In her deep-dive report, Citi Research’s Global Software analyst, Fatima Boolani, highlights some of the important trends driving rapid development across the software space globally.
The resulting fragmentation of network connections, infrastructure resources, users, devices, business applications, and data have increased IT complexity and the potential for cyber-attacks. Against an already unrelenting threat landscape, this IT dispersion has galvanized threat actors to employ novel vectors and attack techniques for cyber intrusions. Concurrently, these malicious actors are also exploiting pre-existing weaknesses and cyber gaps, compounded by the unforced errors of organizations’ hybrid work/hybrid IT topologies.
As a result of these mega trends, the demarcation between cybersecurity, networking, and developer/IT ops tools within infrastructure software sub-disciplines is eroding. Citi Research expects conventionally earmarked spend for these sub-segments to undergo disruption and consolidation, which could mean a shake-up in market share for incumbents and upstarts.
Citi Research focuses in the report on seven sector themes:
- “Security for the Cloud” as the hotly contested arena of budgets, relevance;
- Firewall vendors’ viability in a post-COVID, Cloud-first IT landscape;
- Definition of “Act II” of hypergrowth next-gen endpoint security players;
- Vendors’ battle royal in the great re-platforming;
- Emerging frontiers and front-runners in identity security;
- Future of the vibrant DevOps ecosystem;
- Data security’s chance for prime time.
Focus on Point 7 Above: Is Data Security Ready for Prime Time?
The challenge of identifying exposed, high-risk data assets – typically an underinvested area in comparison to other pillars of cybersecurity – has only become more onerous, as Cloud migration and Cloud adoption have ramped the volume, variety, and velocity of sensitive, ransomware-worthy data creation.
This data, now fragmented across WFA users/accounts, an endlessly sprawling application estate, coupled with even lower IT oversight, is compounding cyber risk.
Key Investor Debate
To date, the data security and data protection part of the cybersecurity market has experienced niche procurement attention from organizations, and thus inconsistent attention from investors, attributable to four related factors:
- Data security is multi-faceted – Running the gamut of encryption, loss prevention, distribution and access, backup and recovery, masking, lifecycle, and governance, these distinct capabilities have often involved a multitude of vendors across broader IT, storage, data management, and security disciplines.
- Data security is often perceived as a means to a compliance end – Product-level investments have leaned tactical rather than strategic, to comply with discrete data privacy laws, such as GDPR.
- Organizations are lagging in response to evolving data management challenges – The onslaught of new regulations, standards, and growing data varieties have made the task more challenging. Commercially available tools have also proven either too difficult to deploy and scale or too narrow in scope to address all data security use cases holistically.
- Data security is often a “post-requisite” for cyber-mature organizations – Data security solutions are generally considered advanced; thus, "cybersecurity maturity" is a pre-requisite for data security investments, which at times is a hurdle for all but large organizations.
Unstructured data – found in emails, file folders, spreadsheets, and shared drive documents – is exploding and breeding everywhere. According to Accenture, ~80% of the data that businesses generate today is of this variety. Further, Gartner forecasts that this type of unstructured data is growing 25-50% per year, with enterprises slated to require upwards of 50M PB of storage (50ZB) per annum by 2030 to support this data growth.
Naturally, such staggering data growth stands to substantially widen the "exposed" sensitive data surface that organizations already under-invest in protecting. Illuminating where such sensitive data lives and how it is being accessed is a critical component to ensuring organizations are not flat-footed against compliance, data privacy regulations, and business continuity risks, with lapses involving fines, reputational damage, and operational losses.
WFA, hybrid IT, and Cloud migration/adoption magnifying this challenge: The dispersion and fragmentation of such data across myriad IT environments and data stores have amplified the challenge of identifying sensitive data assets. Repositories cutting across the on-prem and Cloud spectrum mean that ensuring granular role-based access to data and monitoring data usage behavior is harder, especially with data increasingly buried in SaaS and new-age collaboration apps (Slack, Teams) that are more susceptible to malicious or inadvertent access.
Big, albeit sleepy, wallets to grab: Data security has a home among myriad budgets, unlike many sub-disciplines of cybersecurity with defined allocations (i.e., perimeter, identity, endpoint), and also tends to compete with “do nothing” or DIY approaches. As such, data security does not neatly fit into a singular bucket, and addressable market sizing is less straightforward. However, this also means that budgets have the potential to be peeled away from different pools of enterprise security and IT areas under the CTO/CIO/CISO purview.
In this vein, Citi Research uses a three-part composite TAM sizing approach, rolling up the data security, data governance market, and partial storage software market (~8% of the total storage market specifically related to file analysis capabilities, core to data access monitoring) – markets most adjacent to data security. In aggregate, this ~$14B market today could grow to ~$16B by CY23 at a 9% CAGR.
The software sector provided annual returns of ~24%, ~57%, and ~17% between 2019 and 2021, according to data from FactSet. Citi Research believes that multiple expansion likely has been the source, aided and abetted by a yield-starved investing environment resulting from easy monetary policies. On an absolute level, the sector’s multi-faceted digital transformation themes and recurring financial model attributes also have likely been supportive of this expansion.
Software Has Been a Haven for Yield-Starved Investors
The software sector’s role as a haven for yield-starved investors is even clearer when contrasted to other areas of tech, such as hardware, IT services, and internet.
Global IT spending patterns over the last five years, per Gartner data, clearly demonstrates that software has been eating away significant slices of IT spend – another notable input to explain continued investor interest in the software space – with the composition of forward IT spending forecasts indicating that this dynamic could persist and durably so.
For more information on this and the other six sector themes, please see the full Citi Research report, Global Software - Welcome to the Cambrian Explosion of Infrastructure Software, published on 24 January 2022.
Citi Global Insights (CGI) is Citi’s premier non-independent thought leadership curation. It is not investment research; however, it may contain thematic content previously expressed in an Independent Research report. For the full CGI disclosure, click here.