At the anniversary of the Equifax Inc. breach disclosure, the biggest headache for executives in charge of protecting company data has to do with choices — as in, way too many of them.
The number of cybersecurity choices facing chief information security officers, or CISOs, is truly overwhelming, according to those in the industry, as hundreds of “Best in Show” companies vie for rising corporate security budgets while claiming superiority for their small niche of the sector. The growing pressure to protect customer data, and with it, the company’s reputation, has given way to the idea of a Holy Grail of a central solution for cybersecurity.
On Sept. 7, 2017, Equifax disclosed that hackers had gained access to data on about 143 million customers, a figure that grew to as many as 148 million. Hackers got into Equifax because the company was slow to patch a vulnerability in Apache Struts, popular open-source web software. As recently as Aug. 22, another vulnerability was detected in Apache Struts by software engineering analytics company Semmle.
Over the course of the past few months, MarketWatch interviewed several top cybersecurity executives for views of the industry in the wake of the Equifax disclosure, and the need for consolidation in a fractured sector was the most recurring theme. Many see companies dealing with a patchwork of different software offerings for different needs, which can make mistakes — like a delayed Struts patch at Equifax — more likely.
“I think you’ll have to see consolidation,” FireEye Inc. Chief Executive Kevin Mandia told MarketWatch in a recent interview. “The best of breed isn’t sticking out as much anymore.”
To get an idea of how many companies are pitching solutions to CISOs, more than 600 exhibited at the RSA Conference, one of the cybersecurity sector’s biggest annual conferences, this past April in San Francisco. The vast number of options was so overwhelming that executives interviewed by MarketWatch all wildly overstated how many companies were there — they all cited “thousands” of companies exhibiting at RSA, often several thousands, underscoring the bewilderment that appears to be at play in the industry.
SailPoint Technologies Holdings Inc. CEO Mark McClain had one thing to say for CISOs having to deal with it: “Good luck.”
“There’s so many nuanced, isolated, specialty offerings, so the word you hear is ‘fragmentation’: We have a massive fragmentation challenge in the world of security,” McClain told MarketWatch. “You’re hearing a lot of frustration in the buyer side.”
Gearing up for cybersecurity ‘platform wars’
The problem appears to stem from all the different vulnerabilities a particular company faces, and security priorities differing for some companies, which has led to an explosion of specialists in different security fields such as endpoint protection, network security, identity management, email protection, firewalls and on and on.
What most CISOs at companies are looking for, though, is a single-pane, centralized approach that covers all of these fields and can be easily adapted to accommodate new products or face new threats, FireEye’s Mandia said.
“It’s a journey and I don’t think anyone’s arrived at it yet,” Mandia told MarketWatch.
In a recent blog post, Jon Oltsik, an analyst with ESG Market Research, said that 62% of businesses polled want to buy a security suite from a single vendor.
“So, we are at the onset of the cybersecurity ‘platform wars’ where vendors compete for bigger, lucrative deals where deployment projects could span several years,” Oltsik said.
Competing in that battle could lead to huge returns, as worldwide security spending is expected to hit $114.15 billion in 2018 and grow to $124.12 billion in 2019, according to research firm Gartner. It could cost a lot to become a competitor, though — Cisco Systems Inc., believed to be one of the largest security competitors in the market, recently promised $2.35 billion to acquire Duo Security for identity management, which adds to its $2.7 billion purchase of Sourcefire in 2013 and $635 million acquisition of OpenDNS in 2015, among others.
FireEye’s Mandia told MarketWatch that, of all security vendors, Cisco was closest to providing an “envelope” platform.
Gee Rittenhouse, the general manager of Cisco’s security business, told MarketWatch that delays in security-incident detection, and the complexity of juggling multiple vendors cobbled together to form a coherent cyberdefense, are driving consolidation. Rittenhouse said about 20% of customers polled by Cisco in 2016 said they were using 10 to 20 vendors for their cybersecurity systems. Today, about 25% of customers are saying it has grown to more like 20 to 50 vendors.
“When you have multiple vendors built into your systems, it takes a while to coordinate the response and correlate all those events,” Rittenhouse said, explaining that by then an attacker could already be off with stolen data.
“It’s just becoming harder to deal with the complexity of adding in all these elements,” Rittenhouse said. “And before you know it you just don’t have enough staff to operate the gear that you have.”
