We've all heard the refrain time and again: The information security industry is on fire.
Reading any number of research reports on the topic lends support to the sentiment. For instance, by 2020 the cybersecurity market is estimated to hit $170 billion at a compound annual growth rate (CAGR) of about 10 percent from 2015 to 2020, according to Markets and Markets. More stats from Gartner reveal that worldwide spending on IT security will reach $101 billion in 2018. And U.S. federal government spending on information security is predicted to spike from about $18 billion in 2017 to some $22 billion by 2022.
The reasons are numerous. Cyberattacks occurring daily are prompting C-level executives and their board members to worry increasingly about the security of their organizations (as well as their jobs). This is resulting in more palpable (yet still somewhat beleaguered) support for IT security planning and resourcing, which we explore more in-depth in this month's “Educating Boards” feature. As well, mobile workforces relying on any number of devices and cloud services are exposing organizations' critical data assets to a bevy of risks. There's also the ever-expanding interconnectivity of networks and systems that enables tremendous productivity, but dramatically multiplies the potential for compromise of myriad data flows.
So there you go. All these stats, all these happenings prove that IT security is hot right now. Right? Everyone – whether they really have a genuine interest in or concern about information security-related problems or not – wants a piece of this hot, hot market.
Just recall, if you will, this year's recent RSA Conference and its tremendous flurry of activity across multiple halls where vendors and service providers of all types hawked their wares. Most assuredly, we had some of the industry's stalwart brands represented alongside quite a few newcomers touting emerging technologies.
By all accounts, for information security leaders working for companies jonesing for some new cybersecurity tech, this was the place to be. Yet, one CISO told me after the event that what RSA affirmed for her was just how many of the products currently available really do more of the same thing. For her – given how varied, driven and successful attackers are now – the need is for truly radical offerings that can provide more active intelligence and defense to detect and then help her prioritize, investigate and triage attacks as they happen. She'd also like the product to learn from all these activities so that responses to similar types of onslaughts in the future are automated and, of course, ultimately protect the corporate infrastructure. She acknowledged there were machine-learning types of offerings represented at RSA, but even this class of emerging products is quite fragmented, with various solutions addressing only bits and pieces of her needs.
And this brought her to a next point: Are solutions doing what they claim they can do? Given the noise, CISOs are frustrated.
But it's not just some vendors that cybersecurity practitioners find exasperating. The other source of frustration is all the hoopla about this hot market. Sure, they actually may be seeing increased interest in IT security troubles from the C-suite or board members, but, as another CISO explained to me in a recent conversation, that attention isn't necessarily resulting in more budget for additional help and resources. Many companies, some in industries where security should have been on the minds of executive leaders 15 years ago, still have only one, possibly two, dedicated IT security pros on board.
When I mentioned an article I read recently that revealed how even large companies that can afford larger investments are not fortifying their security postures as they should – because Target, Sony and others saw no major impacts to market share and experienced little profitability loss after their well-publicized breaches – this CISO affirmed this stance as the norm. As a result, plenty of IT security vendors, old and new alike, are facing difficulties hitting their own revenue goals for the year, he explained further.
Sure, the IT security industry is sizzling right now. It does have a shining future and will see still more progress. There's no argument that security controls, in some cases, already do and will continue to underpin most of the activities in which we all engage these days. Indeed, they're compulsory. And, yes, for some organizations right now, cybersecurity solutions and services are in high demand.
But, make no mistake: There will be and currently are growing pains. For those who simply are entering a long-established and now increasingly flourishing industry based on superficial interest and comprehension, a vague desire to be part of one of today's more healthy markets or entertaining visions of quick and big money, there likely will be no big wins for you. Without genuine care, respect, knowledge, understanding and appreciation for the very IT security pros you're trying to serve and the endless challenges they must confront and manage, you might as well drop what really is a deep-rooted information security industry like it's hot.