among these smaller companies. SMBs expect to widen their deployment of end point detection and response (EDR) tooling, to use single panes of glass that ingest and monitor their cloud environments, and to rely on managed-service partners (such as providers of managed detection and response services) for more sophisticated activities.

A surprising aspect of the current market landscape is the significant extent to which the slowest-moving enterprises are trailing their faster-moving peers. Bottom-quartile enterprises report lifting their log volume visibility by just 6 percent over the past three years and forecast a meager 5 percent rise in the next three. By comparison, the best performers, particularly in the SMB segment, increased their log coverage by between 25 and 35 percent in the past three years and plan to accelerate those efforts over the next three.

Talent shortages
An existing global cyber-talent shortage, compounded by the intensification of digital threats like ransomware during the COVID-19 pandemic, has created further growth opportunities for service providers as CISOs and talent partners struggle to fully staff their organizations. Structural dynamics are also boosting demand for vended solutions. As companies build out their protections, buyers increasingly expect products to come bundled with offerings that ensure both short-term services (for instance, implementation) and long-term ones (ongoing security).

The bottom line? Across all segments, forecasted changes in allocated security spending is increasing as a percentage of services between internal and third-party services. So long as talent remains a problem, outsourced services will be essential for companies that need to support strong security outcomes.

“A global cybersecurity talent shortage means that IT leaders often have little choice but to do business with third-party service partners.”

Higher levels of customer engagement
Until recently, many organizations that required cyber protection were not fully engaged with the challenges they faced. Often, they saw the cost and complexity of action as greater than the need for it. Now, with attacks becoming more frequent, the risk–benefit equation has changed. With security and privacy concerns being elevated to the C-suite across industries, geographies, and enterprises whatever their size, both providers and investors have opportunities. We see potential for innovation in prices and bundles, geographic coverage, target customer groups, integration, and service offerings and off-the-shelf analytics.

Providers can excel on four fronts
To gauge the market opportunity, McKinsey used a bottom-up model: an assessment of key players and validation against industry logic and our conversations with clients. We also surveyed 500 cybersecurity buyers and interviewed 50 market-leading vendors. The combined insights, tracked in McKinsey’s Cyber Market Map, show that spending on products and services from vendors is set to rise 13 percent annually up to 2025—a significant
uptick from 10 percent growth over the past three to five years. Key changes to previous market forecasts include not only faster growth, with services increasing much faster than products, but also a significant opportunity in the SMB segment.

For providers, the message is clear. Current market dynamics give them a chance to boost their penetration of both existing accounts and the unvended space. This growth will be spurred by an evolving threat landscape and talent shortages—a gap of at least 600,000 in the United States alone.⁸ To maximize the opportunity, we see potential for action on four fronts.

Ride the coattails of the cloud transformation
Public-cloud migrations will continue to define enterprise technology strategies for the next several years (Exhibit 3). Providers (especially product providers) should thus consider not only accommodating but also specializing in hybrid and multicloud architectures.

Where cloud providers offer cybersecurity solutions, the tooling on offer in many cases is not a comprehensive substitute for the capabilities of cybersecurity specialists—at least in the enterprise segment. Organizations that adopt multicloud strategies or maintain critical on-prem workloads will in all likelihood persistently need best-of-breed solutions. The challenges that vendors are expected to help resolve include ease of implementation, day-to-day ease of use, integration and coverage across environments, and agility and flexibility in attack environments. If information about an attack detected in one cloud provider environment is not conveyed immediately to other cloud environments, for example, that lapse would amount to a tooling failure.
Exhibit 3
[Chart: shares for public cloud, private cloud, corporate data center, and co-located/managed, shown for 3 years ago, present, and 3 years from now, in two panels]
Note: More-regulated industries include banking, insurance, government; less-regulated industries include manufacturing, software, media, and education. Figures may not sum to 100%, because of rounding.
Source: McKinsey Cyber Market Map 2022
⁸ Olivia Rockeman, “Hackers’ path eased as 600,000 US cybersecurity jobs sit empty,” Bloomberg, March 30, 2022.
In many security-related markets, characterized by large numbers of tools, entire categories of orchestration players (such as those that orchestrate security and the identity of users) have been created to simplify the combination of parallel processes. Antifraud programs, for instance, require so many different sets of tooling to manage different geographies that a new category has emerged to manage workflows. In another example, in the cloud, orchestration coordinates workflows and the deployment and management of data across multiple public and private clouds, software-as-a-service (SaaS) providers, managed data centers, and on-prem infrastructure enterprises. All of these demands for increased visibility are potential entry points for providers.

Finally, regulation also creates a cloud-related opportunity for providers. Highly regulated verticals are migrating to the cloud about four times more quickly than low-regulated verticals are. This could help unlock new markets, particularly in highly regulated Europe, and be a key differentiator for multinationals that must navigate complex cross-border data flows, local regulations and data sovereignty, and geopolitical issues that spike cyber and data risk.

