This analysis is by Bloomberg Intelligence Senior Industry Analyst Mandeep Singh and Bloomberg Intelligence Associate Analyst Damian Reimertz. It appeared first on the Bloomberg Terminal.
Despite the uncertain economic backdrop, security may become a larger portion of IT budgets amid growing geopolitical tension and potential use of generative AI for cyberattacks. Security has always been a non-discretionary portion of such budgets, typically making up 5-10%, yet we believe more spending on cloud security is essential for companies to protect against sophisticated breaches.
Shifting to cloud software from appliances
Public cloud is projected to grow the most in the 2022 $96 billion security products market and might increase its overall share to 67% in 2027 from 56% in 2022 amid the shift to the cloud. Appliances remain a major portion of overall network security sales, where cloud penetration is only about 22%. That’s in stark contrast to identity and access management, at 61% of sales. Identity doesn’t have any appliance revenue and is deployed using cloud and on-premise software.
The inefficacy of signature-based antivirus software for protecting PCs and mobile devices resulted in a faster shift to cloud on the endpoint-security side, where incumbents Broadcom and Trellix (merger of McAfee Enterprise and FireEye after its Mandiant spinoff) continue to lose market share to cloud companies such as CrowdStrike and SentinelOne.
Cloud penetration still in early stages
The adoption of cloud software in large security segments such as firewalls is still in early stages relative to other large market segments like enterprise resource management (ERM) and customer relationship management (CRM). We believe the pandemic and its resultant increase in remote work have accelerated the migration of workloads to the public cloud, which in turn has created an inflection in the adoption of cloud-security products.
The CRM software market is the farthest along, with about 80% cloud penetration. In contrast, network security remains largely deployed via appliances and on-premise software.
Remote work spurs step-up in cloud security
Though security software and services is a much smaller addressable market compared with infrastructure and application software, an increase in ransomware and other sophisticated cyberattacks, coupled with the accelerated migration of workloads to public cloud, has been a tailwind to security spending. We believe overall security spending, including services, could reach over $290 billion by 2026, consistent with IDC, as cloud-security adoption is aided by rising allocations in non-discretionary IT budgets as well as the displacements of legacy, on-premise products.
If the pace of migration to the public cloud, spurred by the pandemic, continues, cloud security as a percentage of overall revenue may reach at least 50% across all markets. This includes firewall, which has the lowest rates of adoption within network security.
Disrupting share leaders in security
The shift to cloud-based security software may create new market leaders that supplant incumbent providers such as Cisco, Broadcom (Symantec), Trellix, Palo Alto Networks, Check Point and Fortinet. Those companies could see sales cannibalization for their appliances and on-premise software amid their pivots to cloud products. CrowdStrike stands out among pure-play cloud-security providers and recently surpassed $2.7 billion in annual recurring revenue (ARR), with good visibility for its fiscal 2026 target of $5 billion due to its expanding suite of products.
No security company has more than $10 billion in annual sales, unlike other infrastructure and application software segments, where hyperscale cloud providers including Amazon.com, Microsoft, Google and Salesforce.com have run-rates of more than $30 billion.
Security could outpace IT spending by 200 Bps
Despite the uncertain macro backdrop, security might continue to become a larger portion of IT budgets, as companies seek to fend off the reputational and business risks that can be created by sophisticated cyberattacks. Security has always been a non-discretionary portion of IT budgets, typically it accounts for 5%-10% of the IT budget, but we believe more spending on cloud security will be essential for companies to protect themselves against breaches. Attacks span a wide range of areas including networks, identity, email and endpoint devices.
Security outlays might outpace the overall high-single-digit growth in system infrastructure software spending by at least 200 bps through 2027.
