Nilesh Thakker, Managing Partner, Zinnov; Sangeetha Anand, Principal, Zinnov; Rahul Agarwal, Consultant, Zinnov
Cybercrime could cost the world a staggering USD 10.5 Tn in losses in 2025, predicts Cybersecurity Ventures. This year alone, the damages are predicted to be to the tune of USD 6 Tn, i.e., twice the collective valuation of all unicorns – or approximately 3000% of the damages inflicted by natural disasters worldwide in 2020! With the pandemic substantially accelerating the rate of digital transformation, forcing companies to quickly adopt technologies into their core business strategy, the world saw more data breaches than in the previous 15 years combined. In addition, the shift to remote work, Cloud misconfigurations, along with widespread adoption of emerging technologies such as 5G, Artificial Intelligence (AI), Internet of Things (IOT), Machine Learning (ML), etc., contributed to the sophistication of threats, breeding unique security issues, and providing the hackers a wealth of possibilities to access sensitive data and information.
The Cybersecurity Imperative for Companies
The statistics are alarming, and the threats continue to compound. In 2020, according to Check Point, a Cybersecurity firm, new organizations became victims of ransomware every 10 seconds. Recent ransomware attacks not only plagued big firms such as Colonial Pipeline, Magellan, and Garmin, but also crippled social infrastructure such as schools and hospitals. Massive supply chain attacks on SolarWinds and FireEye took the scope and sophistication of cybercrime to new heights, stealthily and systematically extending attacks to US government agencies and high-profile private companies as well. The situation is a clarion call for Cybersecurity firms to be more innovative than they ever were, to solve complex problems, evolving types of threats, and all at an unprecedented speed. To address this, there is a need for these firms to rethink their business strategies, processes, and talent strategy to put a stake in the ground and make the most of this opportunity.
The industry is being invested in like never before. According to Momentum Cyber, the expected global Cybersecurity market size in 2026 will be USD 345.4 Bn, compared to the current USD 217.9 Bn at a CAGR of a whopping 9.7%. The total VC investment in the first half of 2021 alone was a massive USD 11.5 Bn, up from USD 4.7 Bn during the same period a year earlier. Companies are looking to invest in the APT (Advance Persistent Threat), IAM (Identity and Access Management), and Encryption segments to develop solutions to prevent breaches arising from emails, Cloud platforms and services, endpoints, and networks. Also, Aerospace and Defense verticals are estimated to lead the market in Cybersecurity-related investments as they carry highly confidential data, and the governments around the world are also becoming increasingly committed to fortifying their data. So, that brings up the ultimate question – how can Cybersecurity firms exploit this goldrush?
As new technologies emerge and are adopted by businesses, complex security issues will always be on the horizon. Cybersecurity firms need to be a step ahead to prevent a breach before it happens. But, to stay ahead, the industry lacks qualified cybersecurity talent – the global Cybersecurity Workforce Gap was 3.1 Mn in 2020, according to the (ISC)2 Cybersecurity Workforce Study. Consider North America – the US employs 879,157 Cybersecurity professionals and has a gap of roughly 359,000. Similarly, Canada is estimated to have a Cybersecurity talent pool of 102,000 and a workforce gap of 16,500. Undoubtedly there is a need for companies to re-examine their talent sourcing in order to find enough Cybersecurity talent and focus on innovation. Globalization, by leveraging countrieswith a vast talent pool,is a logical, simple, and effective way that companies have been tackling the problem.
Besides enabling affordability as a function of cost arbitrage, globalization also solves for scalability and speed, which are critical in a highly dynamic security market. It’s worth exploring how leading Cybersecurity firms consistently outperform their peers by leveraging globalization in their business models.
Globalization – The Game Changer
Zinnov analyzed the R&D workforces of some leading Cybersecurity firms by mapping these firms across 2 axes – the % of engineering work being delivered in low-cost global locations (X Axis) and the % of insourcing – percentage of talent hired internally across the globe rather than outsourced to vendors (Y Axis )(Figure 1) .
The emergent quadrants highlight unique characteristics of the mapped firms.
Q1 (High Quality, High Savings): In this zone, companies prefer more globalization with teams spread across the borders to gain cost arbitrage, access good quality scalable talent, and have most FTEs (Full-time Employees) instead of outsourcing.
This includes Trend Micro, SolarWinds, Micro Focus, CyberArk, Gigamon, FireEye and Zscaler. They have a higher percentage of low-cost globalization as well as insourcing.
Q2 (High Quality): There is not much globalization in this zone, but companies focus more on having FTEs instead of outsourcing to have better quality of talent and more control over the work.
The companies in this zone include SecureWorks, Riverbed, SailPoint, BeyondTrust, Veracode, and Proofpoint. They have a higher insourcing percentage but lower low-cost globalization.
Q3 (Low Quality, Low Savings): In this zone, companies are still evolving and relying more on outsourced work, and do not have much of a global presence. These companies are constantly thriving to go global and have more insourcing.
Q3 includes Barracuda & LogRhythm. They have lower insourcing and globalization among all the companies.
Q4 (High Savings): Companies in this zone understand globalization benefits of having low-cost high-quality talent across the globe and are putting in reasonable efforts there.
