Having recently invested in a cyber security business (Performanta), my colleagues and I have spent the last 3 years getting under the skin of the cyber security market, its challenges and, of course, its opportunities. One thing which really stood out to me was the market's predicted growth.
Here are a few numbers. The Australian Cyber Security Growth Network reckons the global cyber security market, worth $173 billion in 2020, has the potential to grow to $270 billion by 2026. And that by 2026, 77% of all cyber security spending will be focused on external / outsourced managed security services. The market appears vast, but not that surprising when you think about the growing number of cyber attacks – for example, a whopping 94% of organizations worldwide have suffered a data breach as a result of a cyber attack in the past 12 months according to Carbon Black. But I'm going to put my head on the proverbial block and say I think that the 77% figure falls short of what will actually happen.
Predator and prey
Implementing cyber security isn't like implementing cloud infrastructure, where the main objective is scalability and efficiency. The difference with cyber security is that you have some evil geniuses out there actively finding new ways of attacking your systems, which adds a whole new layer of complexity. You can look at cyber security like you can look at evolutionary biology. A predator evolves a strategy to attack its prey. Its prey develops a defense. The predator evolves a more sophisticated strategy, eventually the prey catches up…and so on.
This biological arms race is mirrored by hackers and their targets over weeks and months, not millennia. This speed of evolving threats has led to cyber security becoming a fragmented mess for many enterprises. Perhaps 'mess' is too strong a word, but there are numerous businesses out there who've spent millions on a multitude of cyber security products to protect their networks, systems and people from a range of cyber attacks.
It's now at the point where many companies don't even know what cyber security systems they have – or even how (or whether) they work together. This seems to be a familiar theme where companies spend small fortunes on antivirus, Security information and event management ('SIEM') and Endpoint Detection & Response ('EDR') solutions, before realising they already had the right protection built into their currently solutions (for example Microsoft Defender included in a M365 E5 license). They just had to activate the right licenses using the right managed service partners to achieve the same level of protection for a lot less hassle and a lot less money.
Too much fragmentation, too little protection
These are not isolated cases either. With so many cyber security software products out there, the confusion is real, and in many large enterprises they're run in a disjointed, disorganised way, often by disparate teams. They might have one team just managing antivirus, another team managing data loss prevention, and a further team somewhere else just looking after network security – all choosing their own various stand-alone products with no overall visibility of the bigger picture. It goes a long way to explaining IBM's 2020 annual Cyber Resilient Organization Report that found enterprises deploy, on average, 45 cyber-security-related tools on their networks. The report also highlighted that the "widespread use of too many tools may contribute to an inability not only to detect, but also to defend from active attacks".
Now, casually throw in a pandemic and suddenly enterprises need to connect a huge range of devices remotely and securely. If you're a CISO, you've probably had a few sleepless nights in the last year worrying about all those unsecured home wi-fi connections, running who-knows-what software across who-knows-which unsecured devices – even if you already had a well-established BYOD strategy and zero-trust protocols. And it's only going to become a bigger challenge as the world becomes more connected digitally and a hybrid of home and office-working becomes the norm for many.
HR, IT… CS
So that's the current state of play. And if you think about it, cyber security is now following a very traditional development path for any area of increasing complexity and now, in many businesses, has its own businesses function within organisations. HR for people, Procurement for supply chain, and IT for technology are all centralized business functions that arose from increased complexity. Now the roles of a CISO and a joint team to manage cyber security postures bringing in many disparate teams around the security ecosystem is equally as important. This move goes hand in hand with outsourcing, with the need to ensure the business remains on top of the latest security trends.
This in general is the reason I think that the 77% figure underplays the latent demand for Managed Security Services. How else can any enterprise company possibly hope to both anticipate and keep up with the cyber security arms race to protect their business-critical systems whilst also managing all that complexity in-house efficiently and cost-effectively? The truth is, very few can.
It's in this fragile and fragmented landscape that I think Managed Security Service Providers (MSSPs) will thrive. Why? Because no-one else has the dedicated resources to bring all those different cyber security platforms together. And no-one has the deep expertise to get them working across the enterprise to counter an inevitable swathe of ever-more sophisticated cyber threats – whether from state-sponsored groups, organised crime, or bored teens in bedrooms.