Cybersecurity has enjoyed good health but is an industry itching for innovation and transformation – and the next big thing, Teri Robinson reports.

When Neil Armstrong climbed down the ladder on the Apollo 11 lunar module, the Eagle, and toed the moon’s surface, as he so aptly stated, his small step simultaneously represented a giant leap. The cybersecurity industry today is somewhere between that small step – a series of them, actually – and a really big leap. 

We need a leap forward. Or so says Malcolm Harkins, chief
security and trust officer at Cymatic. “We need transformational change rather
a step” a la Apple or Uber, he says about an industry that has had its fair
share of innovation but has seen much of its progression come from incremental
changes that “are easier to get people to buy into.” But those incremental
changes have resulted in complexity and a dependence on an array of products that
keep cash flowing into the market but may or may not work in concert to solve
the thorniest security problems.

Harkins envisions the kind of leap that would bring a
much-needed simplicity to what has become for many organizations an
increasingly complex security architecture. Doable, he says, for those “who
have the strength of conviction and business acumen and leadership to drive
transformational change” and overcome what he calls “the gravitational pull of
the cash cows.”

Cybersecurity, like other markets in a thriving economy,
is enjoying a spate of good health, a trend predicted to continue for a few
years. The global cybersecurity market, in fact, is expected to continue to
tick up from $184.19 billion in 2020 to $248.26 billion by 2023, a MarketsandMarkets
report says.

“The cybersecurity market continues to be robust,
attracting investment and a steady stream of ambitious startups, says Atiq
Raza, chairman and CEO at Virsec. “There continues to be a perfect storm of
rapid changes in technology (such as the cloud and mobility), an ongoing cyber
arms race against well-funded adversaries and a range of new global privacy
laws with increasing teeth.”

Calling the market “more buoyant than it has ever been,”
Colin Bastable, CEO of Lucy Security, notes it has “lots of activity,
innovation and drive.”

Both need – for solutions to combat cybercriminals and
nation-state actors – and opportunity – there’s money to be made – are driving
growth.

The hottest topic: Ransomware – The attacks that transpired last year alone arguably made ransomware the hot topic of the year and most likely a leading contender for 2020, as well, but a new element that cropped up late last year – attackers adding a layer of blackmail to the threat of locking a target’s computer system – solidified its standing. Read on…

“As the world at large wakes up to the need for more robust cyber posture and expects it from the companies they buy from, the need for cybersecurity products has never been greater,” says Padraic O’Reilly, co-founder and chief product officer of CyberSaint.

Indeed, troubling threats continue to crop up and wreak
havoc. “Threats are diversifying and increasing in sophistication, and
businesses and individuals are actively seeking refuge from breached privacy.
Increases in digital skimming attacks like Magecart, account takeover attacks
and mobile attacks increase the need for proactive and behavioral approaches to
dealing with advanced attacks increases,” says Omri Iluz, co-founder and CEO of
PerimeterX.

“The global network of state and non-state aligned threat
actors is forever driving the development of brand-new technologies and
companies to address new threat vectors,” adds Durbin.

No longer relegated to the “depths of the organization,”
cybersecurity “has stopped being something that is discussed solely by hackers
and techies to a subject that has a growing place on the board’s agenda,” says
Hank Thomas, CTO and board director at SCVX, a cybersecurity-focused special
purpose acquisition company (SPAC). “It is falling squarely on the agenda of
many business leaders at meetings such as Davos and is forming the basis of political
debate and policymaking with issues surrounding the choice of suppliers and
partners as seen with the ongoing Huawei as a provider of 5G networks debate.”

Many firms providing security solutions and services have
grown through mergers and acquisitions – and 2019 saw some whoppers:

Maintaining “we are still in early innings when it comes
the cybersecurity and the market,” Steve Durbin, managing director at the
Information Security Forum (ISF), says, “increasingly many companies that have
taken their C and D rounds of funding are wondering what their next move is now
that some of their valuations are out of range for most VCs. A wave of M&A,
consolidation, and IPOs has begun.”

“As we enter 2020 and the new decade, cybersecurity is by
far the fast-growing and most dominant category within the IT industry, and is
poised to remain so, as cyber threats continue to increase in complexity,
severity, and quantity,” says Rui Lopes, engineering and technical support
director at Panda Security.

Pointing to what Gartner says is an 8.7 percent growth in
worldwide IT spending, Iluz stresses “security spending is growing faster than
IT spending, and the demand for security solutions has never been higher.
Security awareness is growing, and security teams are expanding.”

