Software is the largest segment in the cybersevurity industry, BofA says.

A report by Bank of America Merrill Lynch examined investment opportunities for firms in the cybersecurity space.

The market itself is large and growing. Citing data from technology research firm Gartner, BofA estimated the cybersecurity solutions market is currently between $75 billion and $77 billion. It’s expected to grow to $170 million by 2020, according to market research firm Markets and Markets.

A big reason for that growth is corporate spending on cybersecurity, especially in the financial services industry, as well as telecoms, technology and manufacturing. “Cyberspend,” as BofA put it, budgets have grown nearly twice as fast as IT budgets over the past two years, and firms are spending an average 6% of their overall IT budget on cybersecurity initiatives, compared with 2% in 2010.

The Securities Industry and Financial Markets Association, for its part, recently carried out a cybersecurity exercise called Quantum Dawn 3, with more than 80 participants in the financial sector and government.

Investors are finding increasing opportunity to invest in the cybersecurity market. Cybersecurity startups raised $2.5 billion in 2014 across 224 investments, according to BofA, and there have been 59 M&A transactions between cybersecurity firms. Cybersecurity-related unit investment trusts and ETFs, like PureFunds’ Cyber Security ETF (HACK) are also entering the market.

Low-growth areas in the cybersecurity market include endpoint protection platforms and consumer security software, which combined account for 39% of the market, but those are offset by better performance in the security information and event management (SEIM), secure Web gateway, identity governance and administration and enterprise content-aware data loss prevention areas.

Software is the largest segment in the cybersecurity industry, BofA found, at $21.4 billion. It’s expected to reach nearly $27 billion by the end of the decade, driven primarily by new freemium models, security appliances, and increased security for cloud operators and mobile devices.

The enterprise market, which serves firms rather than consumers or end users, represents about $15 billion and is forecast to grow to $19.5 billion by 2018. The endpoint security market is expected to grow from $10 billion in 2014 to over $14.5 billion five years later.

By revenue and market share, Symantec is the largest security software vendor, with $3.7 billion in 2014 and 17% market share. However, even though IBM is only the third largest vendor by those measures, growth from 2013 to 2014 far outpaced its competitors: 17% compared with 4.6% for Intel and 5% for EMC.

Much of IBM’s growth is driven by SEIM solutions, according to the report. “Security information and event management (SIEM) is defined as applying security analytics to real time events for the detection of targeted attacks and data breaches, and hence logging these for reference to prevent future attacks in an enterprise environment. It is considered a mixture of both software and serviced-based cybersecurity solution.”

According to the research firm MarketsandMarkets, the SEIM sector is expected to grow from less than $3 billion in 2014 to $4.5 billion in 2019 at a compound annual growth rate of 12%, the highest for any of the sectors in the cybersecurity market.

It’s the little guys that are leading in innovation, though. Business development firm Cybersecurity Ventures rated firms like FireEye, an advanced threat protection provider, and Lancope, which provides network visibility and security intelligence, as the most innovative in the industry. Only IBM and Lockheed Martin were in the top 10.

The report found adopting new technologies is the biggest priority for corporations’ cybersecurity budgets, followed by audits and assessments of current systems. However, only a third of executives surveyed by PwC said they prioritized adding new skills and capabilities along with that new technology.

Governments are also increasing what they spend on cybersecurity. In the United States, the number of information security incidents increased from over 5,500 in 2006 to 67,168 in 2014, according to data the report. “In response, the U.S. federal government spent $78.8 billion in total on cybersecurity between 2006–2013, and this is expected to reach $14 billion in 2016 alone.”

In spite of that, BofA believes the government is still not spending enough. “Despite seemingly facing an increasing wave of attacks, spend on cybersecurity as a percentage of total department budget is still low,” it wrote in the report. “In fact, only the Department of Homeland Security spends more that 3% of its 2014 budget on cybersecurity.”

The report noted that there are seven factors that influence the cost of a data breach to a company: third-party errors, lost or stolen devices, quick notification, a strong security posture, incident response planning, appointing a chief information security officer and consulting support.

In fact, companies that deployed a security intelligence system had an estimated 21% retun on investment. Estimated ROI for encryption technology was 18%, followed by firewalls at 14%.

— Check out Where the Real Cybersecurity Risk Comes From on ThinkAdvisor.