If you survived the frothy clamor of RSAC16 you certainly left confused by the breathless promises of the 600 or so would-be cybercorns on the show floor. The security industry has reached a new crisis point: We are out of words! The security lexicon is exhausted so vendors are making ever more absurd claims. My favorites: “Machine Learning allows us to analyze all changes in behavior and predict risks and breaches before they happen”, and “Complete unified threat management and protection for your network, web, email, applications, and users”.
The cyber-meme has peaked, and the cold hard light has begun to sober up investors whose heady enthusiasm led to a profusion of new companies, each of which would definitely have stopped the Target hack. Now, just a few weeks later, as evidence mounts that the bubble has burst, boards are warning their companies to prepare for a storm. Silicon Valley can create unicorns, but they need too many VC rainbows to survive.
How did we end up here, and what does this mean for the security market?
The narrative of the industry has been increasingly dominated by those who stand to profit most from a message of doom and gloom. The press feeds on stories of breaches and pwnage. Vendors are complicit, and analysts fan the flames: Markets and Markets recently predicted that the cyber-security market will grow from $106.32 Billion in 2015 to $170.21 Billion by 2020, a Compound Annual Growth Rate (CAGR) of 9.8%. Investor mania has led to what BTIG refers to as the “Game of Clones” – a flood of “me too” vendors, over 90% of which have revenues under $20MM. CISOs tell me that they receive upwards of 25 unsolicited calls per day from vendors peddling nichey products, each of which needs to be evaluated, deployed, managed and maintained through its costly life-cycle.
Even if the market grows as predicted, the funding famine will cause many unprofitable companies to fail or pivot into services – only firms that are delivering value will survive. But I’m not of the view that the market will grow as predicted. There is a common flaw in such analyses, namely an assumption that enterprises will remain as vulnerable over time as they are today. This is wrong. The rapid adoption of cloud computing will eliminate much of the traditional security market opportunity. Hybrid and public clouds are more secure (through better design) than traditional data centers. Cloud services also reduce the need for traditional security products. For example, if you adopt Office 365, you don’t need a “secure email gateway” – email security is a feature of the cloud service. If you adopt Azure AD, not only is the AD forest more secure, but in addition Microsoft can help identify credential misuse. On the endpoint, Windows 10 as a Service forces enterprises to keep current on patches, reducing the opportunity for attackers, and the OS benefits from virtualization-based security and many other security enhancements. In summary, adopting new infrastructure will improve security more than any vendor widget could, and ought to reduce your overall spend over time. The market will grow, but in different ways: the broad adoption of connected / IoT capabilities in mainstream enterprises is a good example of a new market, with its own vulnerabilities and threats. Don’t expect Anti-Virus for your smart door lock, though.
So, as we put the unicorns out to pasture, what do the market and the opportunity look like? Enormous. The bad guys haven’t stopped hacking. Customers have an urgent need to stop breaches and to quickly identify targeted attacks without haystacks of false alerts. That it is possible to secure an endpoint without any legacy network tools or “detect to protect” tomfoolery is quite revolutionary, and Bromium customers appreciate being breach free. Revolutionary tech need not be mythical, expensive, or imaginary, like the unicorn.