Just a little light reading on whats going on in Oz.Large $$$$...

Just a little light reading on whats going on in Oz.
Large $$$$ On offer moving forward as the sector grows.
Heres hopeing we get the Lions share.

Australia's cyber security sector has rapidly grown in response to strong demand for its critical servicesAustralia's cyber security sector has come a long way in a short timeUsing data from AustCyber's Digital Census 2020, this chapter paints the most comprehensive picture yet of Australia's cyber security sector. Demand is growing, with Australians spending approximately $5.6 billion on cyber security in 2020 - from both local and international providers - a figure that is expected to increase to $7.6 billion by 2024. The local sector's revenue has grown by $800 million since 2017, to reach an estimated $3.6 billion this year. SMEs generate about a quarter of the cyber sector's revenue in Australia, with the rest directed to diversified professional services providers, technology integrators, mid-tier providers and defence contractors. Gross value added (GVA) of the Australian sector has been estimated for the first time in this report at $2.3 billion.The sector is made up of young cyber security providers, and a workforce that's steadily growingThere are more Australian cyber security providers and workers than ever before. In 2020, approximately 350 providers make up the domestic sector. Among this group of young companies - the average age is 8.5 years and more than 40 per cent were founded in the past five years - there are success stories of companies that have flourished, becoming internationally recognised names.The workforce has grown by 4,000 since 2016, reaching approximately 26,500 people who work for providers or staff internal security teams as businesses and government improve their cyber capabilities.A closer look at the sector reveals that it is characterised by new, innovative SMEs, with more than 88 per cent of providers having fewer than 100 employees. SMEs and larger providers specialising in systems security account for the biggest portion of Australia's cyber security market. Many of their customers are government or defence organisations.States and territories are developing their own communities to foster innovationThe sector is building its network across Australia, with clusters of innovation developing in major cities. AustCyber's National Network of Nodes will accelerate cyber capability development and innovation. Having a presence in states and territories will help to sharpen customer awareness of domestic cyber security capability and attract top talent.Initially, the impact of COVID-19 appears to have hit micro and small providers hardest, while medium-sized companies have recorded an uptick in demand as customers adapt to digital modes of working and develop go-to-market strategies. Despite the short-term disruption to some service delivery, the pandemic is likely to accelerate the long-term transformation of the economy through technology and increased demand for cyber security.Australia spent approximately $5.6 billion on cyber security in 2020, with demand expected to reach $7.6 billion by 2024Demand for cyber security is rapidly growing, with spending increasing by nine per cent each year over the past four years.There are several core drivers of demand. First, digitisation exposes businesses to more threats. Second, the overall threat environment is increasing, with several high-profile attacks - such as against NSW Government agencies, Toll Group and PayID - over the past year. Third, governments and regulators are requiring stronger security for critical infrastructure and systems of national significance.Analysis based on available market data and expert interviews suggests that Australian demand will continue to grow by eight per cent per year, reaching as high as $7.6 billion by 2024. This is a slight reduction on previous growth of nine per cent, reflecting some slowness in the market as a result of the economic conditions caused by the COVID-19 pandemic. But the growth rate is still robust, considering the broader economic recession. The impact of COVID-19 is further explored on page 24. Globally, it is expected that spending on cyber security will reach US$207 billion by 2024.1Figure 1Australia's cyber security spend, 2017-24A$, billionsNote: The spending figures for 2017-24 are higher than estimated in previous SCPs. The higher figures are based on new sources of insight and updated data. The methodology is explained in the appendix.Sources: Gartner, IBISWorld, AustCyber's Digital Census 2020, AlphaBeta analysisGrowth in spending is reflected in the local sector's revenue, which has risen by $800 million since 2017Australian cyber security revenue has grown substantially over the past four years. Between 2017 and 2020, sector revenue grew by $800 million - from $2.8 billion to $3.6 billion.These gains have been made very quickly. Sector revenue grew by an average of eight per cent each year between 2017 and 2020. By contrast, the information, media and telecommunications (IMT) sector's revenue grew by just three per cent each year over the same period.2 Australia's cyber sector revenue growth is increasing at a similar pace to overall spending on cyber security, indicating that the share of imports in the Australian market is relatively stable.As the cyber threat landscape continues to evolve, sector revenue is forecast to continue to grow at about nine per cent each year over the next four years. The sector could reach $5 billion in revenue by 2024, which is nearly double its 2017 level.Note: Australia's cyber security sector includes all cyber security activity that occurs in Australia, where the economic value is added in Australia, including by foreign-owned entities. IMT's growth rate for 2020 was estimated using historical data.Figure 2Australia's cyber security