In the wake of the attacks on the US on September 11, the media and government have campaigned to highlight the risks that many companies and institutions face from hackers and viruses. The focus on the threat of cyberterrorism in particular has forced many companies to increase the effectiveness of their security programs.

As a result, we can expect considerable IT security investment over the next few years. Datamonitor expects vendor revenues for firewalls and virtual private networks (VPNs) to hit the $7.5 billion mark in 2005, and eSecurity services will increase at an average annual rate of 24% between 2001-2005.

Waking up to the threats

Across the globe, companies are becoming increasingly aware of the need to deploy effective security architectures in order to mitigate the threats associated with conducting eBusiness.

One of the reasons for this is the fact that companies are constantly falling prey to increasingly sophisticated viruses such as NIMDA and Code Red. These viruses are reported to have cost businesses $590 million and $2.6 billion respectively.

Such costs are typically calculated according not only to the damage caused but also takes into account lost business from network and application downtime and the costs of cleaning up after an attack.

Since firms are scaling back on IT budgets, an important first step is to look at the best ways to improve internal processes to maximize security. Then, companies must invest in the technologies to fill in the gaps. As a result, considerable IT security investment will be undertaken in 2003 – even if the global economic recovery proves elusive.

Security products vendors such as Check Point, Cisco and ISS can expect together to achieve global security product sales of over $9 billion this year, up from $7.3 billion in 2001. The fastest growing sectors will be firewalls & virtual private networks (VPNs). Revenues will rise from just over $2 billion in 2001 to almost $7.5 billion in 2005 – an average growth rate of 37% a year.

If it’s too hard, outsource it

However, other technologies such as public key infrastructure (PKI) and intrusion detection solutions (IDS) have caused serious headaches for network administrators because of the unexpected management overheads. For PKI, the unexpected problems have deterred many people from investing in such a complicated technology. The IDS market could well present end-users with similar levels of heartburn.

So although Datamonitor expects the global market for intrusion detection and vulnerability assessment solutions to grow strongly from $617 million in 2001 to over $1.7 billion in 2005, growth will not be as rapid as many vendors might hope.

Instead, as more IT managers face up to the realities of managing a complex security architecture, they may turn to one of the many managed security service providers offering them the chance to outsource the management and monitoring of such solutions as firewalls, VPN and IDS.

By 2005, the global market for eSecurity services will be worth $14.5 billion – and the fastest growing sector will be outsourced security services. Datamonitor expects this sector to rise at a CAGR of 35% between 2001-2005, growing from $867 million in 2001 to reach $2.9 billion in 2005, accounting for 20% of all security service revenues globally by 2005.

Reaching the standard

As companies look towards collaborative IT systems and extranets, many will want to ensure that their partners are just as diligent in ensuring that their systems are safe. Many in the industry have looked towards standards such as the British BS7799 and the international ISO17799 as a means of achieving this, whereby anyone certified as complying to these standards will have achieved a minimum level of security.

However, the uptake has not so far been dramatic, as many companies are unwilling to pay for such a certification – and it has not yet become mandatory for large collaboration projects. But as more and more companies look toward cyber-risk insurance policies, however, they may need to comply with such standards to qualify for such policies or to receive rebates.

As a result, standards such as BS7799 and ISO17799 could have a major impact on security services revenues in the foreseeable future. If the uptake of such practices increases, revenues from security consulting could be even higher than the predicted $5.7 billion in 2005.

However, this will not be the case for a number of years until a more compelling argument for certification is found. This may come from insurance companies, if they decide to make a real push for the use of cyber-risk policies to mitigate some of the risks associated with conducting eBusiness.