When you go down the list of the top U.S. defense contractors on the 'Defense News Top 100', you would think the behemoths are major players in the commercial cybersecurity market. Nothing could be further from the truth.
The worldwide cybersecurity market recorded roughly $75 billion in 2015 and it is expected to reach $175 billion by 2020. The aerospace, defense, and intelligence vertical is a major contributor to those figures, and the big defense contractors show up big time when it comes to helping U.S. federal agencies protect themselves against a growing cyber threatscape.
But in the commercial sector -- which includes Fortune 500, Global 2000, and corporations of all sizes -- well, that's a different story. The top five U.S. defense contractors are bungling a huge market opportunity to provide their services to our nation's biggest companies. Go figure.
Cybercrime cost businesses around $500 billion in 2015, and a new report from Juniper Research says it will quadruple to $2 trillion by 2019. There are 1 million cybersecurity jobs open in 2016... nearly 300,000 of them in the U.S., and the labor shortage is getting worse, not better. There will be $100 billion in spending on cybersecurity over the next four to five years, cybercrime is on the rise, and cybersecurity talent is hard to come by. Providing cybersecurity services that meets the standards of federal agencies is much more difficult than what the commercial market demands - and the defense contractors have the experience. Could the cybersecurity market conditions and commercial opportunity for large defense contractors be any better?
Here's a quick recap of the top five U.S. defense contractors and what they've done recently in the commercial cybersecurity market:
Lockheed Martin recently announced it was exiting the commercial cybersecurity market. It has been planning to sell off or spin off its roughly $4 billion government information technology business since early in 2015. That would include its cybersecurity unit.
”The cyber programs that will remain with the company are mostly focused on defense and intelligence customers and will be realigned into the corporation’s other four business segments” stated Dan Nelson, vice president, corporation communications at Lockheed. “The main factors driving the spin-off or sale of our IT and technical services businesses (which include cybersecurity) are changing market dynamics, shifting government priorities, increased competition and industry trends that have led us to believe that these businesses may achieve greater growth, and create more value for our customers by operating outside of Lockheed Martin,” added Nelson.
Boeing exited the commercial cybersecurity market roughly a year ago, according to a story in The Wall Street Journal which reported that Symantec was acquiring staff and technology licenses from Boeing’s Narus subsidiary. Narus was a vendor of big data analytics for cybersecurity. Some media depicted the Narus transaction as an “acquisition” by Symantec. Apparently Symantec only hired some of the Narus staff, and Boeing retained ownership of the Narus intellectual property (software) and customer base.
The security analytics market size alone is estimated to grow from $2.1 billion in 2015 to $7.1 billion by 2020, at a compound annual growth rate (CAGR) of 27.6 percent from 2015 to 2020, according to a recent report from Markets and Markets. Talk about botching a big opportunity.
“We continue to support a variety of defense, government and security customers with cybersecurity and data analytics products and services. It is correct that with the divesture of Narus, we are not focusing on commercial cybersecurity for the time being,” stated Andrew Lee, senior manager and division communications lead, Electronic & Information Solutions at Boeing, not long after the Narus breakup was reported.
Raytheon Company and Vista Equity Partners completed a joint venture transaction in May of 2015 which created a new company that combined Websense, a Vista Equity portfolio company, and Raytheon Cyber Products, a product line of Raytheon’s Intelligence, Information and Services business. Originally called Raytheon | Websense - it took the new company about eight months to come up with a new name... now called Forcepoint.
In a nutshell, the big defense contractor carved out its cybersecurity products and dumped them into a new business - as opposed to continuing as a unit inside of Raytheon. That may prove to be a smart move by Raytheon, but it is also evidence that defense contractors struggle to execute in the commercial cybersecurity market. The Raytheon deal pretty much suggests that a hot new cyber company is more likely to resonate with corporate customers than a defense contractor is.
General Dynamics sold off its Fidelis cybersecurity business in mid-2015 to U.S. private equity firm Marlin Equity Partners. Fidelis, which was part of General Dynamics' Mission Systems business, was acquired by General Dynamics in August 2012 and was initially integrated into the company's Information Systems and Technology business.
Lucy Ryan, a GD spokeswoman, told InsideDefense.com in a statement that Fidelis "serves a commercial customer base, not in our core, and is better served with a commercially focused owner." General Dynamics, for its part, "will continue to focus on our comprehensive and robust cyber business, serving the U.S. intelligence community; Department of Defense; Department of Homeland Security; and federal/civilian and law enforcement agencies," Ryan added.
Fast-forward to today and Fidelis Cybersecurity is a hot brand which says they protect the world’s most sensitive data by equipping organizations to detect, investigate and stop advanced cyber attacks. They have a Chief Marketing Officer, Michael Evans, who was previously vice president of marketing at FireEye and before that at Mandiant (who was acquired by FireEye) - who has Fidelis looking like anything but a stodgy defense contractor.
Northrop Grumman created a new business unit in 2015 that looks like an entirely separate company - Acuity Solutions Corp. - to pursue the commercial cybersecurity market. Acuity is led by a CEO with a big name in the commercial sector - Kris Lovejoy - who was previously general manager of the IBM Security Services Division, charged with development and delivery of managed and professional security services to IBM clients world-wide.
When you scan through the Acuity website it is hard to find any mention of Northrop - except for a couple of executive staff members who came over from the big defense contractor.
Acuity pitches its flagship product, The BlueVector Cyber Intelligence Platform, on its own website - which has a distinctly commercial feel aimed at big businesses. The BlueVector homepage cites research around the amount of money large corporations spend to combat cyber breaches, and related figures. Like Raytheon, it seems that Northrop is smart enough to know the unique challenges around competing in the commercial cybersecurity market.
To make some sense out of the missed opportunity in the commercial sector, one needs only to look at the opportunity for cybersecurity in the federal sector. With a cumulative market valued at $65.5 billion (2015 – 2020), the U.S. Federal Cybersecurity market will grow steadily at about 6.2 percent CAGR, according to a report from Market Research Media. The report states “the annual cyber security spending of the US Federal government is bigger than any national cyber security market, exceeding at least twofold the largest cybersecurity spending countries.”
The U.S. federal government has spent $100 billion on cybersecurity over the past decade, and President Obama has $14 billion budgeted for 2016. Perhaps the new federal cyber budget is enough to keep the top five defense contractors busy while they leave the commercial sector to the big tech companies and venture funded cyber startups who are swarming the market. For Lockheed - the biggest defense contractor - it will no doubt remain busy with their F-35 business.