Cybersecurity has enjoyed good health but is an industry itching for innovation and transformation – and the next big thing, Teri Robinson reports.
When Neil Armstrong climbed down the ladder on the Apollo 11 lunar module, the Eagle, and toed the moon’s surface, as he so aptly stated, his small step simultaneously represented a giant leap. The cybersecurity industry today is somewhere between that small step – a series of them, actually – and a really big leap.
We need that leap forward. Or so says Malcolm Harkins, chief security and trust officer at Cymatic. “We need transformational change rather a step” a la Apple or Uber, he says about an industry that has had its fair share of innovation but has seen much of its progression come from incremental changes that “are easier to get people to buy into.” But those incremental changes have resulted in complexity and a dependence on an array of products that keep cash flowing into the market but may or may not work in concert to solve the thorniest security problems.
Harkins envisions the kind of leap that would bring a much-needed simplicity to what has become for many organizations an increasingly complex security architecture. Doable, he says, for those “who have the strength of conviction and business acumen and leadership to drive transformational change” and overcome what he calls “the gravitational pull of the cash cows.”
Cybersecurity, like other markets in a thriving economy, is enjoying a spate of good health, a trend predicted to continue for a few years. The global cybersecurity market, in fact, is expected to continue to tick up from $184.19 billion in 2020 to $248.26 billion by 2023, a MarketsandMarkets report says.
“The cybersecurity market continues to be robust, attracting investment and a steady stream of ambitious startups, says Atiq Raza, chairman and CEO at Virsec. “There continues to be a perfect storm of rapid changes in technology (such as the cloud and mobility), an ongoing cyber arms race against well-funded adversaries and a range of new global privacy laws with increasing teeth.”
Calling the market “more buoyant than it has ever been,” Colin Bastable, CEO of Lucy Security, notes it has “lots of activity, innovation and drive.”
Both need – for solutions to combat cybercriminals and nation-state actors – and opportunity – there’s money to be made – are driving growth.
The hottest topic: Ransomware - The attacks that transpired last year alone arguably made ransomware the hot topic of the year and most likely a leading contender for 2020, as well, but a new element that cropped up late last year – attackers adding a layer of blackmail to the threat of locking a target’s computer system – solidified its standing. Read on...
“As the world at large wakes up to the need for more robust cyber posture and expects it from the companies they buy from, the need for cybersecurity products has never been greater,” says Padraic O’Reilly, co-founder and chief product officer of CyberSaint.
Indeed, troubling threats continue to crop up and wreak havoc. “Threats are diversifying and increasing in sophistication, and businesses and individuals are actively seeking refuge from breached privacy. Increases in digital skimming attacks like Magecart, account takeover attacks and mobile attacks increase the need for proactive and behavioral approaches to dealing with advanced attacks increases,” says Omri Iluz, co-founder and CEO of PerimeterX.
“The global network of state and non-state aligned threat actors is forever driving the development of brand-new technologies and companies to address new threat vectors,” adds Durbin.
No longer relegated to the “depths of the organization,” cybersecurity “has stopped being something that is discussed solely by hackers and techies to a subject that has a growing place on the board’s agenda,” says Hank Thomas, CTO and board director at SCVX, a cybersecurity-focused special purpose acquisition company (SPAC). “It is falling squarely on the agenda of many business leaders at meetings such as Davos and is forming the basis of political debate and policymaking with issues surrounding the choice of suppliers and partners as seen with the ongoing Huawei as a provider of 5G networks debate.”
Many firms providing security solutions and services have grown through mergers and acquisitions – and 2019 saw some whoppers:
Maintaining “we are still in early innings when it comes the cybersecurity and the market,” Steve Durbin, managing director at the Information Security Forum (ISF), says, “increasingly many companies that have taken their C and D rounds of funding are wondering what their next move is now that some of their valuations are out of range for most VCs. A wave of M&A, consolidation, and IPOs has begun.”
“As we enter 2020 and the new decade, cybersecurity is by far the fast-growing and most dominant category within the IT industry, and is poised to remain so, as cyber threats continue to increase in complexity, severity, and quantity,” says Rui Lopes, engineering and technical support director at Panda Security.
