No organization is immune from cyberattack. As a chilling reminder, the NSA works under the assumption that they have been compromised. They claim that “there is no such thing as ‘secure’ any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build systems on the assumption that adversaries will get in.”
Many organizations rely on yesterday’s security practices to combat today’s threats. A recent survey found that the vast majority of cybersecurity programs fall far short of guidelines drafted by the National Institute of Standards and Technology. Only about one-fourth of more than 500 executives surveyed said their company has a chief information security officer. However, high-profile data breaches have injected a new sense of urgency. Companies are increasing both the size and budget of their security teams.
The IBM Security Services Cyber Security Intelligence Index reports that healthcare, financial services and manufacturing are now the top three industry targets. In the case of manufacturing, proprietary processes or industrial formulas can generate significant value to the hacker. However, growing numbers of manufacturing cyberattacks are focused on sabotage, not espionage.
Whereas cybersecurity was once a tangential technology strategy, businesses are now cultivating dedicated cybersecurity experts, if not creating entire divisions expressly for cyber-protection. The most sophisticated go beyond viewing cybersecurity as a problem and treat it as a pillar of their value proposition to their customers, partners and investors. JP Morgan Chase estimated that its cybersecurity budget would increase by $50 million and its staff by an additional 400. This estimate was made before its massive security breach.
It is predicted that new threats stemming from the growing use of cloud computing, data centers and mobile technology will propel the global cybersecurity market to $120 billion by 2017.
The Talent Imperative
Supremely skilled, technically trained workers are the cornerstone of cybersecurity business defense. Overwhelmingly, the key criterion for cybersecurity company readiness is access to a cyber-sophisticated talent pool. But demand for these folks far outpaces supply. During one week in 2012, more than 340,000 cybersecurity-related job openings were posted in the United States. According to Burning Glass Technologies, cybersecurity positions take one-third longer to fill than the average IT job. This is in part because of a growing requirement for industry certification, which can take years to receive.
Companies require individuals with directly applicable cybersecurity and advanced IT skills and training. Based on recent studies, over 60 percent of job openings state a preference for individuals with a bachelor’s degree. And about 25 percent seek candidates with a master’s degree, up from only 5 percent a few years ago.
In reality, given the highly specialized nature of cybersecurity, firms commonly place a premium on direct experience over a college degree. So while a diploma can certainly be an added benefit, for most companies, plug-and-play experience with proper industry certification reigns supreme. This preference for practical expertise is not surprising given that cybersecurity is an outgrowth of the information technology field, where self-taught, skilled professionals and technicians have always been high on the food chain. Other industries can bridge education gaps with internships and apprenticeships in order to cultivate experience or at least provide job exposure. This is not so easy with cybersecurity, given the heightened sensitivity of the information being accessed.
Clustering Effect
In much of the US, cybersecurity is a homegrown industry. Operations were started by highly trained retired military, government or other IT entrepreneurs who saw an opportunity to contract back to their employers or parlay their talents into commercial cybersecurity operations. Consequently, a great many cybersecurity startups operate within a stone’s throw of major defense and government installations.
But this is an industry spawned from the Internet. Although proximity to existing and prospective clients can be good for marketing and customer interaction, it is rarely essential for service delivery.
This does not suggest that locating in military and government centers with anchor cybersecurity installations is not beneficial. Far from it. These hubs often have a keen appreciation for and knowledge of the industry, growing public-private networks for cybersecurity advancement, tech-savvy federal/defense retirees ripe for a second career, university-housed training and support such as technology transfer and business mentoring, dedicated financing, and much more.
Cybersecurity firms also take comfort in communities with a critical mass of other cybersecurity firms. In short, presence breeds more presence. However, given cybersecurity’s stealth tendencies, the number and magnitude of its firms in a given market can be grossly underestimated by those not in the industry itself. In locations that have undertaken comprehensive analyses, community leaders are often surprised to learn just how many hyper-growth cybersecurity firms are already in their backyard. With secrecy an industry virtue, touting their operations is just not in their nature.
Effective cybersecurity means solving a shape-shifting problem while anticipating the next one. This unique challenge breeds a sort of kinship among those involved. As such, firms clustered near one another have a common understanding: They can speak as one loud voice when third-party assistance is needed, share non-sensitive industry insight, work together to grow the talent pool, and network in ways that help the industry in the aggregate and its players individually. Cybersecurity concentration in one location can risk workforce cannibalization. But effective recruitment of national talent and priming the education pump from within can help to mitigate this problem.
Industry Evolution
The rising number and sophistication of cyberattacks are causing the market for third-party cybersecurity services to balloon. North American spending on managed security services, particularly IT outsourcing, is expected to increase annually by nearly 20 percent to 2017. External cybersecurity services are growing in part because many corporations lack the internal skills and bandwidth to tackle the problem, let alone address compliance issues. They have no choice but to cede the role to third-party professionals.
The military-grade expertise of defense contractors in performing certain specialty services, such as forensics or other post-breach services, positions them well when commercial clients are victims of targeted attacks or breaches. Their experience servicing and protecting frequently attacked military networks gives them a unique vantage point from which to gather rich security and threat intelligence. Among the more prominent defense contractors that have expanded their commercial offerings are BAE Systems, General Dynamics and Lockheed Martin.
There is an increasing requirement for providers of cybersecurity services to partner with those specialized in other industries. For example, in the case of industrial systems or with meter manufacturers, suppliers of these systems must approve and, if possible, integrate security controls. In many cases, the controls are old, have never been changed, are not updatable or upgradable, or may no longer be manufactured. Consequently, security controls must be “bolted on.” This requires the physical capabilities of one industry to work in partnership with the intellectual capabilities of another.
Cybersecurity markets and corresponding opportunities are growing rapidly in Saudi Arabia, South Korea, the United Kingdom, Australia and Indonesia, to name a few. Many countries will need to import expertise to counter skills shortfalls in their own workforce. The export potential of cybersecurity services is becoming global.
Adam Prager is President of Prager Company, a leading economic development and location advisory firm with cybersecurity experience (www.pragercompany.com). Joshua Drew Prager is an intern with Prager Company.