Every year, global investment in cybersecurity increases and pretty much so does investment in cyber startups. And so the inevitable question arises: Are we approaching or already in a cybersecurity bubble, fueled in part by venture capitalists?
The quick answer is yes and no.
According to Gartner Inc. worldwide spending on cybersecurity exceeded $86 billion in 2017, an increase of 7%, and will grow to $96 billion in 2018, an increase of 8%. These figures are easily more than double the economic growth of the United States, the world’s cybersecurity spending leader.
Investment by venture capitalists in cybersecurity is similarly robust. According to Momentum Cyber, a cybersecurity investment bank, 290 investments in cybersecurity companies totaled $4.9 billion in 2017, up from 267 investments totaling $4.3 billion in 2016. In cybersecurity M&Q activity, meanwhile, 175 transactions totaled $20.1 billion in 2017, a small decrease from $20.4 billion in 2016 but still the second-best year ever.
So, returning to my rhetorical question, are we in or on the cusp of a cybersecurity bubble?
The complete, unvarnished answer is that we were but no longer are, notwithstanding the numbers. The fact is, innovation comes in waves, not always rationally, and cybersecurity has been no exception. We still have an enormous amount to accomplish in the cyber realm.
The initial wave in cyber, driven by hype and hope, has been reflective of a military-style “reconnaissance in force” mentality. The cybersecurity industry threw as much innovation as possible at the wall to see what would stick, operationally as well as financially. Fortunately, lessons were learned from this initial wave, which was overcapitalized, and that is giving way to a second, more rational growth wave. Historically, it is this second wave that generates the serious business of building real solutions, as opposed to a perpetual game of “whack a mole.”
Given this, here are the areas of growing cybersecurity innovation and investment I see unfolding in 2018 and beyond:
1) A movement toward data-centric security – i.e., an emphasis on the security of the data itself, rather than the security of networks, servers or applications. In the vast majority of cyberattacks, the target is “the data”. Notwithstanding tens of billions of dollars invested annually in attempting to secure access to the data, data itself remains highly vulnerable. Recent vulnerabilities documented in select Intel microprocessors affecting as many 3 billion devices – as well as the enormous breach of Equifax last year, among other examples -- validate the need to rethink our approach to data security. Homomorphic encryption -- the ability of process data while encrypted -- is one cybersecurity arena with the promise to redefine data security.
2) The implementation of defenses against the weaponization of data. Much of our cybersecurity efforts have been overly focused on the compromise or theft of data for its inherent value or to leverage the data for financial or political goals. As the events of 2017 have demonstrated, data can also be manipulated -- or weaponized -- to shape or create undesirable outcomes. Russian agents, for example, hacked into Democratic Party databases prior to the 2016 election and created negative Hillary Clinton posts on Facebook. They have done similar things in other countries as well. The ease in which data can be copied and transformed on the internet has made IT increasingly difficult to determine the origins of a piece of data. Look for the emergence of data provenance – the process of tracing and recording the origins of data and its movement between databases -- as an essential discipline.
3) Expanded use of and improvements in industrial control systems (ICS). The discovery last summer of Crash Override -- the malware used to hack an electricity transmission station in the Ukraine late the previous year – plus reports of other malware that targeted safety systems in petrochemical facilities in the Middle East reflect rapidly emerging attack vectors focused on critical infrastructure globally. These systems directly impact the smooth functioning of global economies and societies day-to-day. The emergence of ICS attacks also reflects the expansion of cyber attacks from their historic IT orientation to the OT (operating technology) sector. Heightened investment in ICS systems is on the way.
4) Improved security for the Internet of Things (IoT) and embedded systems. The chances for things to go wrong among billions of IoT devices, which continue to grow at a robust clip, are enormous, especially given their minimal security. Many IoT devices rely only on their firmware – a class of software providing low-level control of device hardware – for security, and that is woefully insufficient. IoT devices fall outside the traditional IT domain. They also have low price points, little ability to be updated or refreshed and essentially no one monitoring them. Look for venture capitalists and companies to explore a new paradigm to discover, mitigate and manage extensive IoT vulnerabilities.
5) The start of investment in secure communications at every level – an imperative. Inherent in all security challenges is the movement of 1s and 0s at the speed of light on a global basis. Every device, every system and every transaction everywhere in the world depends upon a layered and interconnected communications infrastructure designed to be functional and reliable, with marginal consideration for security. We also boast an environment in which wireless infrastructure delivers unparalleled flexibility and cost advantage. But there is a downside as well: Our global economy operates on a platform with more in common with a public broadcast platform than a trusted infrastructure.
The bad guys know this, and corporations and venture-backed startups must step up to the plate to help prevent unauthorized interceptors from accessing online communications in an intelligible form.
No one oversees the management of our global digital substrate, let alone protects it. Making this domain safe and secure has become the primary challenge of cybersecurity and the focus of innovators and investors. As threats shift and evolve, so does the work of cyber defenders.
One of the most important showcases for the leading innovators in cybersecurity is InnovationSandbox Contest at the annual RSA Conference in San Francisco. Innovation Sandbox distills submissions from hundreds of cyber innovators down to ten startups with the potential to move the needle in cybersecurity. The value of some of these companies is impressive.
Going forward, innovation, as always, will not proceed on a straight line. The pace of investing will also ebb and flow. But huge investment in cybersecurity will remain essential indefinitely – and this is an absolute certainty.