Create a pricing model for the midmarket
Many cyber solutions are mispriced for SMBs. Larger organizations can pre-pay or buy in bulk to obtain volume discounts, but many SMBs and midmarket companies are less able to negotiate hard for these services. Large enterprises have an abundance of metrics, historical data, and reference points. SMBs and midmarkets, however, often lack information on how much they and others have spent. Consumption-based pricing models (for example, per gigabyte) can add flexibility but also risk: if an organization doesn’t know what good security looks like, will it burn through its budget just looking for needles in haystacks? Instead, customers increasingly reward vendors that use outcome-based or more “plannable” pricing models, such as per workload.

One cause of the pricing mismatch is simple economies of scale. SMBs and midmarket companies have a smaller base of employees over which to spread cyber-tooling costs, so they face a decision: either pay a disproportionate price per employee—by a factor of three to five or more than larger companies do, depending on the tooling category—or forgo some security controls entirely.
Better automation, AI, and machine learning
The steepest innovation curve is for developing the brains of next-gen products and managed security services. Fully autonomous intelligent cyber-defense platforms (for example, end-to-end automated SIEM/SOAR⁹ detection and response pipelines) are challenging to engineer and validate to the point where they are fully trusted by operators. Providers should therefore strive to enable high-fidelity assisted intelligence that makes human analysts more efficient, be it through leveraging advanced analytics or building tight integrations with other security platforms (Exhibit 4).

Many next-gen algorithms for AI and machine learning (ML), while not yet ready for autonomy, are getting close. Rule libraries are increasingly refreshed from open sources and built on common standards, such as YARA. Eventually, one human being, operating as a remote or virtual resource to serve multiple companies, will reduce the cost of MDR solutions and boost the margins of providers.

To reach this target state of optimized low-cost services, managed-service providers can focus on the brains of next-generation security products by concentrating innovation in areas such as data
Exhibit 4
An expanding attack surface is driving innovation in cybersecurity.
[Chart: patent growth, CAGR, % (vertical axis) against cumulative patents (horizontal axis), by segment]
Segments: A IoT/OT security; B Security operations and management; C Cloud security; D GRC/IRM; E End point security; F Web security; G Network security; H Data protection; I Application security; J Identity and access management; K Email security and awareness training
Chart annotations: “Rapidly increasing the speed of technology innovation to meet the fast-growing client demands and maintain a competitive advantage”; “Mature cybersecurity segments have slowed in terms of patent growth as they reach innovation saturation”
⁹ Security orchestration, automation, and response (SOAR) and security information and event management (SIEM).
source integration and neural/logic engines. Enhancing and building data source integrations could yield indirect revenue opportunities and widen access to larger ecosystems—for example, as part of an open extended detection and response (XDR) concept. Spreading investment in neural/logic engines across both cutting-edge AI and static rules libraries will ensure that R&D efforts are measurably productive.

Expand managed services and create a midmarket-friendly solution
Demand for full-service offerings is set to rise by as much as 10 percent annually over the next three years. Providers should thus seek to develop bundled offerings that take advantage of hot-button use cases. And they ought to focus on outcomes, not technology.

A potentially rewarding approach would be to adopt co-creative models with managed-service providers (MSPs) to build workbench solutions. This would require investments in R&D and development tooling (for example, APIs) that allow MSPs to connect your platform to theirs rather than the other way around. Partnering will make it possible to create centers of excellence, which will lead to faster implementation and more efficient operations. The resulting improvement in customer outcomes will feed into the performance metrics of providers, and a more robust service layer will create a runway to master product market fit.

Rather than the common laundry list approach, vendors should adopt a clear MSP partnership strategy. Where necessary, they should invest in building collaborative sales capabilities with their partners. (In several cyber-partner programs, 20 percent of the partnerships generate 80 percent of the partners’ revenues.) Finally, vendors must articulate industry-specific use cases with tweaks to their products’ user interfaces and user experiences, as well as potential MSP and partner channel sales and marketing.

Winning companies will work with SMB-focused channel partners and optimize their marketing. That approach could involve partnerships with small-business software providers (such as tax prep software and cloud email and storage) and with vertical SaaS providers (such as payroll management and point-of-sales services). In some cases, it will make sense to replatform offerings as lighter-weight SaaS-first solutions, catering to buyers already deep in the trenches of SaaS transformations in other enterprise applications and platform realms.

The continuing digitization of the global economy, ever-increasing numbers of cyberattacks, and regulatory pressure on companies to protect their data present cybersecurity providers with a compelling opportunity. Amid talent deficits and the desire to boost log visibility, SMBs and midmarket players in particular are focused on implementing more advanced solutions.

With billions of dollars of revenues set to flow into the market in the next three years, providers should seize the moment. That means optimizing engagement with the cloud, developing a pricing model for the midmarket, embracing innovation, and expanding managed-service offerings to create midmarket-friendly solutions. In short, it means finding productive combinations of product, price, and services that vendors can tailor to target segments and are flexible enough to scale. If the industry can meet these priorities, it can start to create the momentum that will increase its penetration across segments and put the $2 trillion prize in play.
Bharath Aiyer is an associate partner in McKinsey’s Southern California office; Jeffrey Caso is an associate partner in the
Washington, DC, office; Peter Russell is a consultant in the New York office; and Marc Sorel is a partner in the Boston office.
The authors wish to thank Hannah Chen, Bartlomiej Kazimierski, and Kevin Telford for their contributions to this article.