What is the future of the Consumer Cyber Security market? (Part 1)
Whenever you read anything about Cybersecurity these days, the vast majority of stories, articles and research are focused on businesses rather than individuals. However, consumer security is technically the industry that started it all; it has a current market size of about USD 10 billion and it’s expected to continue to grow substantially over the next years.
With many businesses having their employees working remotely to some extent, the lines dividing corporate networks from households were never this blurred, so I believe reviewing where the consumer cybersecurity market is and could be in the future has never been more relevant than now.
This is going to be a two-part series. The article you are reading now explores how the market has evolved to the point where we are today, and the next one will review the future opportunities, challenges and shifts.
The story so far
Once upon a time, back in the 80s, the first computer viruses started to appear, and a computer scientist called Fred Cohen wrote a book about them, becoming widely known as the father of the term. (*)
Shortly after, the original antivirus programs followed, appearing all over the world, at a rate and number that you wouldn’t have expected in those early days of the computing world, when a public, global internet wasn’t thought of by anyone except a handful of dreamers and science fiction writers.
The world witnessed an arms race of sorts that brought new types of malicious software (malware, the term encompassing more than just computer viruses) and more cybersecurity tools, like antispam, antiphishing, antispyware, firewalls and more.
The antivirus vendors began incorporating additional functionalities and features, creating the then-called internet security suites, going even beyond malware protection as the internet continued to reach every home and person around the world.
By that time, in the late 90s/early 2000s, many of the original antivirus vendors were out of business, acquired or on the way to being so, but the arrival of internet-enabled phones later brought new vendors (e.g., Lookout) and even more cybersecurity software (password managers, secure browsers, VPNs, etc.), which started to focus more on protecting the user rather than the device, as had always been done before.
As subscription models became the norm during the last decade, the cybersecurity vendors followed, and now, the total, ultimate, premium offerings available go well beyond the prevention of threats like malware, including multiple security and privacy functionalities, even dark web monitoring and protection for identities.
Mr. Cohen’s seminal paper, often credited with starting the conversation about computer viruses, is now 40 years old. Despite all the effort put into the matter and, to some extent, thanks to it, the consumer security space has a vibrant present and a very interesting future that I’ll try to describe below.
As consumer behaviour changed, cybersecurity needed to adapt
The way that the original antivirus programs were designed isn’t compatible with how individuals behave today, even though many of those primordial concepts remain. Those changes mean that current consumer cybersecurity products need to consider so many scenarios and additional functionalities that, while they are expected to protect against everything, more often than not they aren’t capable of doing so.
Consumers surf the web, receive emails on multiple devices and programs, consume content through apps installed on their phones, connect to the internet from multiple locations, share files directly and through online storage, communicate with text messages and messaging applications, publish content on social media, and more.
Malware and other types of threats and scams can affect users in so many ways, reaching them through a lot of different channels, and cybersecurity software needs to cover all of them to offer comprehensive protection.
The growing number of attacks shows that while security suites are adapting and covering more ground as fast as they can, their work is far from easy and needs to consider an immense number of variables.
The gaps between what traditional digital security products can do and the evolving behaviour of individuals and cybercriminals are opening opportunities for other ways of providing protection to consumers.
Browsing protection and Mobile security, an example of how things changed
Antivirus software predates the internet, and as the adoption of the world wide web grew, protecting users while they browse online became one of its most important features. However, this isn’t something that you can address solely with a traditional endpoint security product.
Browsers like Chrome, Safari or Edge now include different security features to prevent some of the most common attacks, and even telcos and ISPs are providing services to safeguard the browsing experience of their subscribers.
Secure browsers and VPNs appeared as a way to safeguard the browsing experience of internet users, focused not only on protecting the devices but also the privacy of individuals. As with many other security features in the past, the major vendors began including those features in their suites as they became popular and a market opportunity.
While preventing web-based threats at the network level makes sense (for example, through a service delivered by the internet provider), that can’t protect against some attack vectors (e.g., a man-in-the-middle attack on a public Wi-Fi hotspot), hence the need for maintaining security functionality at the device level.
Another big change was the advent of smartphones and other mobile devices, which brought powerful computers into the hands of internet users and changed the operating system landscape, as we went from a world where the majority of devices were running Windows to another where Android became the most used consumer platform in the world.
Not only that, all of those operating systems now include several digital security and privacy features that were originally the domain of the internet security suites, creating a situation where the cybersecurity vendors are competitors of the platforms where they operate.
New devices, new operating systems, more connectivity, changed the computing world, and Cybersecurity with them.
The evolution of the cybersecurity vendors landscape
Not every vendor was able to adjust to the changes. The need for including more functionalities as well as the early explosion in the number of antivirus and internet security suites resulted in several waves of consolidation where many of them were acquired, fell into obscurity or simply disappeared.
Pioneers like Dr. Solomon, Thunderbyte, McAfee and F-Prot were the most prominent cases of an early M&A wave that consolidated the incipient market. Avira, AVG, Norman, Panda and Webroot are others that had a relevant global presence before falling into obscurity or being acquired.
