Facebook’s security breech, the recent debate over China’s spy chips embedded within Silicon Valley tech giants’ hardware and the list of cybersecurity incidence will only keep growing. In the last 3-5 years, the world seems to have paid a lot more attention to the growing importance of cybersecurity. Without a doubt, it is a high growth market globally
Cybersecurity is not just a technically complex field but is also one that is rapidly evolving in terms of technology and industry landscape. While it is often easy to understand what drives growth and demand within an industry, the intricacies and nuances are hard to comprehend. The parts of the industry that are most talked about in the media i.e. web security naturally captures the most mind-share and are arguably easier to understand. In this cybersecurity mini-series, we seek to provide a comprehensive top-level view on the industry with an emphasis on key industry segments, trends and economics.
Hardware, Software and Services
It is useful to think of the cybersecurity industry along the lines of
- Hardware products: Examples include secure network equipment, access cards, biometric scanners and computer chips designed for hardware level security
- Software products: Antivirus software, threat detection systems, cryptographic key certificates are common examples
- Services: Common services in the cybersecurity arena includes Managed Detection and Response, Integrated risk management (i.e. consultancy services) and infrastructure protection
Based on industry estimates by Gartner, equipment form ~10% of the market, services account for ~70% and software make up the remaining ~20% of the market
Operational Technology vs Information Technology
Operation Technology (“OT”) supports physical value creation and manufacturing processes. It therefore comprises the devices, sensors and software necessary to control and monitor plant and equipment. Information Technology (IT), on the other hand, combines all necessary technologies for information processing.
Again, a few examples might help. ERP systems, CRM platforms are typical examples of IT systems that supports an organisation’s process. On the flipside, supervisory control and data acquisition systems (“SCADA”) and signalling setups for trains and public transportation are examples of OT systems.
Historically, while IT systems have embraced open-source concepts, OT systems were primarily built on proprietary, closed-end architectures. There has however been a gradual convergence of OT and IT systems, driven by the need for greater integration, supervision and coordination across organisational functions. Industry observers note that as OT systems start to be more connected and open, it opens up security vulnerabilities and increases opportunities for cybersecurity breaches.
A key point to note is that the industry players (or vendors) for IT Cybersecurity and OT Cybersecurity are vastly different with limited (albeit some) overlaps. In the OT space, one would find players such as Raytheon, Lockheed Martin, Siemens and other large global electronics systems integrator. Traditional IT players like IBM, Cisco, Symantec and a long tail of newer players such as FireEye and Palo Alto Networks serve the IT cybersecurity space.
Types of Cybersecurity
The very fact that cybersecurity vulnerabilities cuts across many different aspects of an organisation’s IT or OT systems gives rise to numerous industry subsegments. This is in part the reason why the industry has been fragmented, as niche players emerge to specialize in different aspects of cybersecurity, which we seek to explain briefly below.
These segments loosely describe “what to protect”:
- Network Security – Practically any form of network. In the commercial sector, this primarily relates to data and information networks (including payment networks). In industrial settings, wired and wireless networks for supervision, system controls and data acquisitions would fall within the real of network security. In military and government context, core communication backhauls (including satellite communication networks) are aspects of network security
- End Point Security – An extension of Network Security, End Point security relates to protecting the edge of networks. Theis is typically characterised by a user terminal such as a laptop, mobile phone or any device through which one could access the network
- Identity and Access Management (IAM) – Related to End Point Security, IAM seeks to protect and enforce access rights, through the various endpoints into networks. Think of two-factor authentication, biometric access and passwords
- Web Security – By far the broadest and most commonly talked about field, Web Security involves multiple aspects including Databases, internet communication, content and personal data protection.
- Infrastructure Security – As the name implies, Infrastructure Cybersecurity pertains to critical assets like data centres and other public utility infrastructure such as transport, street lighting, power generation and transmission etc.
- Others – There are many other areas, one of which is security for nearfield technologies (Bluetooth, NFC etc.)
Adjacent to these industry subsegments are attack vectors which are commonly described by industry observers as the “how to breach”. Each of these represents a field on its own
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
- Man-in-the-middle (MitM) attack
- Phishing and spear phishing attacks
- Drive-by attack
- Password attack
- SQL injection attack
- Cross-site scripting (XSS) attack
- Eavesdropping attack
- Birthday attack
- Malware attack
We plan to cover these in a subsequent article and invite industry experts to contribute views towards betterment of the content piece.
Industry trends and economics
A common misconception, even among senior business leaders is that growth (or the prospects of growth) is great. There is no doubt that the cybersecurity market is a high growth sector, that spending on cybersecurity has increased – tremendously – and the fundamentals are there to support continued growth in industry spending as least for the foreseeable future.
The issue that many industry analysts have started to notice is that top-line growth are not translating to earnings growth and investments are not translating to returns
- Many managed security services providers, even when at scale, struggle to turn profitable under the dual pressure of mounting staff cost and declining prices as services get commoditized.
- Software vendors face similar challenges, in addition to R&D investments that are always having to keep pace with evolving threats.
- As the lines of OT and IT cybersecurity blurs, cybersecurity specialist find themselves competing against larger electronics systems integrator and equipment vendors who view security as a capability extension rather than a core revenue stream, putting pressure on pricing as they approach clients with an entirely different industry logic.
Theses and the resulting trend towards industry consolidation are worth exploring in a separate piece. For now, established companies and startups alike continue to plough billions of investments into the cybersecurity sector; and it remains an open question whether the flow of capital into R&D, industry education, talent and ecosystem development will yield the intended economic and social benefits that would ultimately payoff.