Security has been a chief concern for enterprises since the early days of computing. As software has evolved to enable businesses to be more productive, hackers have also evolved to take advantage of vulnerabilities in the tech stack. The DDoS attack on Dyn last October, which resulted in much of the American internet being unavailable for the majority of the day, unveiled a pretty scary weapon available to hackers called the Mirai botnet. And while the malware was eventually contained, cyber attacks remain a very real threat to enterprises.
I’ve noticed at McKinsey, where we pride ourselves on client confidentiality, that we have begun to approach enterprise security with a renewed sense of urgency. The firm has conducted a massive cyber security campaign including: mandatory courses for new hires, periodic phishing tests (unfortunately, yours truly has failed a few!) and the addition of a new cyber solutions group to support the firm internally as well as engage with many of our enterprise clients. All this is encouraging and I’m glad the firm is investing in this area. But still it’s tough to feel at ease if for no other reason than the fact that it’s tough to deciphere the world of cyber security jargon.
So what exactly is shaping the nebulous world of cyber security and what can we expect in the near term? There’s a lot of literature on the various types of attacks and the underlying technology being used in these attacks. In layman’s terms, however, it boils down to two (almost opposing) trends:
- (1) Commodification and automation of basic attacks: Known vulnerabilities are being included in attack scripts and being made available to less skilled attackers. In addition, networks of attack robots are running attack scripts against any device connected to a network.
- (2) Professionalization and specialization of attackers: Attackers are acquiring the skills to plan and launch long-term campaigns and advanced persistent threats (APTs). In addition, electronic platforms, e.g., “ExploitHub”, connect attack experts globally and allow for trading specific skills. Finally, better educated attackers are entering the scene, e.g. secret services building up cyber security capabilities.
While the development of these themes (particularly the second one) is alarming, the good news is that there are a number of industry stalwarts who have long been building and re-building software to fight these attacks. In addition, there are a range of emerging players who are also building meaningful security products.
Cyber security companies can be grouped into 5 categories: (1) endpoint security, (2) network security, (3) web/ messaging security, (4) identity and access management (IAM) and (5) security and vulnerability management (SVM). Below I have provided a view by category of each of these categories and some of the existing and emerging players:
So where’s the opportunity for new entrants? All five of these categories have real opportunity and one could credibly build a company around each. But right now IAM and SVM are particularly relevant to large enterprises, many of which have little institutional knowledge of these categories. IAM is crucial because corporate data, and especially customer data, is often an enterprise’s most valuable asset – to suffer identity fraud could be catastrophic. SVM is important as well becasue most large enterprises don’t have a clear sense of their risk levels or ways to track vulnerability. Diagnosing and then monitoring risk levels helps enterprises understand where they are vulnerable and what they can do to shield themselves from attack.
I hope we see more companies built around these two areas because we’re going to need high quality software tools to protect against the attacks we are seeing from a new, and very sophisticated, generation of hackers.