Pointing to what Gartner says is an 8.7 percent growth in worldwide IT spending, Iluz stresses “security spending is growing faster than IT spending, and the demand for security solutions has never been higher. Security awareness is growing, and security teams are expanding.”
Where did all the money go?
Over the last year or so, organizations opened their wallets frequently and for a variety of reasons but compliance with standards and regulatory requirements drove many of the expenditures, with compliance expected to make up a 30 percent chunk of IRM spending, Gartner says.
Companies have sunk resources into cloud security as well. “The move to cloud deployments and containers fundamentally changes how security needs to be built, but the security industry has been slow to shift away from legacy, perimeter security models,” says Virsec Vice President Willy Leichter, who also pegged industrial control systems and runtime memory protection as investment hotspots.
“Right now, all eyes are on endpoints as critical targets and on endpoint detection and response (EDR) solutions, as well as true threat hunting, which takes a proactive, behavior-based approach to malicious activity,” says Lopes. As the number of flaws, compromises and vulnerabilities found in “bedrock software and even IT management themselves” proliferate, enterprise businesses and channel providers are finding proactive, advanced threat detection and remediation invaluable, he says.
Etailers, hit by attacks via client-side JavaScript code like the Magecart attacks are looking to implement advanced security measures and get visibility into code in their web and mobile applications. “In November, the PerimeterX research team documented a new Magecart twist: multiple attacks by different groups on the same site at the same time,” says Iluz. “Magecart has hit nearly 20,000 domains, including some of the world’s best-known brands such as Procter & Gamble’s First Aid Beauty, Delta Airlines and British Airways.”
The boom in e-commerce is also spawning fraud and ushering in a deluge of stolen credentials on the dark web, which drive attacks as do “password promiscuity, a growing cybercriminal ecosystems and application design flaws,” Iluz says. As websites act more like banks, providing access to credit cards, gift cards, loyalty points and money, they become more vulnerable to cybercriminals.
Spending on security services also has risen, usurping investments in products during 2018 and 2019, according to Forrester. In fact, services, says Gartner, will account for 50 percent of security software by some time this year.
But not all of the significant investment has been in products and services. “A big chunk of VC money directed at the startup cybersecurity community has been spent on sales teams,” says Thomas. “Sales cycles are long in the space, with a ton of companies competing for the same work. So the cost of sales is very high.”
And many organizations have carved out additional budget dollars to train and boost security awareness throughout their ranks as well as hiring on experts in a tight job market.
“Many companies find a shortage of pre-trained security experts and have invested more in training staff internally,” says Leichter. “Well-trained and up-to-date security analysts are scarce and command premium salaries.”
Secure development education and awareness budgets have ticked up in the last five years, says Jack Mannino, CEO at nVisium. “With the amount of public breaches that have occurred, awareness is heightened and this has triggered organizations to invest in training,” he says. “Many of the software developers my team has educated over the past five years had never received formal education on software security prior to this.”
Riskier business
Over the last few years, another factor has emerged to exert influence on budgets and the allocation of resources – risk. As cyber threats persist I both frequency and severity, “enlightened organizations have now moved to a risk-based approach to managing cyber risk,” says Durbin, an acknowledgement “that cyber is entirely embedded across the business and so a cyber threat is actually a threat to business as opposed to something that can be managed from an IT department.”
No longer can organizations afford – both in budget dollars and practicality – a strategy of “throwing a blanket over the entire enterprise,” Durbin says, but rather must align with an approach “that reflects the risk appetite of the business with regard to achievement of business key performance indicators that are aligned with delivery of the overall corporate business strategy.”
Risk management therefore will likely become “the guiding light in determining how cyber risks are handled, prioritized and funded,” he says, driving a need to quantify risk and prompting reporting on the reduction that risk rather than relying on “the traditional maturity assessment or benchmarking against standards.’
But calculating risk as technology continues to change rapidly is challenging. “At the end of the day, every organization has to make direct or indirect calculations of their risk tolerance to guide their security spend,” says Leichter.
Cyber risk quantification methods, though, “have historically been disparate and lacking a common thread,” says CyberSaint’s O’Reilly. He sees progress toward that commonality “with the integration of the FAIR model as a NIST CSF informative reference and the increased use of NIST SP 800-30 as well as solutions that enable the implementation of these frameworks, we are seeing more and more organizations integrate cyber risk into their overall strategy and budgeting.”