No company falls under this quadrant.
Highly Globalized Cybersecurity firms = Higher Operating Margins
When measured for performance, Q1 firms showed higher operating margins in 2020 than those in the other quadrants. For example, Trend Micro, with an operating margin of 22.9%, and SolarWinds with an operating margin of 10.54%, completely triumph over Q2 firms such as FireEye and Proofpoint, that had operating margins of -13.67% and -9.0%, respectively. Also, Zinnov’s analysis reveals that a higher percentage of insourcing in low-cost locations allowed these firms to save at least 20-30% lesser than outsourcing to vendors. These Q1 firms reduced dependency on vendors in the long-term, empowering themselves with greater control on development process, and intellectual property and enabling faster decision-making. Through the strategic leverage of global talent from low-cost locations, companies in the Cybersecurity vertical have significantly cut down their costs and increased the focus on innovation, resulting in higher value creation.
Firms in other quadrants (Q2, Q3 & Q4), with some change in operating strategy, with deeper focus on globalization and insourcing have the potential to enable scale and growth.
Highly Globalized Cybersecurity firms = Highly Diversified Digital Workforce
A diversified digital talent is another critical utility of low-cost globalization. Our analysis of low-cost globalization intensity and exponential technology capability across Cybersecurity verticals reveals that companies with low globalization intensity (having greater percentage of talent in high-cost locations compared to that in low-cost locations) tend to have a low degree of technological capability, i.e., their digital talent is not highly diversified with respect to the skillsets required in the Cybersecurity industry, such as AI, ML, Blockchain, Cloud, etc. This leads to high-cost pressure and hindrance in future growth as well as innovation.
Due to cost pressure and to reap the other benefits of globalization, many companies in the ‘Leaders’ and ‘Adopters’ zones of the graph above considered diversifying their global talent and were able to scale faster than their peers by leveraging a larger pool of digitally diversified talent present in low-cost locations. For example, 71% of CyberArk’s R&D talent is housed in low-cost locations with 2 R&D centers in India and Ukraine. As a result, it’s operating margin almost doubled from 7.78% in 2017 to 14.36% in 2019. Trend Micro, with a consistent operating margin of approximately 22% over the last 3 years has 69% of its R&D talent in low-cost locations, with 5 R&D centers in Taiwan, the Philippines, India, and Czechia.
FireEye, which has been investing strategically in low-cost locations over the last few years, regularly delivered improved operating margins – up from -34.43% in 2017 to -13.68% in 2020. Mimecast, another ‘Adopter’ firm, saw its operating margin increase from -1.68% in 2017 to 6.89% in 2020. However, firms in the ‘Laggards’ zone such as Proofpoint only saw a marginal improvement from -10.57% in 2017 to -9.23% in 2020. Similarly, Darktrace’s operating margin increased only to -21.72% in 2020 from -23.58% in 2017. If these companies expand their globalization footprint and leverage low-cost skilled talent, they will be able to ramp up their operations, reduce costs, accelerate innovation, and thus release products in a shorter time to market.
Globalization can be a game-changing strategy for Cybersecurity firms. The numbers speak for themselves – 30% of all companies from diverse verticals are exploring global locations as a means to access digitally mature talent who can accelerate innovation. Further, Zinnov’s analysis reveals that 500 net-new global centers are expected to be set up in India alone by 2025. And India is poised to become a Cybersecurity hub with 63% of global Cybersecurity product revenue coming from India alone, second only to the US with 16% revenue share, according to a recent report by the Data Security Council of India.
Additionally, the talent pool in the Cybersecurity product industry grew to 18,000 at an impressive CAGR of 25% from 2018 to 2020. This talent pool is expected to grow considerably as several prestigious institutions such as IIT Madras, IIT Kanpur, and IIT Roorkee have started offering specialized Cybersecurity courses at both undergraduate and post graduate levels, catering to the niche talent pipelines of companies. Besides courses from private universities such as AMITY, many certifications and courses with international recognition are being offered from institutions such as The CII – Tata Communications Centre for Digital Transformation (CDT) and ISACA to reskill the huge R&D talent pool in sought-after cyber skills and bridge the gap in the Cybersecurity workforce. Interestingly, the Cybersecurity ecosystem is flourishing as well with the number of Indian firms growing to over 225 in 2020 from over 175 in 2018, generating revenues of over USD 1 Bn in 2020 compared to USD 275 Mn in 2016. This presents a golden opportunity for a lot of Cybersecurity firms to explore India as a possible destination of choice. Cybersecurity firms should not wait and watch but explore globalization as a cost-effective way to meet the unmet talent demand and stay ahead in this burgeoning industry.
According to DSCI, Cybersecurity CoEs in India have more than doubled in the last 5 years, and many are multifunction centers with influential leadership, where they are closely collaborating with their parent organizations. To tap the potential of the India ecosystem and adapt to the new normal, Zinnov’s GCoE Accelerator and virtual COE models can be employed by Cybersecurity firms for setting up their global centers of excellence and foster innovation through strong collaboration between parent organization and quality talent at the global center.
Speak with our consultants