An eat or be-eaten business
International Business Machines Corp. is another deep-pocketed Dow Jones Industrial Average component that is grooming itself as a security player as it tries to move away from its legacy mainframe business toward services. In its most recent quarterly earnings, IBM reported that security revenue surged 79% from a year ago to $1 billion, its fastest-growing segment, but one that accounted for only 5% of IBM’s sales for the quarter.
For startups and younger public companies seeking to grow their products to scale and compete with Cisco and IBM for customers that want to deal with fewer security vendors, the existential question is whether to eat or be eaten. All these companies want to be the Salesforce.com Inc. or Workday Inc. of cybersecurity, a purely cloud-based and engineered software-as-a-service approach that uses add-on widgets for upgrades and system flexibility.
Both Salesforce and Workday were cited as prime models by Zscaler Inc. Chief Executive Jay Chaudhry and CrowdStrike Inc. Chief Executive George Kurtz as what the future of enterprise cybersecurity needs to be. Not surprisingly, both CEOs extol their products as cloud-native approaches as opposed to legacy, moat-based applications retrofitted for the cloud.
Zscaler’s Chaudhry said the need for security has spawned a gold-rush mentality for security startups and the venture capitalists funding them, and that makes a CISO’s job of weeding through the available options very difficult.
“There’s so much noise out there, overfunding of security companies,” Chaudhry told MarketWatch. “How many products does an enterprise really want? There’s too much stuff going on. I think some of this stuff has to get cleared up. There’s no room for all of these companies out there.”
Speaking of funding, privately-held CrowdStrike has been a big beneficiary of it. With $481 million raised to date, including a recent round of $200 million in June, CrowdStrike stands at a valuation of more than $3 billion, according to the company’s CEO.
“Everybody talks about a platform, not everybody has it,” Kurtz told MarketWatch. “You have to have that cloud-native architecture to be a true SaaS platform, so if you look at the investors who came in at a valuation of $3 billion-plus, they’re expecting a return on that.”
At the same time, CrowdStrike doesn’t appear to be grooming itself as an acquisition target. Kurtz said CrowdStrike is currently at a size and scale that they could go public at any time.
“We can go out today if we wanted to go out,” Kurtz said in late July. “This isn’t years out.”
If CrowdStrike were to go public this year, the company would join cybersecurity companies like Zscaler, Carbon Black Inc. and Tenable Holdings Ltd. that have IPOed in 2018.
Investors seem to be pricing in the potential for acquisitions, as the ETFMG Prime Cyber Security ETF has gained 36% in the past 12 months, while the First Trust NASDAQ Cybersecurity ETF has risen 33%, compared with a 17% advance in the S&P 500 index and a 26% rise in the tech-heavy Nasdaq Composite.
How to stop that 0.1% threat?
Of course, even consolidation is not going to stop the next Equifax, executives said, as data systems can be vulnerable even if everything is being done correctly.
“If you stop 99.9% of something, if it’s a big enough number, 0.1% is still a lot,” SailPoint’s McClain said.
“In some cases I think the industry is starting to get a little bit numb in terms of all these breaches,” CrowdStrike’s Kurtz said. “In general, I think it underscores the fact that the technologies that people are buying, this defense-in-depth kind of approach, is failing because people are still getting breached.”
FireEye’s Mandia painted the struggle of defending against a persistent hacker as even more dire.
“One person has infinite scale on offense on the internet, can create work for millions if there’s one attack that works, [and] it can literally impact every freaking organization on the planet,” Mandia said.
“That asymmetry between offense and defense is more startling than I can explain,” the FireEye CEO continued. “It’s almost like the size of the universe, nobody gets it. The one good hacker is infinitely scalable and every nation we’re up against has that guy.”
Mandia, whose company worked with Equifax following the hack and focuses on state-sponsored hacking threats like Iran, urged that people need to start beating up on the perpetrators rather than the victims of hacking.
“I think we have to step back and start recognizing some of these breaches are done by professionals that if they can go unimpeded with no risk or repercussion, we better start treating the victims differently because we’re setting a bar that’s unreasonable,” Mandia, who declined to discuss Equifax specifically in his interview, said. “We’re beating them up for something that actually the government itself can’t stop.”
Some even used the Equifax hack as a marketing tool. Back in October, Oracle Corp. Chairman Larry Ellison chided Equifax for not updating their security patches in a timely manner and claimed his new automated cloud security product would be able to protect against such a breach.
When all is said and done, even the most comprehensive security plan is only as good as its weakest link, and for most organizations, that weakest link is people, such as the employee who clicks on that legitimate-looking email link.
In the meantime, for cybersecurity companies that are looking to grow through acquisitions, the price of growth likely became significantly higher over the past year.