Invited by a friend in the industry to attend a seminar on cybersecurity investing, I took it as a chance to listen to what is happening in my own industry. At the seminar, there was a panel composed of various investment managers, a few startup CEOs on their third or fourth round of funding (Series C or D), and two people from government agencies. The first thing that struck me was “one of these things is not like the other”. The government agency CIOs were basically saying this startup investment isn’t helping them and they can’t use any of it. The rest of the panel was saying how amazing the cybersecurity industry is and how we can all get rich by investing in cybersecurity companies. The panel, its makeup, and the topics discussed aren’t really the point.
I started thinking through contrarian possibilities. The obvious sales pitch was about how great it is to start a cybersecurity company, get funded, and everyone profits from this cycle. The less obvious thread was that cybersecurity as an industry is here to stay and the current idea of Chief Security Officer (CSO) or Chief Information Security Officer (CISO) is the gold standard for everyone to attain and have in the board room. It reminded me of some older thoughts I’d had, and discarded, a few years ago. It turns out, others had or have the same thoughts. Let’s begin.
Cybersecurity is not a product, it’s a feature. This either seems really simple or dumb. I had this thought many, many years ago. I never quite thought enough about it to really formulate an educated opinion. After a few recent conversations and discussions, I decided to write out my logic to see if it still makes sense.
Cybersecurity is not something you buy, it’s something you practice through risk management, processes, and configurations. The products you buy should come with the ability to secure them. If they don’t, this still falls into your risk management paradigm and you can secure around them with other products. Ah, but cybersecurity is a product! See! Well, let’s split some hairs then. Let’s take a more concrete example.
My refrigerator is running an Android operating system (OS) and can interact with the larger Internet, as well as sync with my personal accounts to report the temperature inside, the power usage of the compressor and lights, and, say, keep track of what’s inside it. Someday, it might remind me of what stock is low, such as asparagus, apples, eggs, etc. In some near-term future, it may just execute an order to replenish the stock.
Let’s say I can’t really secure the Android OS inside the refrigerator because it’s running an older version of the software, the manufacturer is now bankrupt, the updates aren’t happening, and Android is customized beyond a simple update. I can’t “buy cybersecurity” for my refrigerator. I can think through the threats to the Android OS and try to mitigate them. This particular instance of Android offers a few things: Bluetooth connectivity, Internet access via my home wifi, and near-field communication (NFC) for easier pairing or sharing of information. Of course, it also has a touchscreen for manual interactions.
In ranked order, the threats are (this isn’t a real threat modeling exercise, but just to highlight the point): 1. Internet via wifi; 2. Bluetooth; 3. touchscreen; and 4. NFC. There are actually more threats due to the software synchronization with various third-party services over the Internet, like meal plans, calendars, email, cookbook browsing, etc. However, these all fall under the first (Internet via wifi) for the most part. I can buy products to increase the security of the wifi, particularly around access control for the refrigerator. What these products, say a firewall, provide as a feature is increased cybersecurity for my refrigerator.
When I buy a modern car, I expect the manufacturer to have done some basic compliance with accepted information security standards. I don’t buy cybersecurity for the car. It’s just a feature of the car, like adaptive cruise control and the various operating modes (eco, standard, towing, sport) of the engine.
Ecosystems of the Home
What we’re seeing now in Apple, Google, Amazon, and every device manufacturer is a battle for dominance in the home. Calling it the “Smart Home” or “Internet of Things (IoT)” and whatnot does not matter. I read a statistic that, as dominant as ALL electronic commerce seems to be in the world, it’s still only 10% of the total consumer spend. That 90% opening leaves a giant market, and plenty of blue ocean, to which companies can lay a claim. The companies currently benefiting from consumer spend aren’t going to just give up their profits. They’re likely to buy and acquire the successful Internet company to bolt on the revenues and modify the sales channel.
Take the current Android/Google, iOS/Apple, Windows/Microsoft, and Amazon hardware ecosystems to an extreme in some future world. An Apple stove works with an Apple refrigerator, which works with Apple laptops and Apple services, all tied together with HomeKit. There is a similar tie-in for Google with its systems and Microsoft with its systems. In all of these systems, cybersecurity is built in, like usability is built in. You buy into the ecosystem you like and trust, or the default one installed in your residence.
Further, this creates lock-in to a vendor’s ecosystem. If your house is all HomeKit and iDevices, then you’re not likely to switch to other systems.
Ecosystems of the Enterprise
The modern enterprise is a mashup of various security technologies. Few serious organizations are willing to bet their business on just one vendor. In discussions with various Fortune 1000 CISO/CSOs, they would like one vendor to supply everything and make sure it’s following best practices for their industry and organizations. The reality is that one vendor cannot do it today, but we’re getting closer and closer. Managed Security Providers (MSPs) can take on the liability for running parts of a network and handling the risk. By using a cloud provider, many enterprises are partially outsourcing their security to the cloud provider. The hope is that the cloud provider will keep its systems up to date and follow best practices for its customers’ industry, and contracts generally require it. Best practices, in my experience, are a pretty low bar. They are generally the minimum bar to which everyone gravitates.
What does this mean?
Right now the cybersecurity industry is hot. I expect the demand for capable cybersecurity staff to remain high for the foreseeable future. Cybersecurity as a distinct industry will probably fade away over the decades. I think back to Chief Electric Officers and such at the turn of the 20th century, when electricity was new and companies had to either generate their own or build their own transformer plants to convert from utility power. If you’re interested in this history, Nicholas Carr’s The Big Switch has some good background. With the growth of the “cloud”, we’re seeing traditional infrastructures, system admins, and related vendors go through market upheaval.
What should happen over time, possibly quickly, is that the big consumer companies will be scrambling to tout their security as part of their products. Automobiles, planes, lamps, televisions, refrigerators, toasters, headphones, stoves, microwaves, etc. will subtly be judged in the marketplace by what ecosystem they join and how well they stay secure. If you build the next secure embedded operating system, expect to be acquired or to license it far and wide.
It’s all just a thought experiment. The late-1940s California Gold Rush made some miners very wealthy. Most frequently, it made those supplying the miners much more wealthy. I have the same feeling about the cybersecurity industry. Yes, the very one that employs me to supply other cybersecurity companies with data. The irony is not lost on me. However, this is all a contrarian thought experiment.