Costs for company information security. Information security in industries. Organizational expenses on information and communication technologies

Investors put money into a range of computer security technologies, from bug bounty platforms (paying rewards for vulnerabilities found in software) to program diagnostics and automated testing. The most attractive area, however, is authentication and identity management: about $900 million had been invested in startups working on these technologies by the end of 2019.

Investments in cybersecurity training startups reached $418 million in 2019, led by KnowBe4, which raised $300 million. The startup offers a phishing attack simulation platform and a range of training programs.

In 2019, companies involved in Internet of Things security received about $412 million. The leader in this category in terms of investment volume is SentinelOne, which in 2019 received $120 million for the development of endpoint protection technologies.

At the same time, Metacurity analysts provide other figures for venture financing in the information security sector. In 2019 investment reached $6.57 billion, up from $3.88 billion in 2018, and the number of deals rose from 133 to 219. The average investment per deal remained virtually unchanged at $29.2 million at the end of 2019, as calculated by Metacurity.

2018

Growth by 9% to $37 billion - Canalys

In 2018, sales of hardware, software and services for information security (IS) reached $37 billion, up 9% from $34 billion a year earlier, according to data published by Canalys analysts on March 28, 2019.

Although many companies prioritize protecting their assets, data, endpoints, networks, employees and customers, cybersecurity accounted for only 2% of total IT spending in 2018, the analysts said. New threats keep emerging and are becoming more complex and more frequent, which gives vendors of security solutions room for growth: total cybersecurity spending is expected to exceed $42 billion in 2020.

Canalys analyst Matthew Ball believes that the transition to new models of information security implementation will accelerate. Customers are changing the nature of their IT budgets by using public cloud services and flexible subscription-based services.

About 82% of information security deployments in 2018 involved the use of traditional hardware and software. In the remaining 18% of cases, virtualization, public clouds and information security services were used.

By 2020, the share of traditional models for deploying information security systems will drop to 70%, as new solutions on the market are gaining popularity.

Vendors will need a range of business models to support this transition, as different products suit different deployment types. The main challenge today is to make the new models more partner-oriented and to integrate them with existing partner programs, especially for customer transactions via cloud platforms. Some cloud marketplaces have already responded by letting partners offer tailored bundles and prices directly to customers while tracking deal registrations and discounts, Matthew Ball wrote in a March 29, 2019 post.

According to Canalys analyst Ketaki Borade, leading cybersecurity technology vendors have introduced new product distribution models that involve companies moving to a subscription model and increasing operations in the cloud infrastructure.


The cybersecurity market remained highly dynamic and saw record deal activity and volume in response to growing regulatory and technical requirements, as well as the continued widespread risk of data breaches, says Momentum Cyber co-founder and managing partner Eric McAlpine. "We believe this momentum will continue to push the sector into new territory as it seeks to address emerging threats and consolidates in the face of supplier fatigue and growing skills shortages."

2017

Cybersecurity expenses exceeded $100 billion

In 2017, global spending on information security (IS) - products and services - reached $101.5 billion, the Gartner research company said in mid-August 2018. At the end of 2017, experts estimated this market at $89.13 billion. It is not reported what caused the significant increase in valuation.

"CISOs are looking to help their organizations securely use technology platforms to become more competitive and drive business growth," says Siddharth Deshpande, research director at Gartner. "Continued skills shortages and regulatory changes such as the General Data Protection Regulation (GDPR) in Europe are driving further growth in the cybersecurity services market."

Experts believe that one of the key factors contributing to increased information security costs is the introduction of new methods of detecting and responding to threats, which became the top security priority for organizations in 2018.

According to Gartner estimates, global organizational spending on security services exceeded $52.3 billion in 2017 and will rise to $58.9 billion in 2018.

In 2017, companies spent $2.4 billion on application security, $2.6 billion on data security and $185 million on cloud security.

Annual sales of identity and access management (IAM) solutions amounted to $8.8 billion. Sales of IT infrastructure protection tools rose to $12.6 billion.

The study also reports $10.9 billion in spending on network security equipment, and vendors earned $3.9 billion from security risk management systems.

Consumer cybersecurity spending for 2017 is estimated by analysts at $5.9 billion, according to a Gartner study.

Gartner estimated the market size at $89.13 billion

In December 2017, it became known that global company spending on information security (IS) in 2017 would amount to $89.13 billion. According to Gartner, corporate spending on cybersecurity will exceed the 2016 amount of $82.2 billion by almost $7 billion.

Experts consider information security services to be the largest expense item: in 2017, companies will allocate over $53 billion for these purposes compared to $48.8 billion in 2016. The second largest segment of the information security market is infrastructure protection solutions, the costs of which in 2017 will amount to $16.2 billion instead of $15.2 billion a year ago. Network security equipment is in third place ($10.93 billion).

The structure of information security expenses also includes consumer software for information security and identification and access management systems (Identity and Access Management, IAM). Gartner estimates costs in these areas in 2017 at $4.64 billion and $4.3 billion, while in 2016 the figures were at $4.57 billion and $3.9 billion, respectively.

Analysts expect further growth in the information security market: in 2018, organizations will increase spending on cyber protection by another 8% and allocate a total of $96.3 billion for these purposes. Among the growth factors, experts listed changing regulation in the information security sector and awareness of new threats and the pivot of companies to a digital business strategy.

In general, spending on cybersecurity is largely driven by companies’ response to information security incidents, as the number of high-profile cyberattacks and information leaks affecting organizations around the world is growing, says Ruggero Contu, research director at Gartner, commenting on the forecast.

The analyst's words are supported by a Gartner survey conducted in 2016 among 512 organizations from eight countries, among them Australia, Canada, France, Germany, India, Singapore and the USA.

53% of respondents named cybersecurity risks as the main driving force behind increased cybersecurity spending. Of this number, the highest percentage of respondents said that the threat of cyberattacks most influences information security spending decisions.

Gartner's forecast for 2018 calls for increased spending across all major areas: about $57.7 billion (+$4.65 billion) on security services, about $17.5 billion (+$1.25 billion) on infrastructure security, $11.67 billion (+$735 million) on network security equipment, $4.74 billion (+$109 million) on consumer security software and $4.69 billion (+$416 million) on IAM systems.

Analysts also believe that by 2020, more than 60% of organizations in the world will invest simultaneously in several data protection tools, including information loss prevention, encryption and auditing tools. As of the end of 2017, the share of companies purchasing such solutions was estimated at 35%.

Another significant item of corporate expenditure on information security will be the involvement of third-party specialists. It is expected that, against the backdrop of a shortage of personnel in the field of cybersecurity, the growing technical complexity of information security systems and increasing cyber threats, company costs for information security outsourcing in 2018 will increase by 11% and amount to $18.5 billion.

Gartner estimates that by 2019, corporate spending on third-party cybersecurity experts will account for 75% of total cybersecurity software and hardware spending, up from 63% in 2016.

IDC predicts market size to be $82 billion

Two thirds of this spending will come from large and very large companies. By 2019, according to IDC analysts, spending by corporations with more than 1,000 employees will exceed $50 billion.

2016: Market volume $73.7 billion, growth twice that of the IT market

In October 2016, the analytical company IDC presented brief results of a study of the global information security market. Its growth is expected to be twice that of the IT market.

IDC calculated that global sales of hardware, software and services for cyber protection would reach about $73.7 billion in 2016 and exceed $100 billion in 2020, at $101.6 billion. From 2016 to 2020 the information security market will grow at an average of 8.3% per year, twice the expected growth rate of the IT industry.


The largest information security spending at the end of 2016 ($8.6 billion) is expected in banks. Discrete manufacturing, government agencies and process manufacturing take second, third and fourth place, respectively, and together account for about 37% of spending.

Analysts give leadership in the dynamics of increasing information security investments to healthcare (an average annual growth of 10.3% is expected in 2016-2020). The costs of cyber protection in the telecom, housing sector, government agencies and in the investment and securities market will rise by approximately 9% per year.

Researchers call the American market the largest information security market, the volume of which will reach $31.5 billion in 2016. The top three will also include Western Europe and the Asia-Pacific region (excluding Japan). There is no information on the Russian market in the short version of the IDC study.

Dmitry Gvozdev, CEO of the Russian company Security Monitor, predicts that the share of services in total Russian security spending will grow from 30-35% to 40-45%, and that the market's customer structure will shift from the overwhelming predominance of the government, financial and energy sectors towards medium-sized enterprises from a wider range of industries.

One of the trends should be a growing share of domestic software products, driven by import substitution and the foreign policy situation. How far this is reflected in financial indicators will depend largely on the ruble exchange rate and the pricing policy of foreign vendors, who still hold at least half of the domestic software market and up to two thirds of the equipment segment. The final annual result of the whole Russian information security market may also be tied to external economic factors, Gvozdev said in a conversation with TAdviser.

2015

Only the subsection headings for 2015 survive on this page: market size, federal spending, cyber crime, cost per breach, financial services, international, security analytics.

2013: The EMEA market grew to $2.5 billion.

The security appliance market in the EMEA region (Europe, Middle East and Africa) grew by 2.4% compared to 2012 and amounted to $2.5 billion. Analysts named multifunctional hardware and software systems for protecting computer networks, UTM (Unified Threat Management) appliances, as the largest and fastest-growing segment of the market. IDC also predicted that the EMEA market for technical information security products would reach $4.2 billion by 2018, growing at an average of 5.4% per year.

At the end of 2013, the leading position among suppliers in terms of revenue from sales of information security equipment in the EMEA region was taken by Check Point. According to IDC, the vendor's revenue in this segment for 2013 grew by 3.8% and amounted to $374.64 million, which corresponds to a market share of 19.3%.

2012: PAC forecast: the information security market will grow by 8% per year

The global information security market will grow by 8% annually until 2016, when it could reach 36 billion euros, the study reported.

There are two main approaches to justifying the costs of information security.

Scientific approach. This requires involving the company's management (or owner) in assessing the value of information resources and estimating the potential damage from information security violations.

1. If the value of the information is low, there are no significant threats to the company's information assets and the potential damage is minimal, then information security requires little funding.

2. If the information has definite value and the threats and potential damage are significant and well defined, then the question arises of including the costs of an information security subsystem in the budget. In this case a corporate information protection system has to be built.

Practical approach. This consists in determining a realistic cost for a corporate information security system from similar systems in other areas. Practitioners believe that the cost of an information security system should be roughly 10-20% of the cost of the corporate information system, depending on the specific requirements of the security regime.

Generally accepted requirements for ensuring the “best practice” information security regime (based on practical experience), formalized in a number of standards, for example ISO 17799, are implemented in practice when developing specific methods for assessing the effectiveness of an information security system.

Modern methods for estimating information security costs make it possible to account for the entire cost side of an organization's information security, including direct and indirect costs for hardware and software, organizational measures, training and professional development of employees, reorganization, business restructuring, and so on.

They are needed to prove the economic efficiency of existing corporate protection systems and let heads of information security services justify the security budget and demonstrate the effectiveness of their staff. The cost estimation methods used by foreign companies make it possible to:

Obtain adequate information about the level of security of a distributed computing environment and the total cost of ownership of a corporate information security system.

Compare the organization's information security departments both among themselves and with similar departments of other organizations in the industry.

Optimize investments in the organization’s information security.


One of the best-known methods for estimating the costs of an information security system is the total cost of ownership (TCO) method of Gartner Group. TCO is understood as the sum of direct and indirect costs of organizing (reorganizing), operating and maintaining a corporate information security system over a year. It is applied at almost every major stage of the life cycle of a corporate information security system and makes it possible to justify objectively and independently the economic feasibility of introducing and using specific organizational and technical security measures and tools. For an objective decision, the state of the enterprise's external and internal environment must also be taken into account, for example indicators of its technological, personnel and financial development.

Comparing a certain TCO indicator with similar TCO indicators in the industry (with similar companies) allows you to objectively and independently justify the organization’s costs for information security. After all, it often turns out to be quite difficult or even practically impossible to assess the direct economic effect of these costs.

The total cost of ownership for an information security system generally consists of the costs of:

  • design work;
  • purchase and configuration of software and hardware protection tools, including the main groups: firewalls, cryptographic tools, antivirus software and AAA (authentication, authorization and accounting) tools;
  • physical security;
  • personnel training;
  • system management and support (security administration);
  • information security audits;
  • periodic modernization of the information security system.

Direct costs include both capital cost components (associated with fixed assets or "property") and labor costs, which are included in the categories of operations and administrative management. This also includes costs for services of remote users, etc., associated with supporting the organization’s activities.

In turn, indirect costs reflect the impact of the corporate information system and the information security subsystem on the organization's employees through measurable indicators such as downtime and freezes of the information security system and of the information system as a whole, and operations and support costs not included in direct costs. Indirect costs very often play a significant role, since they are usually not reflected in the initial information security budget but come to light later during cost analysis.

The organization's TCO indicators are calculated in the following areas.

  • Components of the corporate information system (including the information security system) and the organization's information activities: servers, client computers, peripheral devices, network devices.
  • Hardware and software costs for information security: consumables and depreciation of servers, client computers (desktops and mobile computers), peripheral devices and network components.
  • Costs of organizing information security: maintenance of information security systems, standard protection tools for peripheral devices, servers and network devices, planning and management of information security processes, development of security concepts and policies, and others.
  • Information system operations expenses: direct personnel costs, and the cost of work and outsourcing performed by the organization as a whole or by a service provider to deliver technical support and keep the infrastructure running for users.
  • Administrative expenses: direct personnel costs, operational support and the costs of internal/external suppliers (vendors) to support operations, including management, financing, procurement and training for information systems.
  • End-user transaction costs: end-user self-support, formal end-user training, casual (informal) training, do-it-yourself application development, local file system support.
  • Downtime costs: annual end-user productivity losses from planned and unplanned outages of network resources, including client computers, shared servers, printers, application programs, communications resources and communications software.

How to justify the costs of information security?

Reprinted with the kind permission of OJSC InfoTex Internet Trust.
The source text is located on the original site (the link is not preserved here).

Company maturity levels

Gartner Group identifies 4 levels of company maturity in terms of information security (IS):

  • Level 0:
    • No one in the company deals with information security; management does not recognize the importance of information security problems;
    • There is no funding;
    • Information security is implemented with the standard means of operating systems, DBMS and applications (password protection, access control to resources and services).
  • Level 1:
    • Management regards information security as a purely "technical" problem; there is no unified program (concept, policy) for developing the company's information security management system (ISMS);
    • Funding is provided within the overall IT budget;
    • Information security is implemented with the level 0 means plus backup tools, antivirus tools, firewalls and VPN tools (traditional security tools).
  • Level 2:
    • Management regards information security as a set of organizational and technical measures; the importance of information security for production processes is understood; there is a program for developing the company's ISMS approved by management;
    • Information security is implemented with the level 1 tools plus enhanced authentication tools, email and web content analysis tools, IDS (intrusion detection systems), security analysis tools, SSO (single sign-on), PKI (public key infrastructure) and organizational measures (internal and external audit, risk analysis, information security policy, regulations, procedures and guidelines).
  • Level 3:
    • Information security is part of the corporate culture; a CISO (chief information security officer) has been appointed;
    • Funding is provided within a separate budget;
    • Information security is implemented with the level 2 means plus an information security management system, a CSIRT (information security incident response team) and SLAs (service level agreements).

According to Gartner Group (data provided for 2001), the percentage of companies in relation to the described 4 levels is as follows:
Level 0 - 30%,
Level 1 - 55%,
Level 2 - 10%,
Level 3 - 5%.

The Gartner Group's forecast for 2005 is as follows:
Level 0 - 20%,
Level 1 - 35%,
Level 2 - 30%,
Level 3 - 15%.

The statistics show that the majority of companies (55%) have currently implemented only the minimum necessary set of traditional technical protection tools (level 1).

When implementing various technologies and security measures, questions often arise. What to implement first, an intrusion detection system or a PKI infrastructure? Which will be more effective? Stephen Ross, director of Deloitte&Touche, proposes the following approach for assessing the effectiveness of individual information security measures and tools.

Ross's graph (not reproduced here) shows that the most expensive and least effective are specialized tools (in-house or custom-made).

Expensive, but at the same time the most effective, are category 4 protection products (levels 2 and 3 according to Gartner Group). Implementing tools in this category requires a risk analysis procedure, which ensures that implementation costs are commensurate with the actual threats of information security violations.

The cheapest, yet highly effective, are organizational measures (internal and external audit, risk analysis, information security policy, business continuity plan, regulations, procedures and manuals).

Introducing additional protection tools (moving to levels 2 and 3) requires significant financial investment and, accordingly, justification. The absence of a unified ISMS development program approved and signed by management makes it harder to justify investment in security.

Risk Analysis

Such justification can be the results of risk analysis and statistics accumulated on incidents. Mechanisms for implementing risk analysis and collecting statistics should be specified in the company’s information security policy.

The risk analysis process consists of 6 sequential stages:

1. Identification and classification of protected objects (company resources to be protected);

2. Categorization of protected objects by confidentiality and criticality;

3. Building a model of the attacker;

4. Identification, classification and analysis of threats and vulnerabilities;

5. Risk assessment;

6. Selection of organizational measures and technical means of protection.

At the identification and classification stage, an inventory of the company's resources is taken in the following areas:

  • Information resources (confidential and critical company information);
  • Software resources (OS, DBMS, critical applications, such as ERP);
  • Physical resources (servers, workstations, network and telecommunications equipment);
  • Service resources (email, www, etc.).

Categorization determines the confidentiality and criticality level of each resource. Confidentiality is the level of secrecy of the information stored, processed and transmitted by the resource. Criticality is the degree to which the resource affects the efficiency of the company's production processes (for example, a service-provider company may go bankrupt if its telecommunications resources are down). By assigning qualitative values to the confidentiality and criticality parameters, the significance of each resource in the company's production processes can be determined.

To determine the importance of company resources from an information security point of view, the two parameters are combined in a significance table (the table itself is not reproduced on this page).

For example, files with information about employees' salaries have the value "strictly confidential" (confidentiality parameter) and the value "insignificant" (criticality parameter). Substituting these values into the table gives an integral indicator of the significance of this resource. Various categorization methods are given in the international standard ISO/IEC TR 13335.

Building an attacker model is the process of classifying potential violators according to the following parameters:

  • Type of attacker (competitor, client, developer, company employee, etc.);
  • The position of the attacker in relation to the objects of protection (internal, external);
  • Level of knowledge about protected objects and the environment (high, medium, low);
  • Level of ability to access protected objects (maximum, average, minimum);
  • Duration of action (constantly, at certain time intervals);
  • Location of action (the expected location of the attacker during the attack).

By assigning qualitative values ​​to the listed parameters of the attacker’s model, one can determine the attacker’s potential (an integral characteristic of the attacker’s capabilities to implement threats).

Identification, classification and analysis of threats and vulnerabilities determine how attacks on protected objects can be carried out. Vulnerabilities are properties of a resource or its environment that an attacker uses to implement threats. Known software vulnerabilities are listed in public vulnerability databases on the Internet.

Threats are classified according to the following criteria:

  • name of the threat;
  • type of attacker;
  • means of implementation;
  • exploited vulnerabilities;
  • actions taken;
  • implementation frequency.

The main parameter is the frequency of threat implementation. It depends on the values of the "attacker potential" and "resource security" parameters; the value of "resource security" is determined by expert assessment. When determining the frequency, the attacker's subjective parameters are also taken into account: the motivation for implementing the threat and statistics on previous attempts to implement threats of this type (if available). The result of the threat and vulnerability analysis stage is an estimate of the "implementation frequency" parameter for each threat.

At the risk assessment stage, the potential damage from information security violations is determined for each resource or group of resources.

The qualitative indicator of damage depends on two parameters:

  • Significance of the resource;
  • Frequency of threat implementation on this resource.

Based on the damage assessments obtained, adequate organizational measures and technical means of protection are reasonably selected.

Accumulation of statistics on incidents

The only weak point in the proposed methodology for assessing risk and, accordingly, justifying the need to introduce new or change existing protection technologies is the determination of the parameter “frequency of threat occurrence.” The only way to obtain objective values ​​of this parameter is to accumulate statistics on incidents. Accumulated statistics, for example, over a year will allow you to determine the number of implementations of threats (of a certain type) per resource (of a certain type). It is advisable to carry out work on collecting statistics as part of the incident processing procedure.

Purpose of the study: to analyze and identify the main trends in the Russian information security market.
Rosstat data (statistical reporting forms No. 3-Inform, P-3 and P-4), financial statements of enterprises, etc. were used.

Organizations' use of information and communication technologies and information security tools

  • This section was prepared from aggregated data submitted by organizations, including their geographically separate divisions and representative offices, on Form 3-Inform "Information on the use of information and communication technologies and the production of computer equipment, software and the provision of services in these areas".

The period 2012-2016 was analyzed. The data does not claim to be complete (it is collected from a limited set of enterprises), but in our opinion it can be used to assess trends. The number of responding enterprises over the period ranged from 200 to 210 thousand, so the sample is fairly stable and includes the most likely consumers (large and medium-sized enterprises), which account for the bulk of sales.

Availability of personal computers in organizations

According to statistical reporting form 3-Inform, in 2016 the Russian organizations that submitted this form had about 12.4 million personal computers (PCs). Here a PC means a desktop or laptop computer; mobile phones and handheld computers are not included.

Over the past 5 years, the number of PC units in organizations in Russia as a whole has increased by 14.9%. The best-equipped federal district is the Central Federal District, accounting for 30.2% of PCs in companies. The undisputed leading region for this indicator is the city of Moscow; according to data for 2016, Moscow companies have about 1.8 million PCs. The lowest value of the indicator was noted in the North Caucasian Federal District; organizations in the district have only about 300 thousand PC units; the smallest number is in the Republic of Ingushetia - 5.45 thousand units.

Fig. 1. Number of personal computers in organizations, Russia, million units.

Organizational expenses on information and communication technologies

During 2014-2015, due to the unfavorable economic situation, Russian companies were forced to minimize their costs, including costs for information and communication technologies. In 2014, ICT costs decreased by 5.7%, but by the end of 2015 a slight positive trend had appeared. In 2016, Russian companies' spending on information and communication technologies amounted to 1.25 trillion rubles, exceeding the pre-crisis 2013 figure by 0.3%.

The bulk of the costs falls on companies located in Moscow - over 590 billion rubles, or 47.2% of the total. The largest volumes of organizations' expenses on information and communication technologies in 2016 were recorded in: Moscow region - 76.6 billion rubles, St. Petersburg - 74.4 billion rubles, Tyumen region - 56.0 billion rubles, Republic of Tatarstan - 24.7 billion rubles, Nizhny Novgorod region - 21.4 billion rubles. The lowest costs were recorded in the Republic of Ingushetia - 220.3 million rubles.

Fig. 2. Amount of companies' expenses on information and communication technologies, Russia, billion rubles.

Organizations' use of information security tools

Recently, a significant increase in the number of companies using information security tools can be noted. The annual growth rate of their number is quite stable (with the exception of 2014) and amounts to about 11-19% per year.

According to official Rosstat data, the most popular means of protection at present are technical means of user authentication (tokens, USB keys, smart cards). Of more than 157 thousand companies, 127 thousand (81%) indicated the use of these particular tools for information protection.

Fig. 3. Distribution of organizations by use of means ensuring information security in 2016, Russia, %.

According to official statistics, in 2016, 161,421 companies used the global Internet for commercial purposes. Among organizations that use the Internet for commercial purposes and have indicated the use of information security measures, the most popular is the electronic digital signature: over 146 thousand companies, or 91% of the total, indicated it as a means of protection. By use of information security tools, companies were distributed as follows:

    • electronic digital signature tools - 146,887 companies;
    • regularly updated antivirus programs - 143,095 companies;
    • software or hardware preventing unauthorized access by malware from global information or local computer networks (firewall) - 101,373 companies;
    • spam filter - 86,292 companies;
    • encryption tools - 86,074 companies;
    • computer or network intrusion detection systems - 66,745 companies;
    • software tools for automating security analysis and control of computer systems - 54,409 companies.

Fig. 4. Distribution of companies using the Internet for commercial purposes, by means of protecting information transmitted over global networks, in 2016, Russia, %.

In the period 2012-2016, the number of companies using the Internet for commercial purposes increased by 34.9%. In 2016, 155,028 companies used the Internet to communicate with suppliers and 110,421 companies used it to communicate with consumers. Among the companies using the Internet to communicate with suppliers, the following purposes of use were indicated:

  • obtaining information about the necessary goods (works, services) and their suppliers - 138,224 companies;
  • providing information about the organization's needs for goods (works, services) - 103,977 companies;
  • placing orders for the goods (works, services) necessary for the organization (excluding orders sent via e-mail) - 95,207 companies;
  • payment for supplied goods (works, services) - 89,279 companies;
  • receipt of electronic products - 62,940 companies.

Among the companies using the Internet to communicate with consumers, the following purposes of use were indicated:

  • providing information about the organization, its goods (works, services) - 101,059 companies;
  • (works, services) (excluding orders sent by e-mail) - 44,193 companies;
  • making electronic payments with consumers - 51,210 companies;
  • distribution of electronic products - 12,566 companies;
  • after-sales service - 13,580 companies.

Volume and dynamics of the information technology budgets of federal executive authorities in 2016-2017

According to the Federal Treasury, the total volume of limits on budget obligations for 2017 communicated to federal executive authorities (hereinafter, FEAs) under expense type code 242 "Purchase of goods, works, services in the field of information and communication technologies", in the part not constituting a state secret, amounted to 115.2 billion rubles as of August 1, 2017, which is approximately 5.1% higher than the total IT budget of federal executive authorities in 2016 (109.6 billion rubles, according to the Ministry of Telecom and Mass Communications). Thus, while the total volume of IT budgets of federal departments continues to grow from year to year, the growth rate has decreased (in 2016, the total volume of IT budgets increased by 8.3% compared to 2015). At the same time, the stratification between "rich" and "poor" departments in terms of information and communication technology expenditures is increasing. The undisputed leader, not only in budget size but also in achievements in the IT field, is the Federal Tax Service. Its ICT budget this year is more than 17.6 billion rubles, which is more than 15% of the budget of all federal executive authorities. The total share of the top five (Federal Tax Service, Pension Fund of the Russian Federation, Treasury, Ministry of Internal Affairs, Ministry of Telecom and Mass Communications) is more than 53%.

Fig. 5. Structure of budget expenditures of federal executive authorities for the purchase of goods, works and services in the field of information and communication technologies in 2017, %

Legislative regulation in the field of procurement of software for state and municipal needs

From January 1, 2016, all state and municipal bodies, the state corporations Rosatom and Roscosmos, management bodies of state extra-budgetary funds, as well as state and budgetary institutions carrying out procurement in accordance with the requirements of Federal Law of April 5, 2013 No. 44-FZ "On the contract system in the field of procurement of goods, works, services to meet state and municipal needs", are required to comply with the ban on the admission of software originating from foreign countries for procurement to meet state and municipal needs. The ban was introduced by Decree of the Government of the Russian Federation of November 16, 2015 No. 1236 "On establishing a ban on the admission of software originating from foreign countries for the purpose of procurement to meet state and municipal needs." When purchasing software, the above customers must explicitly state the prohibition on purchasing imported software in the purchase notice. The ban applies to the purchase of software for electronic computers and databases, regardless of the type of contract, supplied on a tangible medium and (or) in electronic form through communication channels, as well as to exclusive rights to such software and the rights to use such software.

There are several exceptions under which customers are allowed to purchase imported software:

  • procurement of software and (or) rights to it by diplomatic missions and consular offices of the Russian Federation, and by trade missions of the Russian Federation at international organizations, to ensure their activities on the territory of a foreign state;
  • procurement of software and (or) rights to it, information about which and (or) the purchase of which constitutes a state secret.

In all other cases, before purchasing software the customer is required to consult the unified register of Russian programs for electronic computers and databases and the classifier of programs for electronic computers and databases.
The register is formed and maintained by the Ministry of Telecom and Mass Communications of Russia as the authorized federal executive body.
As of the end of August 2017, the register included 343 software products in the "information security tools" class from 98 Russian development companies. Among them are software products from such large Russian developers as:

  • OJSC "Information Technologies and Communication Systems" ("InfoTeKS") - 37 software products;
  • JSC Kaspersky Lab - 25 software products;
  • Security Code LLC - 19 software products;
  • Crypto-Pro LLC - 18 software products;
  • Doctor WEB LLC - 12 software products;
  • S-Terra CSP LLC - 12 software products;
  • CJSC "Aladdin R.D." - 8 software products;
  • JSC "Infowatch" - 6 software products.

Analysis of the activities of the largest players in the field of information security

  • The basic information for analyzing the activities of the largest players in the information security market in this study was information on public procurement in the field of information and communication activities and, in particular, information security.

To analyze trends, we selected 18 companies that are among the leaders in the information security market and are actively involved in government procurement. The list includes both direct developers of software and hardware-software security systems and the largest system integrators. The total revenue of these companies in 2016 amounted to 162.3 billion rubles, exceeding the 2015 figure by 8.7%.
Below is the list of companies selected for the study.

Table 1. Companies selected for the study

No. | Name | TIN | Type of activity (OKVED 2014)
1 | "I-Teco" JSC | 7736227885 | Activities related to the use of computer technology and information technologies, other (62.09)
2 | Croc Incorporated, JSC | 7701004101 |
3 | "Informzashita", CJSC NIP | 7702148410 | Research and development in the field of social sciences and humanities (72.20)
4 | "Softline Trade", JSC | 7736227885 |
5 | "Technoserv AS", LLC | 7722286471 | Wholesale trade of other machinery and equipment (46.69)
6 | "Elvis-plus", JSC | 7735003794 |
7 | "Asteros" JSC | 7721163646 | Wholesale trade in computers, computer peripheral devices and software (46.51)
8 | "Aquarius Production Company", LLC | 7701256405 |
9 | Lanit, CJSC | 7727004113 | Wholesale trade of other office machinery and equipment (46.66)
10 | Jet Infosystems, JSC | 7729058675 | Wholesale trade in computers, computer peripheral devices and software (46.51)
11 | "Dialognauka", JSC | 7701102564 | Computer software development (62.01)
12 | "Factor-TS", LLC | 7716032944 | Production of computers and peripheral equipment (26.20)
13 | "InfoTeKS", JSC | 7710013769 | Computer software development (62.01)
14 | "Ural Center for Security Systems", LLC | 6672235068 | Activities in the field of architecture and engineering, and technical advice in these areas (71.1)
15 | "ICL-KPO VS", JSC | 1660014361 | Computer software development (62.01)
16 | NVision Group, JSC | 7703282175 | Non-specialized wholesale trade (46.90)
17 | "Confidential-Integration", LLC | 7811512250 | Data processing activities, provision of hosting services and related activities (63.11)
18 | "Kaluga Astral", JSC | 4029017981 | Advisory activities and work in the field of computer technology (62.02)

As of the end of October 2017, the companies in the sample had concluded 1,034 contracts with government agencies totaling 24.6 billion rubles. I-Teco leads this list by volume of concluded contracts, with 74 contracts worth 7.5 billion rubles.
Over the past years, with the exception of the crisis year of 2014, a constant increase in the total volume of contracts for the selected companies can be noted. The most significant dynamics occurred in 2015-2016: in 2015 the volume of contracts increased by more than 3.5 times, and in 2016 by 1.5 times. Based on the available data on the companies' contract activity for January-October 2017, it can be assumed that in 2017 the total volume of contracts with government agencies will be about 37-38 billion rubles, that is, a decrease of around 40% is expected.

As already noted, enterprise security is ensured by a set of measures at all stages of the life cycle of its information system; in general, its cost consists of the cost of:

  • design work;
  • procurement and configuration of software and hardware protection tools;
  • ensuring physical security;
  • personnel training;
  • system management and support;
  • information security audit;
  • periodic modernization of the information security system, etc.

The cost indicator of the economic efficiency of an integrated information security system will be the sum of direct and indirect costs for organizing, operating and maintaining the information security system throughout the year.

It can be considered a key quantitative indicator of the effectiveness of information security organization in a company, since it allows not only estimating the total costs of protection but also managing these costs to achieve the required level of enterprise security. Direct costs include both capital cost components and labor costs, which fall into the categories of operations and administrative management. They also include costs for services to remote users, etc., associated with supporting the organization's activities.

Indirect costs, in turn, reflect the impact of the integrated security system and the information security subsystem on employees through such measurable indicators as downtime and freezes of the corporate information security system and of the integrated security system as a whole, and operations and support costs.

Very often, indirect costs play a significant role, since they are usually not reflected in the initial budget for a comprehensive security system but are revealed only during later cost analysis, which ultimately increases the company's "hidden" costs. Let us consider how the direct and indirect costs of a comprehensive security system can be determined. Assume that the management of an enterprise is implementing a comprehensive information security system. The objects and goals of protection, the threats to information security and the measures to counter them have already been identified, and the necessary information protection tools have been purchased and installed.

Typically, information security costs fall into the following categories:

  • costs for the formation and maintenance of the information security system management link;
  • costs of control, that is, of determining and confirming the achieved level of security of enterprise resources;
  • internal costs for eliminating the consequences of an information security violation: costs incurred by the organization because the required level of security was not achieved;
  • external costs for eliminating the consequences of an information security violation: compensation for losses due to violations of the security policy in cases involving information leakage, loss of the company's image, loss of trust of partners and consumers, etc.;
  • costs of maintaining the information security system and measures to prevent violations of the enterprise security policy.

Here, one-time and systematic costs are usually distinguished.

One-time costs for creating enterprise security: organizational costs and costs for the acquisition and installation of protective equipment.

Systematic costs: operating and maintenance costs. The classification of costs is conditional, since the collection, classification and analysis of information security costs are internal activities of enterprises, and the detailed development of the list depends on the characteristics of a particular organization.

The main thing when determining the costs of a security system is mutual understanding and agreement on cost items within the enterprise.

In addition, cost categories should be consistent and should not duplicate each other. It is impossible to completely eliminate security costs, but they can be reduced to an acceptable level.

Some security costs are absolutely necessary, and some can be significantly reduced or eliminated. The latter are those that may disappear in the absence of security breaches or will decline if the number and destructive impact of breaches decreases.

By maintaining security and preventing violations, the following costs can be eliminated or significantly reduced:

  • restoring the security system to meet security requirements;
  • restoring the resources of the enterprise's information environment;
  • alterations within the security system;
  • legal disputes and compensation payments;
  • identifying the causes of security violations.

Necessary (unavoidable) costs are those that are incurred even if the level of security threats is quite low. These are the costs of maintaining the achieved level of security of the enterprise information environment.

Unavoidable costs may include:

  • maintenance of technical protective equipment;
  • confidential records management;
  • operation and audit of the security system;
  • a minimum level of inspections and control with the involvement of specialized organizations;
  • training of personnel in information security methods.

However, there are other costs that are quite difficult to determine. Among them:

  • the costs of conducting additional research and developing a new market strategy;
  • losses from lowering the priority of scientific research and the inability to patent and sell licenses for scientific and technical achievements;
  • costs associated with eliminating bottlenecks in the supply, production and marketing of products;
  • losses from the compromise of products manufactured by the enterprise and reduction in their prices;
  • difficulties in acquiring equipment or technologies, including price increases and limits on supply volumes.

The listed costs can be caused by the actions of personnel of various departments, for example, design, technological, economic planning, legal, economic, marketing, tariff policy and pricing.

Since employees of all these departments are unlikely to be busy full-time with issues of external losses, the establishment of the amount of costs must be carried out taking into account the actual time spent. One of the elements of external losses cannot be accurately calculated - these are losses associated with undermining the image of the enterprise, reducing consumer confidence in the products and services of the enterprise. It is for this reason that many corporations hide the fact that their service is unsafe. Corporations fear the release of such information even more than they fear attacks in one form or another.

However, many businesses ignore these costs on the grounds that they cannot be determined with any degree of accuracy; they can only be roughly estimated.

Costs of preventive measures

These costs are probably the most difficult to estimate, because preventive activities are carried out across different departments and affect many services. They can appear at all stages of the life cycle of enterprise information environment resources:

  • planning and organization;
  • acquisition and commissioning;
  • delivery and support;
  • monitoring of the processes that make up information technology.

In addition, most of the costs in this category relate to security personnel. Prevention costs primarily include wages and overhead. However, the accuracy of their determination largely depends on how accurately the time spent by each individual employee is determined. Some preventive costs are easy to identify directly. They may, in particular, include payment for various work by third parties, for example:

  • maintenance and configuration of software and hardware protection tools, operating systems and network equipment in use;
  • engineering and technical work to install alarm systems, equip storage facilities for confidential documents, and protect telephone lines, communications, computer equipment, etc.;
  • delivery of confidential information;
  • consultations;
  • training courses.

Sources of information about the costs considered

When determining the costs of providing information security, it is necessary to remember that:

  • costs for the acquisition and commissioning of software and hardware can be obtained from the analysis of invoices, records in warehouse documentation, etc.;
  • payments to staff can be taken from payroll statements;
  • wage amounts should be taken with regard to the actual time spent on information security work; if only part of an employee's time is spent on information security activities, the feasibility of assessing each component of that time expenditure should not be questioned;
  • the classification of security costs and their distribution among elements should become part of daily work within the enterprise.
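As an added example (not from the article), the following Python model puts the cost classification described above into a form that can be budgeted and checked: each item is tagged direct/indirect, one-time/systematic and avoidable/unavoidable, staff wages are prorated by the share of time actually spent on security, and a consistency check rejects duplicated cost items and out-of-range time shares. All figures in the sample budget are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class CostItem:
    name: str
    amount: float          # rubles for the year (or for the event, for one-time items)
    direct: bool           # True: purchases, wages; False: downtime, freezes, support load
    one_time: bool         # True: design, acquisition, installation; False: operation
    avoidable: bool        # True: would disappear if no security breaches occurred
    time_share: float = 1.0  # share of the amount attributable to security work

    def attributed(self) -> float:
        # Wages are counted only for the time actually spent on security work.
        return self.amount * self.time_share


def validate(items: Iterable[CostItem]) -> List[str]:
    """Cost categories must be consistent and must not duplicate each other."""
    problems, seen = [], set()
    for it in items:
        if it.name in seen:
            problems.append(f"duplicate cost item: {it.name}")
        seen.add(it.name)
        if it.amount < 0:
            problems.append(f"negative amount: {it.name}")
        if not 0.0 < it.time_share <= 1.0:
            problems.append(f"time share out of range: {it.name}")
    return problems


def annual_cost(items: Iterable[CostItem]) -> float:
    """Key indicator: direct plus indirect costs of the IS system over the year."""
    return sum(it.attributed() for it in items)


def breakdown(items: Iterable[CostItem]) -> Dict[str, float]:
    """Totals per category pair; each pair sums to annual_cost()."""
    items = list(items)

    def total(pred) -> float:
        return sum(it.attributed() for it in items if pred(it))

    return {
        "direct": total(lambda i: i.direct),
        "indirect": total(lambda i: not i.direct),
        "one_time": total(lambda i: i.one_time),
        "systematic": total(lambda i: not i.one_time),
        "avoidable": total(lambda i: i.avoidable),
        "unavoidable": total(lambda i: not i.avoidable),
    }


# Constructed sample budget (illustrative figures, not data from the article).
SAMPLE_BUDGET = [
    CostItem("design work", 1_000_000, direct=True, one_time=True, avoidable=False),
    CostItem("firewall and token purchase and installation", 2_500_000, True, True, False),
    CostItem("security administrator wages", 1_200_000, True, False, False),
    # Network engineer spends a quarter of the year on security tasks.
    CostItem("network engineer wages", 1_000_000, True, False, False, time_share=0.25),
    CostItem("staff training", 300_000, True, False, False),
    CostItem("downtime from IS system freezes", 400_000, False, False, True),
    CostItem("restoring resources after an incident", 600_000, True, False, True),
    CostItem("legal disputes and compensation", 800_000, True, True, True),
]

if __name__ == "__main__":
    for problem in validate(SAMPLE_BUDGET):
        print("problem:", problem)
    print("annual cost:", annual_cost(SAMPLE_BUDGET))
    for category, value in breakdown(SAMPLE_BUDGET).items():
        print(f"{category:>12}: {value:,.0f}")
```

The avoidable total is the part of the budget that shrinks as breaches are prevented; the unavoidable total is the floor needed to maintain the achieved security level.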