sector revenue, 2017-20A$, billionsNote: Australia's 2020 cyber security sector revenue figures and revenue growth figures are estimated using global spend data as at July 2020.Sources: Gartner, IBISWorld, Austcyber's Digital Census 2020, AlphaBeta analysisStartup success reflects sector's rapid growthAustralia is home to some of the world's fastest growing cyber security providers, many of whom have raised significant amounts of investment while expanding their operations globally.Bugcrowd is a crowdsourced security as a service provider, offering penetration testing, bug bounty programs and vulnerability disclosure to customers across a wide range of industries.The company was founded in Australia in 2012, but moved their headquarters to San Francisco for better access to venture capital, shorter time-to-market and improved network effects.Bugcrowd has raised over US$80 million in funding and investors include Paladin Capital Group, Blackbird Ventures, Rally Ventures, Costanoa Ventures, SalesForce Ventures, Triangle Peak Partners and First State Super. The company employs over 300 staff across their Australian, US and UK offices.Founded in 2015, Secure Code Warrior enables developers to build secure code rather than having to review or retrofit security during or after development. The company also provides gamified developer training and can auto correct code security errors as code is being written.SCW has raised over US$48 million in funding and investors include Paladin Capital, AirTree, Goldman Sachs, ForgePoint Capital and CISCO Investments. The company employs over 150 staff across their Australian, US, UK, Belgium and Iceland offices.Kasada safeguards consumers and businesses from malicious online bots. Their solution protects businesses from automated attacks, botnets and targeted fraud - across web, mobile and API channels. Besides boosting online security, the company increases traffic visibility and improves customer experience.Kasada is one of Australia's fastest growing cyber security startups, reporting 500% revenue growth in 2019. Founded in 2015, Kasada has raised over US$20 million and investors include CSIRO's Main Sequence Ventures, Westpac's VC fund Reinventure Group, In-Q-Tel, TenEleven Ventures, Our Innovation Fund and former Australian Prime Minister Malcolm Turnbull.Kasada is expanding its global footprint servicing customers in the ASX 100, Forbes Global 2000 and mid-sized enterprises in the US and UK.Cloud One - Conformity works with organisations around the world to implement and maintain best-in-class infrastructure security, compliance and optimisation on the public cloud. Their solution helps businesses who rely on AWS, Azure and Google Cloud to ensure their information and data remains secure.Cloud One - Conformity provides an example of a successful exit. Founded in 2016, it was acquired in 2019 for US$70 million by global security vendor Trend Micro. Cloud One - Conformity now has offices in Australia, US, UK and Canada.SME providers received about a quarter of sector revenue in AustraliaAustralian cyber security providers are generating $3 billion in revenue from the domestic market and $600 million from international markets, totalling $3.6 billion.3 Based on expert interviews, the Australian cyber security sector is segmented into five key groups:SMEs: startups and smaller providers. SMEs received approximately $800 million in revenue, which is around one-quarter of the sector's total revenue.Major consultancies: cyber security practices at major consulting firms. They are estimated to earn approximately $500 million in revenue.Technology integrators: large international diversified technology businesses that integrate systems and security. Integrators are capturing the largest share of the market, valued at an estimated $1.5 billion.4Mid-tier firms: scaled pure-play providers such as CyberCX, Tesserent and Trustwave. They account for an estimated $500 million of revenue.5Defence-related firms: providers focused on defence and national security, such as the so-called Defence Primes.6Figure 3Australia's cyber security sector revenue by provider segmentA$, billions; 2020 estimateSurvey question: What was the total revenue for your organisation in the 2019-20 financial year?Sources: AustCyber's Digital Census 2020, customised data from illionThe cyber security workforce has grown by 4,000 over the past three yearsThe substantial growth in cyber security spending in Australia has led to the workforce expanding by about 4,000 since 2017. A total of about 26,500 people work in the Australian cyber security sector today.This estimate includes both employees in the cyber security sector and those in related roles, such as members of in-house cyber security teams and Chief Information Security Officers in other sectors.Growth in jobs in cyber security has far outpaced the national average. Between 2017 and 2020, employment in the sector grew by six per cent each year, while the nation's overall workforce expanded by just two per cent each year.7In absolute terms, the total number of direct jobs in the sector is comparatively small compared to other, more established industries. However, cyber security underpins the digitisation and growth of the entire economy, meaning it has a much greater impact on Australia's overall employment through indirect jobs.Strong job creation in cyber security is likely to continue, with 7,000 more jobs expected to be added to Australia's economy by 2024.A number of government and industry programs, such as the Australian Signals Directorate's CyberEXP Program and the Australian Defence Force's Cyber Gap Program, are focused on developing Australia's workforce to meet this growing demand. Further programs will be added into the economy in the next year as a result of the Australian Government's Cyber Security Strategy 2020 and initiatives of state and territory