Cry me a river
Remember the “telephone game” played at parties when you were a kid? One person would make up a sentence or phrase and whisper it into the ear of the person sitting next to them in a circle. That person would, in turn, whisper what they had heard into the ear of the next person in the circle. And around the circle the message would go until it reached the initiator, who would then clarify what he or she had originally said. Inevitably, the more people in the circle, the more misguided—and generally hilarious—the message would become.
A similar level of hilarity ensues when multiple reports from various media outlets about the state of cybersecurity spending are published in relatively close proximity.
I know that they say some things are better left unsaid
Approximately four months ago, Cybersecurity Ventures, a self-proclaimed “leading researcher and publisher of reports covering global cybercrime damage projections, cybersecurity spending forecasts, and cybersecurity employment figures” published a report stating that “the world will spend $1 trillion cumulatively on cybersecurity products and services” during the years 2017-2021. Yet just a few days ago, International Data Corp. (IDC) released its first Worldwide Semiannual Security Spending Guide, which put worldwide spending estimates at $101.6 billion annually by 2020—half of the Cybersecurity Ventures projections. IDC continued to estimate that the compound annual growth rate (CAGR) for security products will grow at 8.3%, “more than twice the rate of overall IT spending growth.”
More contradictory still, a UBS Investment Bank analyst published a report in which he indicated that “the cybersecurity industry’s highest growth days may be over,” according to Investopedia. The analyst said that the real growth in security will come from the cloud provider market, only a portion of the greater managed services market. While managed services (more broadly) account for 40.2% of spending in the IDC report, identity and access management, endpoint security, integration services, and unified threat management are top spending categories that don’t appear to be on the decline.
It wasn’t like you only talked to him, and you know it
Just like in “telephone,” participants in the security market projections game are consuming, interpreting, and sharing pieces of information without much regard to what others in the circle are saying—or more importantly, what it means. Of course each entity has its own market research methodology, which accounts for variations, but it seems to me that these vastly different projections are also an indication of something more apparent in security: Hype.
Cybersecurity is currently all about hype. Even the mainstream media are reporting daily on cyber attacks and Russian hacking and WikiLeaks (Oh my!). Security vendors promise myriad solutions to all that ails enterprises, and whichever number from above you believe, vendors are making the best of the fear, uncertainty, and doubt—the overinflated hype—that accompanies the cybersecurity market.
All of these things people told me
At some point, those who know better—security practitioners: end users and vendor representatives alike—have to put an end to the sensationalism and focus on getting real work done. Without a doubt, more information and more assets collecting data (some known to the security team and others, not so much) means that organizations need to scale appropriately. That same problem has existed, however, since computers became ubiquitous (and internet connected) in business in the 1990s. More recent advancements, naturally, have magnified the problems of data protection, but the point is that the runway has existed and will continue to exist. No amount of hype or hyperbole is going to fix what is broken. And what if the $1 trillion number is true? Does that change how enterprise security practitioners secure data? Does that affect how security develops products? Hopefully not.
Keep messing with my head
The aim is to develop or refine products, controls, and processes that allow practitioners to more accurately and efficiently identify vulnerabilities, threats, or incidents. Maybe that means building more products. Maybe it means better and more frequent testing. It absolutely includes a focus on security fundamentals (which are quite a bit less fun than getting all fired up about the gazillions of dollars to be made in security).
Just one method for improving security doesn’t exist—it’s going to take a lot of time, effort, creativity, and an increase in accountability all around. However, what won’t help stop the spread of cyber attacks, malware, data loss, privacy violations, password reuse, software shipped with insecure code, etc. is the spread of hype and sensationalism around what needs to be done in cybersecurity.
The game of “telephone” ends when the first person stops the chain of whispering and corrects what has become overblown or outlandish. The stakes are higher in real-life information security, and it’s up to the market to stop accepting the hype and start paying greater attention to the job at hand.