I recall that in the early 2000s, as an analyst I would start thoughtful discussions with clients by loudly proclaiming, “There are over 300 vendors in cybersecurity!” It was a mere five years before that when the entire RSA Conference was held in one small portion of a San Francisco hotel ballroom. At the time, it served to impart how important and fast-growing the cybersecurity market was. Today, however, it simply dates me as somewhat of an industry relic.
Protecting an enterprise against all known and unknown cyberattacks isn’t simple or easy, nor should we expect it to be. IT environments have changed radically over the years. There are many benefits to this: the adaptability to a global pandemic is but one obvious and recent example. There are also detriments to all this change, however: securing these evolving environments is more difficult than ever. Furthermore, the task of protecting an enterprise now requires you to extend your focus on the security posture of all the organizations in your network of suppliers, distributors, and partners. Interestingly, a recent report from Forrester Research expects that as many as 60% of all cybersecurity incidents in 2022 will arise from issues with third parties.[1] Moving beyond that, even, we also have the explosion of IoT where the cybersecurity ramifications are only more far-reaching. Next-gen automotive, emerging medical devices, smart cities infrastructure projects, and the blending of IT with OT each create whole new levels of concern that have profound implications for how cybersecurity intersects with physical security and public safety. On the other side, we’ve seen attack motives evolve from notoriety to personal profit, cyber-espionage, and even national interest. With this we see new more well-resourced adversaries such as state actors.
The cybersecurity industry is making impressive strides at an incredible pace. In the past decade alone, organizational spending on cybersecurity has doubled.[2] In that same period there’s been a ten-fold increase in cybersecurity venture funding.[3] We now have over 2,800 cybersecurity vendors boasting a total portfolio of over 6,500 products.[4] We have more seasoned practitioners and a significantly matured cybersecurity discipline benefitting from peer and vendors’ educational efforts, including a thriving new threat intelligence ecosystem. Meanwhile, cybersecurity has truly become a board-level concern, with awareness and attention at an all-time high.
Given all these industry developments, let’s take a step back and ask, “Are we feeling more secure than we were 10 or 20 years ago?” Obviously we are safer for spending on cybersecurity than if we didn’t. Yet are we winning the fight? It feels like we’re at best treading water in defending against cyberattacks and breaches. In fact, the safety of our systems and digital assets seems less assured than ever despite all these innovations and investments. Is this the fate of our efforts: to keep up as best we can rather than have our defensive capabilities outpace the tactics, techniques, and procedures of our adversaries?
We face two fundamental challenges hindering our efforts: the complexity of the environments we seek to protect, and the asymmetry of the battle against our adversaries. Complexity is a byproduct of the digital revolution and technological innovation: businesses run on ever-more intricate, interconnected, and increasingly automated systems. At the pace of change we’re undergoing, it seems we’re destined to leave behind more holes than we can fill. Security architectures themselves are victims of complexity. We now have multiple market subsectors designed to help security teams analyze, prioritize, and respond to all the alerts generated from all the other security solutions in place. Snake, meet tail. Asymmetry is an inherent fact in cybersecurity working against us: attackers have to exploit just one vulnerability to be successful, whereas organizations must defend, find, and shore up all possible weaknesses. As we see attackers with ever more resources behind their efforts, protection shifts to prioritization over completeness. Moreover, these factors of complexity and asymmetry are correlated: as complexity grows, so does the asymmetry, compounding our challenge.
Cybersecurity vendors, and wholly new and innovative types of cybersecurity solutions, have proliferated in response to this, and their efforts are laudable. These new products and services are both useful and necessary. Of course, none are silver bullets either. Each provides an answer to a problem, but not a grand solution to the larger challenge. Successful cybersecurity entrepreneurs and their backers take a problem-first approach when establishing their companies and bringing new solutions to market. These solutions are individually all well-intended, and when properly implemented and properly managed they can significantly advance an organization’s security posture. Nevertheless, discrete solutions exist in a broader context of existing IT and security architectures and the evolving threat landscape. This creates even more complexity, and taken in aggregate threatens the long-term sustainability of our collective undertaking.
Developments such as DevSecOps, “Zero Trust” architectures, and the application of AI to cybersecurity are all steps driving us in the right direction. But they are not sufficient: the attack surface continues to grow, and with it so do complexity, asymmetry, and risk. I don’t have an answer here to this problem, nor do I expect one simply to appear. But that doesn’t make the challenge one to be ignored. The risks are growing, but we are also more aware of those risks and they are more defined than ever. Cybersecurity has been and will continue to be fertile ground for incremental innovation. As an industry, however, I encourage those across the ecosystem – venture firms and incubators, startup founders and cybersecurity behemoths, practitioners and policy makers, academia and other institutions – to think more about our progress beyond new technologies and incremental improvements, to where additional research and investment could best be directed to addressing the long term challenge of our growing cybersecurity risk.
Jonathan Penn is a cybersecurity strategist and advisor with 20 years of experience helping enterprises, government organizations, and the vendor community develop and implement robust cybersecurity solutions. Today Jonathan serves as an Advisor and Investor to companies in the areas of security, privacy, networking, and social -- ranging from early startups seeking product/market fit or first customers, to mature companies adapting to ever-changing market dynamics. Prior to that, he was Director of Security for Avast Software, helping the company drive market disruption to become the leading provider of consumer security and privacy protection. Jonathan held the role of Research Director for Forrester Research, leading a global team of cybersecurity analysts providing groundbreaking research and actionable advice for its F1000 and industry clients.
[1] https://www.forrester.com/blogs/predictions-2022-continued-uncertainty-forces-attention-on-securing-relationships/
[2] Gartner, Forecast Information Security, Worldwide
[3] https://about.crunchbase.com/cybersecurity-research-report-2021/
[4] CyberDB, https://www.cyberdb.co/