Where did all the money go?

Over the last year or so,
organizations opened their wallets frequently and for a variety of reasons but
compliance with standards and regulatory requirements drove many of the
expenditures, with compliance expected to make up a 30 percent chunk of IRM
spending, Gartner says.

Companies have sunk resources into cloud security as well.
“The move to cloud deployments and containers fundamentally changes how
security needs to be built, but the security industry has been slow to shift
away from legacy, perimeter security models,” says Virsec Vice President Willy
Leichter, who also pegged industrial control systems and runtime memory
protection as investment hotspots.

“Right now, all eyes are on endpoints as critical targets
and on endpoint detection and response (EDR) solutions, as well as true threat
hunting, which takes a proactive, behavior-based approach to malicious
activity,” says Lopes. As the number of flaws, compromises and vulnerabilities
found in “bedrock software and even IT management themselves” proliferate,
enterprise businesses and channel providers are finding proactive, advanced
threat detection and remediation invaluable, he says.

Etailers, hit by attacks via client-side JavaScript code
like the Magecart attacks are looking to implement advanced security measures
and get visibility into code in their web and mobile applications. “In
November, the PerimeterX research team documented a new Magecart twist:
multiple attacks by different groups on the same site at the same time,” says
Iluz. “Magecart has hit nearly 20,000 domains, including some of the world’s
best-known brands such as Procter & Gamble’s First Aid Beauty, Delta
Airlines and British Airways.”

The boom in e-commerce
is also spawning fraud and ushering in a deluge of stolen credentials on the
dark web, which drive attacks as do “password promiscuity, a growing
cybercriminal ecosystems and application design flaws,” Iluz says. As websites
act more like banks, providing access to credit cards, gift cards, loyalty
points and money, they become more vulnerable to cybercriminals.

Spending on security services  also has risen, usurping investments in
products during 2018 and 2019, according to Forrester. In fact, services, says
Gartner, will account for 50 percent of security software by some time this
year. 

But not all of the significant investment has been in
products and services. “A big chunk of VC money directed at the startup
cybersecurity community has been spent on sales teams,” says Thomas. “Sales
cycles are long in the space, with a ton of companies competing for the same
work. So the cost of sales is very high.” 

And many organizations have carved out additional budget
dollars to train and boost security awareness throughout their ranks as well as
hiring on experts in a tight job market.

“Many companies find a shortage of pre-trained security
experts and have invested more in training staff internally,” says Leichter.
“Well-trained and up-to-date security analysts are scarce and command premium
salaries.”

Secure development
education and awareness budgets have ticked up in the last five years, says
Jack Mannino, CEO at nVisium. “With the amount of public breaches that have
occurred, awareness is heightened and this has triggered organizations to
invest in training,” he says. “Many of the software developers my team has
educated over the past five years had never received formal education on
software security prior to this.”

Riskier business

Over the last few years, another
factor has emerged to exert influence on budgets and the allocation of
resources – risk. As cyber threats persist I both frequency and severity,  “enlightened organizations have now moved to
a risk-based approach to managing cyber risk,” says Durbin, an acknowledgement “that
cyber is entirely embedded across the business and so a cyber threat is
actually a threat to business as opposed to something that can be managed from
an IT department.”

No longer can organizations afford – both in budget
dollars and practicality – a strategy of “throwing a blanket over the entire
enterprise,” Durbin says, but rather must align with an approach “that reflects
the risk appetite of the business with regard to achievement of business key
performance indicators that are aligned with delivery of the overall corporate
business strategy.”

Risk management therefore will likely become “the guiding
light in determining how cyber risks are handled, prioritized and funded,” he
says, driving a need to quantify risk and prompting reporting on the reduction
that risk rather than relying on “the traditional maturity assessment or
benchmarking against standards.’

But calculating risk
as technology continues to change rapidly is challenging. “At the end of the
day, every organization has to make direct or indirect calculations of their
risk tolerance to guide their security spend,” says Leichter.

Cyber risk quantification methods, though, “have
historically been disparate and lacking a common thread,” says CyberSaint’s
O’Reilly. He sees progress toward that commonality “with the integration of the
FAIR model as a NIST CSF informative reference and the increased use of NIST SP
800-30 as well as solutions that enable the implementation of these frameworks,
we are seeing more and more organizations integrate cyber risk  into their overall strategy and budgeting.”

