IDC Forecasts Security Spending Will Reach $133.7B in 2022

Market research firm IDC forecasts that security spending on hardware, software, and services will reach $133.7 billion in 2022.

The security market should deliver a compound annual growth rate (CAGR) of 9.9 percent through 2022. By then, security spending will be 45 percent greater than the $92.1 billion forecast for 2018.

Security services will be both the largest ($40.2 billion in 2018) and the fastest growing category of worldwide security spending. Managed security services will be the largest segment within the services category, delivering nearly half of the category total in 2022.

Security software takes the second spot, with spending expected to total $34.4 billion in 2018. Endpoint security software will be the largest software segment throughout the forecast period. This will be followed by identity and access management software and security and vulnerability management software.

Hardware spending will be led by unified threat management solutions, followed by firewall and content management.

Banking Leads Other Industries in Security Spending

Banking will make the largest investment in security solutions, growing from $10.5 billion in 2018 to $16.0 billion in 2022. Security-related services, led by managed security services, will account for more than half of the industry’s spend throughout the forecast.

The second and third largest industries will be discrete manufacturing and federal/central government ($8.9 billion and $7.8 billion in 2018, respectively). They will follow a similar pattern with services representing roughly half of each industry’s total spending.

The industries that will see the fastest growth in security spending will be telecommunications (13.1 percent CAGR), state/local government (12.3 percent CAGR), and the resource industry (11.8 percent CAGR).

“Security remains an investment priority in every industry as companies seek to protect themselves from large-scale cyber attacks and to meet expanding regulatory requirements,” said IDC Customer Insights and Analysis Program Director Eileen Smith.

“While security services are an important part of this investment strategy, companies are also investing in the infrastructure and applications needed to meet the challenges of a steadily evolving threat environment,” she added.

The United States will be the largest market for security solutions, with total spending of $39.3 billion this year. The United Kingdom will be the second largest geographic market in 2018 at $6.1 billion. Rounding out the top five are China ($5.6 billion), Japan ($5.1 billion), and Germany ($4.6 billion).

Study Finds $250B Economic Benefit from NIST Encryption Standard

The NIST Advanced Encryption Standard (AES) has had at least a $250 billion global economic impact over the past 20 years, a new report concluded.

AES uses a cryptographic algorithm that was approved for federal government use in 2001. It has since been widely adopted by private industry.

As a result, AES protects everything from classified data and bank transactions to online shopping and social media apps.

For the report, RM Advisory Services relied on a survey of encryption users and developers of encryption hardware or software.

Search for New Encryption Standard

In 1997, NIST launched its effort to identify a new standard encryption algorithm for the federal government. It recognized that the 20-year-old Data Encryption Standard (DES) was growing vulnerable in the face of advances in cryptanalysis and computing power.

Following an open international competition, in 2000 NIST announced its proposal for the replacement standard. Rijndael, an algorithm that was submitted by two cryptographers from Belgium, Vincent Rijmen and Joan Daemen, was selected.

The unclassified, publicly disclosed encryption algorithm used in the AES standard is available royalty free, worldwide. And it is used by the US government in its FIPS standard and voluntarily by private organizations worldwide.

The development process involved the collaboration of the worldwide cryptography community. The AES program continues to create economic value by transferring know-how into the network of communications and transactions.

“AES has been tremendously successful at helping to establish trust in IT systems around the world,” said NIST’s Charles Romine. “We are pleased with how it has stood the test of time in its ability to provide security in a wide range of commercial products and public and private systems.”

CVE Program Takes Heat from Republican Lawmakers

Republican leaders of the House Energy and Commerce Committee are calling for changes to the CVE program, which provides common identifiers for known cybersecurity vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) program is sponsored by the Department of Homeland Security (DHS) under contract with MITRE.

The lawmakers want DHS to transition the CVE program from a contract-based funding model to a cost-neutral dedicated program, project, or activity line item in the department’s annual budget. In addition, they want DHS and MITRE to perform biennial reviews of the program’s stability and effectiveness.

CVE Is Critical Cyber Infrastructure

“The CVE program has become inextricably integrated with cybersecurity practices during its nearly 20-year existence. Yet the documentation produced to the Committee suggests that neither DHS nor MITRE fully recognize CVE’s status as critical cyber infrastructure,” wrote Energy and Commerce Committee Chairman Greg Walden (R-OR), Oversight and Investigations Subcommittee Chairman Gregg Harper (R-MS), Communications and Technology Subcommittee Chairman Marsha Blackburn (R-TN), and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-OH) in letters to DHS and MITRE.

“The historical practices for managing the CVE program are clearly insufficient. Barring significant improvements, they will likely lead again to challenges that have direct, negative impacts on stakeholders across society,” the lawmakers noted.

“The Committee understands and appreciates that DHS and MITRE have already undertaken reforms to try and address the issues that prompted the Committee’s initial request. However, many of these reforms target symptoms that stem from what the Committee considers to be underlying root-causes – the contract-based nature of the program and the lack of oversight – which have yet to be addressed. For DHS and MITRE to address these deep-seated issues, they will have to make significant changes to the very foundation of the CVE program.”

The committee gave DHS and MITRE until September 10 to respond to the lawmakers’ recommended changes.

DHS Falls Short in Achieving its Cybersecurity Mission, Says GAO

The Department of Homeland Security (DHS) has fallen short in fulfilling its mission to lessen cybersecurity risks on federal and private-sector computer systems and networks, judged the Government Accountability Office (GAO) in a recent report.

In particular, DHS has failed to develop metrics to measure and report on the effectiveness of its cyber risk mitigation activities or the IT security posture of the eight critical infrastructure sectors for which it is the lead federal agency, the report found.

The department’s National Cybersecurity and Communications Integration Center has failed to develop metrics and methods to evaluate its performance against statute-defined implementing principles.

Also, DHS’s National Cybersecurity Protection System had only partially met its objectives of detecting and preventing intrusions, analyzing malicious content, and sharing threat information.

The department has not identified all of its cybersecurity positions, has not assigned codes to filled and vacant positions, and has not determined critical skill requirements for those positions.

“Until DHS fully and effectively implements its cybersecurity authorities and responsibilities, the department’s ability to improve and promote the cybersecurity of federal and private-sector networks will be limited,” the GAO concluded.