By Chris Amery
These are ominous times in the cybersecurity market, if recent headlines prove accurate. Dave DeWalt, former CEO of FireEye, the poster child for the cyber bubble, recently said, “Suddenly, we are in this situation where there are just too many vendors and too few can be sustained.”
Startups relying on a never-ending stream of cash from venture funds are now wondering where the next funding round is coming from. Venture capital firms keen to monetize early-stage investments are keeping a wary eye on the exit plan for their portfolio companies. And end-users are growing impatient with an ever-longer vendor list that is selling an inexhaustible supply of silver bullet solutions which haven’t lived up to their promises.
“I have never seen such a fast-growing market with so many companies on the losing side,” said David Cowan, a partner at venture capital firm Bessemer Venture Partners. All this despite hackers getting more sophisticated, cyber attacks growing in size and scope, and tangible losses mounting. So what’s really going on?
Desperation has taken hold in IT departments and the C-suite. CEOs, CISOs and IT professionals desperate for something, anything, to eliminate their rapidly expanding disaster scenarios have been consuming medicine peddled by the vendor community. Drink this, they promise, and our magic potion will ward off evil hackers and make you healthy again. Companies buy the medicine, so more vendors show up selling even more suspect potions. The cycle continues.
The ultimate problem is that companies are taking this medicine without changing their diets and starting to exercise. The result? Despite buying the latest and greatest technology, attacks continue to be successful and damages continue to rise. The fallout from cybercrime is predicted to cost $6 trillion globally by the year 2021 even as security spending forecasts trend upwards of $200 billion annually. At this point, CFOs throw their hands in the air and beg for an analysis of return on cybersecurity investment.
So what is needed now? First, a deep breath and a new approach. The problem can be managed – and it’s not a function of more medicine. More technology will not make you invulnerable. Security professionals, risk managers, and senior executives need to start with a lifestyle change – “diet and exercise”.
Firms need to understand that their dollars are being spent wisely on the appropriate mix of technology and insurance, leading to an efficient cyber resilience portfolio that cost-effectively reduces overall risk.
It’s time to take a risk-based and maturity-based approach to cyber programs, with four steps:
- Quantify loss scenarios. Measure your exposures in financial terms. Where could your losses come from? Are they physical or financial damages? Are the damages impacting your firm direct or from a third party? Once firms know what they are trying to solve for, finding the appropriate response becomes a manageable problem.
- Analyze maturity levels with a standardized framework. The risk is dynamic, so the response needs to match. Purchasing a control or completing a checklist and moving on provides a false sense of security. A maturity-based approach allows firms to take a dynamic and holistic view of their cyber program.
- Optimize your technology controls and cyber insurance to manage risk to a tolerable level. Once you are able to define the risk and quantify cyber maturity levels, determining a target state of defenses (both technology and financial resources) becomes solvable.
- Benchmark against your peers where possible. Cyber risk is not a firm-specific issue – properly testing your approach versus your peers' approach allows both the firm and the industry at large to continuously evolve towards ever-increasing resilience.
This approach solves a host of issues currently faced in cybersecurity. It promotes a standardized approach across firms and industries to manage cyber risk.
As a recent New York Times article headline put it: “Cybersecurity Today Is Treated Like Accounting Before Enron”. Our digital assets are too important for this. We need defensive policies and more uniform corporate governance. This allows security leaders, executives, and risk managers to speak the same language, and manage an agreed-upon risk profile. CFOs can confidently analyze their security spending ROI. And firms can evidence a cost-effective, dynamic, and defensible resilience to cyber events.
What does this mean for the cybersecurity market overall?
Ultimately, it’s a healthy evolution. The generation of vendors selling medicine without an overall view of the patient will be forced to evolve or fail. Firms will demand cost-effective, holistic solutions to manage their mix of cyber technology controls and insurance. CISOs and insurance buyers will be able to justify their budgets to CFOs using defensible metrics. Capital will flow to the cybersecurity firms providing comprehensive solutions to their clients.
And the world will be a safer place with efficient and effective cyber resilience management.
About Chris Amery
Chris Amery is Vice President, Professional & Financial Services for Axio.