governments.Figure 4Australian cyber security workforce 2017-24No. of workers, thousandsNote: The employment figures for 2017-24 are higher than estimated in previous SCPs. The higher figures are based on new and updated sources of data that were available for this SCP.Sources: Gartner, IBISWorld, Australian Bureau of Statistics, Cyberseek Australia, AlphaBeta analysisFor the first time, the gross value added of Australia's cyber security sector can be estimated, at $2.3 billionGVA (gross value added) is a measure of economic activity and can be used to estimate the contribution of the cyber security sector.AustCyber's Digital Census enables the calculation of GVA for the sector for the first time. GVA is the sum of the profits and wages from economic activity in the sector. In 2020, the former is estimated at $900 million (25 per cent of revenue) and the latter at $1.4 billion, resulting in GVA of $2.3 billion. The sector's GVA is already comparable to other digital sectors such as computer software ($4.2 billion) and retail e-commerce ($3.2 billion).8While GVA estimates the direct contribution of cyber security to the economy, it does not account for its role in enabling economic activity in other sectors. For example, the GVA of sectors such as banking and telecommunications would not be possible without robust cyber security. As our corporations, educational institutions and essential services become increasingly digitised, their success and impact largely rely on having trusted infrastructure and data.9 The sector's role in a rapidly digitising economy is further explored in Chapter 2.Note: This is an experimental first pass calculation of GVA for Australia's cyber sector using Digital Census data, as well as ABS and publicly available data. As more robust data on the cyber sector becomes available, this measurement can be further refined. Retail e-commerce is estimated using Australian online retail sales' share of total Australian retail turnover.Figure 5Estimated gross value added of Australia's cyber security sector, 2020A$, billionsProfitWagesGVA (direct)Profit estimate is based on data from more than 100 respondents to the Digital Census, scaled to account for sector size, as well as ABS data and public company reportsTotal sector wages was estimated by applying a weighted average wages-to-revenue ratio from the Digital Census to total sector revenue, as well as ABS dataGVA was estimated by summing operating profits and wages. This estimate does not include indirect economic impactsNote: Australia's 2020 cyber security sector revenue figures and revenue growth figures are estimated using global spend data as at July 2020.Sources: Gartner, IBISWorld, AustCyber's Digital Census 2020, AlphaBeta analysisMost of the businesses in Australia's cyber security sector are very young, with more than 40 per cent of providers around or under five years old, and 66 per cent less than ten years oldDespite this, a number of younger Australian cyber security firms have found early success in both Australia and abroad. One example is ASX-listed Tesserent, which was founded in 2016 and specialises in managed security and security consulting. Over the past two years, it has acquired smaller cyber security providers such as Rivium, Pure Security and Seer Security, further adding to its suite of capabilities.The average age of Australian cyber security providers is 8.5 years, and only nine per cent in the sector have been operating for more than 20 years.10 Of the firms that are older than 20 years, only 23 per cent are dedicated cyber security providers.11 The majority of these are services or IT businesses that offer cyber security as one part of their business.The sector's youth opens up many new opportunities for the Australian economy, but it also presents some challenges, as explained in chapters 2 and 3.Figure 6Age of Australian cyber security providersPercentage of all providersSurvey question: When was your organisation established?Sources: AustCyber's Digital Census 2020, customised data from illion, CrunchbaseReflecting its youth, the sector is dominated by SMEs, with over 88 per cent of providers having fewer than 100 employeesCharacteristic of its youth, the cyber security sector is dominated by SMEs, which make up around 66 per cent of providers. One-quarter of the businesses in the sector are micro providers (zero to four employees).This is expected to change as the sector matures. Of the providers surveyed, 40 per cent report that they plan to expand their workforce over the next 12 months.12 It is important to remember that this forecast comes at a time of uncertainty due to COVID-19.Of the providers with 200 or more employees, only 13 per cent identify as dedicated cyber security companies.13The rest of the large cyber security providers are professional services firms such as Deloitte and KPMG; international technology integrators such as Microsoft and IBM; and international defence specialists such as Lockheed Martin and BAE Systems. These larger providers offer cyber security as one part of their overall business, with expert interviews suggesting that cyber contributes five per cent for professional services providers.Note: Australia's cyber security sector includes all cyber security activity that occurs in Australia, where the economic value is added in Australia, including by foreign-owned entities.Figure 7Size of Australian cyber security providersShare of cyber security sectorSurvey question: What is the current size of your organisation in full time equivalent employees?Sources: AustCyber's Digital Census 2020, customised data from illionProviders specialising in systems security capture the largest portion of Australia's cyber security marketMarket spend on cyber security can be broken down by product segment. The largest product segment in Australia's cyber security market is 'Systems security' ($1.5 