Compare, for instance, the names of vendors in a Virus Bulletin 100 test from 1998 with the current lists at AV-Comparatives or AV-Test, and you’ll see how many have disappeared and which ones have remained.
Every one of the changes in consumer behaviour mentioned before also brought new vendors, like Lookout with the explosion of smartphones, and NordSecurity with the popularisation of VPNs.
Despite the original vendors having the first-mover advantage in the consumer cybersecurity market, these new companies gained great traction in the new segments. For example, NordSecurity, born from NordVPN, today has an equivalent or higher annual revenue than many of the established internet security vendors like BitDefender or F-Secure.
Free solutions
An interesting feature of the consumer cybersecurity software market is the many different models that exist, like paid subscriptions, freemium products, pre-installed tools and built-in solutions.
The internet helped the spread of free antivirus and internet security solutions, with companies like AVG and Avast as the best known among them, but not the only ones.
Vendors that are primarily or exclusively focused on business customers, like Sophos or CrowdStrike, have released versions of their products that were available to individuals without charge.
Not only that, in some countries like China, there have been security solutions that were ad-based (e.g., Qihoo 360), which originally wrapped SDKs from established vendors like ESET, BitDefender or Kaspersky and today have a mix of in-house and outsourced functionality.
The ad-based approach wasn’t something exclusive to China. AVG was generating a large chunk of their revenues from installing a Google toolbar and getting paid for that, and there have been other “business models” used along the way, as we can learn from the FTC lawsuit against Avast.
In a competitive market like this one, as time passed, only a handful of free solutions were able to survive. This is not only because building and maintaining a cybersecurity solution that is expected to protect individuals against everything is not a cheap enterprise, but also because one of the largest companies by market cap decided to take their role in it seriously.
Microsoft: fourth time’s a charm
Microsoft… what an interesting case for this industry. They have come into and gone from the antivirus and endpoint security industry so many times that it is difficult to keep track of how many.
Back in 1993, Microsoft Anti-Virus (MSAV) appeared, disappearing shortly after; then, Windows Live OneCare; then, at some point, there was Microsoft Security Essentials, which also disappeared; and now, we have Windows Defender.
Since their first incursion into the market, it was never clear how relevant this space was for Microsoft. They acquired some companies that were used to build a security offering in the 2000s, like the Romanian RAV Antivirus whose GeCAD was the base for OneCare or the business-focused Sybari that was integral to the Microsoft Forefront line of products.
At that time, it looked like that was when Microsoft was going to take over the industry, but lack of focus, changes of strategies and limited capabilities proved otherwise.
However, some seeds were planted and survived, and Microsoft reinvented itself into a strong cybersecurity player in the past years, taking the leadership in terms of total market share in both consumer and business segments, due to their Defender package being virtually free of charge and delivering an acceptably good level of security.
Today, due to Microsoft, and to vendors like Gen and McAfee with their strong OEM presence, virtually all new computers come with a pre-installed security solution.
The split of the established vendors
We have seen an interesting shift in the endpoint security vendor landscape in the past decade, with the emergence of new vendors that were and still are exclusively focused on the business segment.
This wasn’t always the case in the past, as the majority of antivirus companies were focusing on delivering solutions for both consumers and businesses as the core technology was technically the same. However, enterprises have more sophisticated demands than individuals, and the features required to protect them are quite different in consequence.
With the industry evolving, and Microsoft becoming more prevalent in the consumer market, we have seen a major shift, as multi-segment vendors started to split their operations:
- Symantec, after their enterprise business was acquired by Broadcom, split into Norton LifeLock, now part of Gen Digital, which also owns Avast, AVG, and others.
- McAfee sold off their corporate business to Symphony Technology Group, which was renamed to Trellix.
- F-Secure and MalwareBytes divided their operations, creating new companies to carry on with their non-consumer offering (WithSecure and ThreatDown are the names, respectively).
- Lookout also split and their consumer business was acquired by F-Secure.
Different reasons are behind the above changes, as the endpoint security market has changed significantly in the last 10 years. With Microsoft taking such a big part of the consumer segment, many believe there are fewer prospects for that market to grow, compared to how the enterprise vertical is evolving into Endpoint Detection and Response and beyond.
Trend Micro is the only one of the large established vendors that has not seen a change of ownership and continues to have offerings for both individuals and businesses, similarly to Kaspersky, ESET and Bitdefender. Of the vendors that were in the Gartner Magic Quadrant for EPP back in 2014/2015, only they have kept that approach consistently since then.
What I think is going to happen now?
As I said at the beginning of this article, this is going to be a two-part story. There are opportunities and challenges ahead that will keep changing the consumer cybersecurity market in drastic ways, and we can see some of them starting to take form today.
We are going to be exploring those in an upcoming article that will complete this series, so stay tuned.
(*) There were some ancestors to the first modern-era computer viruses, like the Creeper worm affecting PDP-10 mainframe computers, but that’s a story for another day.
*** This is a Security Bloggers Network syndicated blog from Cybersecurity & Business authored by Ignacio Sbampato. Read the original post at: https://cybersecandbiz.substack.com/p/what-is-the-future-of-the-consumer

