Why is cybersecurity broken?

I have worked in cybersecurity for about a decade now, both in academia and industry, and I started asking myself this question back in 2015. I was then at Symantec, working on a new project about advanced threat detection and prevention. At the time, I was mainly concerned about the technology and detection deficit, and I'll come back to that in another post, but I wanted to take a step back first and look at what else is at play here.

I believe there are three aspects that are negatively impacting this field: geopolitics, the huge fragmentation, and marketing. All three are dramatically influencing both the way the industry is evolving and the way it does business.

Geopolitics 

By this, I mean the narrow political and territorial trap that our human race has fallen into since… well, forever, which often translates into crazy quests for dominance and zero-sum games. And cybersecurity is one of those zero-sum games.

There is obviously a lack of public knowledge about the practices in cyber warfare, but everybody remembers what happened with the leaks from the Shadow Brokers (I recommend the Darknet Diaries episode about it), or a campaign like Stuxnet, which revealed an impressive arsenal of custom tools, processes, and zero-days that none of the existing security controls or policies would have picked up or prevented. And let's be honest, even with the increasing maturity of security solutions, evading them is still relatively easy if you put in the effort.

There is of course a rather vibrant cybersecurity community and some collaboration, but that's just the tip of the iceberg. Even if you don't consider nation-sponsored cyber activities, the hidden activity is still much more prevalent than in-the-open activity. One of the estimates that were part of this report (which I personally contributed to) was that the entire cybersecurity spend in 2019 was about 14 to 15 times smaller than cybercrime revenue! Add to that the overwhelming evidence that nation-states have decided to go on the offensive, so they are (and will keep) undermining the industry and the community. Not good news for the industry, obviously.

Fragmentation

Now, think about the size of the market, and the number of players in it. A lot of people have already said a lot about this, whether it is about overall numbers or per organisation (as in how many vendors are used on average within organisations). In a recent survey by 451Research they mentioned that there are likely more than 1,200 vendors (not products!), and up to 15 security vendors per large enterprise.

I recently played at looking at categories in cybersecurity by going through reviews on Gartner Peer Insights. I stopped after 16 categories and over 700 products (not even considering things in mobile, IoT, password management, or awareness and training services). This level of complexity is unsustainable. It makes me think that you can always find a good reason either to pick a new vendor or product, or to keep existing ones. At the end of the day, I believe the technology has little to do with the decision to stick with a vendor or look for a new one!

Marketing

The huge level of fragmentation and the resulting complexity seen in the industry are driving up the marketing and sales expenditures of cybersecurity businesses. I remember reading this article more than a year ago and thinking, wow! $110 million per day in sales and marketing, and over 40% of revenue! I thought this was insane.

This much money has made marketing the key driver in cybersecurity decision making (for both customers and security vendors). There is theoretically nothing wrong with marketing as a visibility vector, helping potential customers see the key differentiators of a product, but that's not what's going on. It has effectively become social engineering. The Artificial Intelligence overhype of the last few years is an example. The fact that most marketers in this industry don't understand the basics of information security does not help either. This is the trend now in any case, and as a consequence, I suspect the industry will face more and more skeptical users and customers in the coming years, which again, is not good news for the industry.
