Cybersecurity Industry: $200 Billion in Revenue, No Impact? Why Attacks Escalate Despite Rising Budgets
The global cybersecurity industry generates over $200 billion annually. Meanwhile, ransomware damages, data breaches, and successful attacks hit new records year after year. Something is fundamentally wrong – and the industry itself benefits from the problem it is supposed to solve.
TL;DR
- The cybersecurity market grows by 12 percent annually – while damages from cybercrime increase by 15 percent
- Companies use an average of 76 different security tools – the complexity itself becomes a security risk
- The industry sells technology instead of results: No vendor guarantees that their product actually prevents attacks
- The skills shortage is partly self-inflicted – the industry focuses on niche certifications instead of broad competence
The Paradox of Growing Insecurity
In 2015, the world spent $75 billion on cybersecurity. By 2025, that figure will exceed $200 billion. The market has nearly tripled. The logical expectation: The security situation should have improved proportionally. The opposite is true.
Ransomware damages: quadrupled. Data breaches per year: doubled. Average dwell time of attackers in the network: still over 200 days. The industry is growing not despite but because of the escalating threat landscape. This is not a conspiracy theory – it is a structural problem.
Tool Sprawl: The Disease Sold as a Cure
An average company with 1,000 employees operates 76 different security tools. Firewall, EDR, SIEM, SOAR, XDR, IAM, PAM, DLP, CASB, WAF, NDR, MDR, ASM, CSPM – each acronym is its own product, its own dashboard, its own license.
The irony: This tool complexity creates the very gaps that attackers exploit. Misconfigurations between systems. Alert fatigue from thousands of daily alerts. Integration issues that create blind spots. The industry’s solution? Another tool – this time one that orchestrates all the others.
The FUD Business Model
Fear, Uncertainty, Doubt (FUD). This is not just a marketing tactic but the business model of the entire industry. Every vendor report warns of exponentially increasing threats. Every study shows that companies “need to invest more.” Every keynote starts with a horror scenario.
No single vendor says: “You have enough tools. You just need to configure the existing ones correctly and train your employees.” Why not? That can’t be sold as a license.
What Would Really Work
Fewer tools, better basics: The Australian Signals Directorate has shown that consistent implementation of eight fundamental measures (the Essential Eight) prevents over 85 percent of all cyberattacks. None of these eight elements requires a product costing more than €50,000.
Outcome-based contracts: Why doesn’t any security vendor guarantee results? Managed service providers for facility management guarantee availability. SaaS vendors guarantee uptime. Security vendors sell licenses and leave the effectiveness to the customer. The industry needs outcome-based business models with risk sharing.
Consolidation instead of addition: Instead of buying tool number 77, companies should consolidate to 15 to 20 and configure them correctly. The savings can finance the experts who can actually operate the tools.
Conclusion: The Industry Must Disrupt Itself
The cybersecurity industry has an incentive problem: It profits from the insecurity it is supposed to fix. This does not mean that all products are useless – many are excellent. But the system in which they are sold and deployed is dysfunctional. The solution does not come from within but from customers who stop buying dashboards and start demanding results.
Key Facts
Tool Sprawl: Companies with over 50 security tools have no better detection rate than those with fewer than 20 – but 48 percent higher operating costs (IBM).
ROI Problem: Only 14 percent of CISOs can quantify the return on security investment of their total expenditures (Gartner, 2024).
Frequently Asked Questions
Does this mean security products are useless?
No. Individual products – EDR, SIEM, MFA – have proven effectiveness. The problem is not the technology itself but the assumption that more technology automatically means more security. Correct configuration and competent personnel are more important than the number of tools.
Why don’t companies simply consolidate?
Three reasons: Lock-in through long-term contracts, fear of gaps during replacement, and organizational inertia. Every tool has an internal champion who introduced it. Consolidation requires political will at the C-level.
What should a CISO do first?
An honest inventory: Which tools are actually used? Which run unmonitored? Then consolidate, correctly configure the remaining tools, and invest the saved license costs in employee training.