The move toward a risk-based model has drawn the interest
of the insurance industry, which, sniffing both opportunity and
self-preservation has gotten “more actively involved in vetting security technology
and an organization’s security posture when underwriting cyber insurance
policies,” says Leichter. “This industry is probably best suited to set a
monetary value on risk.”

Colin Bastable, CEO of
Lucy Security, expects insurance to play a bigger role in assessing risk going
forward. “We have enough data available to know the levels of risk,” he says,
noting that organizations are moving away from relying on GRC products to
manage risk. “A lot of GRC products were popularized a while back, and this led
people to think that they could get control of risk, whereas they were really
just addressing compliance,” Bastable says. “These solutions took forever to
deploy, at immense cost, and shed little light on the reality of risk. Most
organizations hope that they are so small that the bad guys can’t see them.”

Stumbling blocks

For all the forward movement and
bright spots, as cybersecurity enters a new decade and new challenges, some
persistent issues have followed security teams into 2020.

“Inadequate patch management remains a major issue, even
in 2020, as outdated and unpatched endpoints are significant vulnerabilities to
any network,” says Lopes, even after astounding and costly incidents like the
Equifax breach, which stemmed from an unpatched Apache Struts vulnerability. “A
single unpatched machine can be an open door for bad actors to exfiltrate
sensitive information, which will then inevitably be sold on the dark web.”

Organizations also have
thrown money at products and services only to find the solutions are
insufficient against wily attackers. “Unfortunately, most money has been spent
on systems that address three of the problems and on technologies that can’t
keep up with the ingenuity and avarice of hackers,” says Bastable. “I just read
a quote from a CEO who said that servers are more secure than they have ever
been —  to me that indicated a problem.
Most of this stuff just does not work.”

But the real stumbling blocks are more cultural in nature.

“Stumbling blocks in security They “tend to be as much
about mindsets as technology. Most security technology has been built around a
perimeter mindset, and gathering massive amounts of data about known threats,”
says Satya Gupta, co-founder and CTO, Virsec. “Attackers are increasingly adept
at bypassing perimeter security, and targeting applications during runtime,
leaving few clues behind.”

Organizations suffer,
too, from creeping response times (well, relatively speaking).  They’re “too slow to effectively stop most
attacks before damage is done,” he says. “Security tools need to keep moving
towards real-time detection of attacks without prior knowledge.”

Innovation and a leap

The cybersecurity industry is far
from stagnant and as long as there are innovative cyber miscreants, there will
be innovation. “Very smart people playing defense as well as offense” with the
offense “winning hands down,” Bastable says, is driving innovation “from both
sides.”

Cryptography will continue to provide a sweet spot for
organizations looking to protect data at rest and in transit.
“Format-preserving encryption (FPE) and tokenization are advanced cryptography
methods that many IT and security leaders are starting to adopt, successfully
defending their vast amount of sensitive data from data breaches,” says Deveaux.
“Data protected with either of these two methods have not been hacked, nor
mentioned as data lost, stolen or exposed in a data breach notification.”

Quantum computing will change the decryption game.
Computers “can be used to easily decrypt anything encrypted in seconds,
compared to the weeks or years it would take with today’s computing power,” he
says. “Homomorphic encryption, where researchers can execute computations on
encrypted data, decrypt the results, and get back matching results as if the original
data was never encrypted.”

Protecting critical infrastructure will continue to move
front and center, as the debate over 5G – and who gets to architect it –
demonstrates. “The issue over Huawei and its access to critical national
infrastructure as its products are used to support aggressive 5G and other
technology roll outs will continue to occupy the minds of politicians and
business leaders as economic tension continues to grow and protectionism
increases,” says Thomas.

But the cybersecurity market is in some ways a victim of
its own success – and careful approach. “The need is so big that the market at
large has become incredibly congested,” says O’Reilly. “Because the market is
so populated, the need for products and solutions built with substance that
enable and support, not cause users to blindly depend on them, is greater than
ever.”

Lopes says, “IT providers of all sizes are still in the
process of a dynamic transformation from traditional services to a
security-first posture,” and that will lead the cybersecurity market to
“continue to develop and expand as demand grows unabated.”

Clearly innovation has come to the market in incremental changes. Now, though, it seems to be mired in those small steps. Real progress more likely will come from something more transformative. As Armstrong and Harkins said, 50 years apart, a leap. 

From the March 2020 Issue of SC Media