billion), followed by 'Software and platform security' ($1.3 billion). The 'human, organisational and regulatory' segment has the most providers, with 49 per cent accounting for a key offering. The segment with the fewest providers is 'Infrastructure security', although spending is still $1.1 billion, reflecting how this type of service is geared towards larger cyber providers.Cyber security, like much digital technology, has traditionally been understood in terms of hardware, software and services. But the diversity and sophistication of modern cyber security means that these categories are no longer appropriate. The Cyber Security Body of Knowledge (CyBOK) is an international collaboration headed by the University of Bristol that structures cyber security according to five main categories:Infrastructure security: securing computer and digital networks and related physical hardware and systems against intruders.Systems security: operational, network and systems security that includes the processes and decisions for handling and protecting data assets.Software and platform security: security that focuses on keeping software and the entire computing platform and devices resilient to cyber threats.Attacks and defences: a proactive and adversarial approach to protecting against cyber attacks, including performing penetration and vulnerability tests.Human, organisational and regulatory: tools and services to protect against intentional and unintentional user mistakes, and to ensure cyber governance and compliance.This new framework provides a more robust foundation for researchers, policymakers and industry to study the sector. See Appendix B for detailed descriptions of each product category.Note: Specialty is defined as the product or service that generates the largest amount of revenue for the business.Figure 8Australia's cyber security spend by product segment, 2020A$, billionsSurvey questions: What main products and/or services does your organisation offer? Of these, which are your top three products and/or services?Sources: AustCyber's Digital Census 2020, Gartner, IBISWorld, AlphaBeta analysisThe government and defence sectors are the largest customers of cyber providers of all sizesAnalysis of revenue breakdown by industry for both SMEs and larger cyber security providers reveals that although there are minor differences in how revenue is distributed, there are distinct commonalities in how the sector generates its revenue.For both SMEs and large providers, government (including organisations in healthcare, social care and education) and the defence sector account for approximately 30 per cent of total revenues. 'Government' is the sector's pivotal customer, with nearly 50 per cent of providers surveyed having sold cyber security products or services to the Australian Government over the previous 12 months.14 This is consistent with the rising cyber threats facing governments such as the growing sophistication of state-sponsored attacks, increasing demand for sovereign cyber capabilities and solutions.The 'Financial and insurance services' industry is the next major source of revenue, accounting for around 20 per cent for smaller providers and a slightly higher share for larger providers. The financial services sector's appetite for cyber security is driven by the high degree of criminal attention it garners, as well as stringent regulatory and compliance obligations.It must be noted that this analysis includes only external spending on cyber security. Expert interviews suggest that many of the large providers to the financial services and information and communications technology (ICT) industries are building substantial internal cyber capabilities, as opposed to purchasing external products or services.Figure 9Australian cyber security sector customers by industryLevel of consumption, provider revenue (percentage of total)Note: Data from AustCyber's Digital Census mostly describes SME providers. Data is based on the midpoint of the revenue category survey respondents selected (e.g., estimates $12.5 million revenue if they select $10 million - $15 million). Respondents were asked for the top three products and services they sold and this analysis assumes that revenue out of their top three is split equally across all other products and services they sell. It also assumes that providers' revenue is split equally across the industries they serve. High to low scale is across each product segment only.Sources: AustCyber's Digital Census 2020, expert interviewsAustralia is home to around 350 cyber security providers, with over 80% headquartered in Victoria, New South Wales and the Australian Capital TerritoryFigure 10State-by-state snapshot of cyber security providersClick on each state to view the details.18HQs9HQs20HQs90HQs41HQs68HQsNote: Cyber security priority areas are the priority capability strengths that have been identified by AustCyber and each state’s Cyber Security Innovation Node. Victoria are in the process of establishing a Node, as well as cyber priority areas. The number of headquarters in each state includes dedicated providers, as well as diversified providers – such as professional services firms, technology companies and defence providers – offering cyber security as part of their business. The percentage of providers that are exporting and the providers’ demographic information is calculated based on where the company is headquartered. State profiles are based on insights gleaned from AustCyber’s Digital Census 2020. No cyber security provider participating in the Census recorded themselves headquartered in Tasmania or the Northern Territory, so these two jurisdictions are not described in this section. As the cyber security sector continues to mature, we expect that Tasmania and the NT will develop their own local hubs.Sources: AustCyber’s 2020 Digital Census, customised data from illion, AlphaBeta analysis