The move toward a risk-based model has drawn the interest of the insurance industry, which, sniffing both opportunity and self-preservation has gotten “more actively involved in vetting security technology and an organization’s security posture when underwriting cyber insurance policies,” says Leichter. “This industry is probably best suited to set a monetary value on risk.”
Colin Bastable, CEO of Lucy Security, expects insurance to play a bigger role in assessing risk going forward. “We have enough data available to know the levels of risk,” he says, noting that organizations are moving away from relying on GRC products to manage risk. “A lot of GRC products were popularized a while back, and this led people to think that they could get control of risk, whereas they were really just addressing compliance,” Bastable says. “These solutions took forever to deploy, at immense cost, and shed little light on the reality of risk. Most organizations hope that they are so small that the bad guys can’t see them.”
Stumbling blocks
For all the forward movement and bright spots, as cybersecurity enters a new decade and new challenges, some persistent issues have followed security teams into 2020.
“Inadequate patch management remains a major issue, even in 2020, as outdated and unpatched endpoints are significant vulnerabilities to any network,” says Lopes, even after astounding and costly incidents like the Equifax breach, which stemmed from an unpatched Apache Struts vulnerability. “A single unpatched machine can be an open door for bad actors to exfiltrate sensitive information, which will then inevitably be sold on the dark web.”
Organizations also have thrown money at products and services only to find the solutions are insufficient against wily attackers. “Unfortunately, most money has been spent on systems that address three of the problems and on technologies that can’t keep up with the ingenuity and avarice of hackers,” says Bastable. “I just read a quote from a CEO who said that servers are more secure than they have ever been -- to me that indicated a problem. Most of this stuff just does not work.”
But the real stumbling blocks are more cultural in nature.
“Stumbling blocks in security They “tend to be as much about mindsets as technology. Most security technology has been built around a perimeter mindset, and gathering massive amounts of data about known threats,” says Satya Gupta, co-founder and CTO, Virsec. “Attackers are increasingly adept at bypassing perimeter security, and targeting applications during runtime, leaving few clues behind.”
Organizations suffer, too, from creeping response times (well, relatively speaking). They’re “too slow to effectively stop most attacks before damage is done,” he says. “Security tools need to keep moving towards real-time detection of attacks without prior knowledge.”
Innovation and a leap
The cybersecurity industry is far from stagnant and as long as there are innovative cyber miscreants, there will be innovation. “Very smart people playing defense as well as offense” with the offense “winning hands down,” Bastable says, is driving innovation “from both sides.”
Cryptography will continue to provide a sweet spot for organizations looking to protect data at rest and in transit. “Format-preserving encryption (FPE) and tokenization are advanced cryptography methods that many IT and security leaders are starting to adopt, successfully defending their vast amount of sensitive data from data breaches,” says Deveaux. “Data protected with either of these two methods have not been hacked, nor mentioned as data lost, stolen or exposed in a data breach notification.”
Quantum computing will change the decryption game. Computers “can be used to easily decrypt anything encrypted in seconds, compared to the weeks or years it would take with today’s computing power,” he says. “Homomorphic encryption, where researchers can execute computations on encrypted data, decrypt the results, and get back matching results as if the original data was never encrypted.”
Protecting critical infrastructure will continue to move front and center, as the debate over 5G – and who gets to architect it – demonstrates. “The issue over Huawei and its access to critical national infrastructure as its products are used to support aggressive 5G and other technology roll outs will continue to occupy the minds of politicians and business leaders as economic tension continues to grow and protectionism increases,” says Thomas.
But the cybersecurity market is in some ways a victim of its own success – and careful approach. “The need is so big that the market at large has become incredibly congested,” says O’Reilly. “Because the market is so populated, the need for products and solutions built with substance that enable and support, not cause users to blindly depend on them, is greater than ever.”
Lopes says, “IT providers of all sizes are still in the process of a dynamic transformation from traditional services to a security-first posture,” and that will lead the cybersecurity market to “continue to develop and expand as demand grows unabated.”
Clearly innovation has come to the market in incremental changes. Now, though, it seems to be mired in those small steps. Real progress more likely will come from something more transformative. As Armstrong and Harkins said, 50 years apart, a leap.
