Over the past couple of years the conversation about cybersecurity has exploded, from a term we used as practitioners to one that is top of mind for most people in the U.S. The media frenzy, initiated by the Snowden event, has created a multi-year news cycle that continues today. As a result we have a lot of commentators on the threats, compromises, budgets, skills, etc. whose commentary is devoid of actual facts. I’ve taken some time to try and apply some data to this overall “threat” landscape that has been talked about for so long. While this is clearly not "scientific" and is open to debate, I feel it does bring some data to the conversation as opposed to the faceless statements that echo in the industry. So much so, in fact, that an echo chamber effect is starting to take hold well outside of practitioners now that the media has focused on it.
There are common beliefs about cybersecurity:
- Compromises are increasing year over year
- Nation state actors, such as China, are driving the compromising
- The threat landscape is continuously evolving
- Compromises of companies have a significant effect on the business bottom line
- CyberSecurity is more top of mind now than ever before
Compromises are increasing YOY
The distinction between attacks and compromises is an important one. Attacks are attempts to gain access, while compromises are attempts that succeed. There are many tools today that allow the unskilled to attack other devices, which is part of the constant increase in attacks. Yet this should not be the real focus of our attention, as it is the compromise of corporations and the subsequent loss of data that is the main point of concern. The U.S. state breach laws provide the best data set, as there are clear legal requirements around data and reporting. As we can see from the statistics tracked by DataLossDB.org, incidents (compromises of PII data) increased from 2009 to 2012. However, from 2012 to today we have seen a steady decrease.
*Breach data greater than 30k elements from Databreaches.net
If incidents are going down, the next question is whether the amount of data compromised per incident is increasing. In other words, are we having fewer but much larger breaches? Looking at the data from Databreaches.net and filtering out small data breaches (30k records or smaller), we see a consistent trend with an anomalous 2014. Two main breaches in 2014, Adobe and eBay, resulted in over 140m records each. This is very different from the media focus on Target, Home Depot, etc.
Nation state actors, such as China, are driving compromises
The vast majority of these compromises are in the retail and financial industries. If we assume that nation state actors are interested in military, political and possibly IP objectives rather than financial gain, then the majority of these compromises can be removed from consideration. While there absolutely has been a significant intelligence gathering effort over the past twenty years or so, it is the rise of eCrime in the 2005 timeframe that has really resulted in the compromises we see today. If we look at PricewaterhouseCoopers (PwC) LLP’s Global State of Information Security Survey 2015, which surveyed over 9,700 global CEOs, CFOs, CISOs and CSOs, we can see their interpretation of the threat actor.
Foreign entities and organizations accounted for only 9% of all compromises in 2014, whereas current employees accounted for 35%. There is no doubt that the long-standing belief in the security industry that insiders account for the majority of security incidents still holds true.
Corporate Security Budgets are skyrocketing
With the belief that attacks are rising and becoming more successful, it only makes sense that corporate budgets would increase to support cybersecurity initiatives. The PwC GSISS 2015 survey, however, shows a decrease of ~4% in 2014. Digging into the data a bit more shows a divergence: companies with $100m or less are decreasing budgets, certain larger-company verticals are declining (Defense & Aerospace (-25%), Technology (-21%), Automotive (-18%)), and just a few verticals of larger companies are increasing (Healthcare (66%), Oil & Gas (15%), Utilities (9%)).
Many assumptions and explanations can be made. However, a few resonate:
- A pause from the 2012-2013 increase has taken effect in 2014
- Overall corporate revenues are slowing resulting in a focus of limited budgets on revenue generating expenses
- Security vendors are providing solutions that are not seen as effective as needed
- CFOs and CEOs are becoming more knowledgeable about cybersecurity and holding CSOs/CISOs accountable for fiscal maturity
This is in stark contrast to Gartner’s 2015-2019 security industry projections. An average 8% increase in revenue is expected in the overall security industry each year, taking the market from $77b in 2015 to $106b in 2019. We believe this is highly optimistic, as it is based on a significant influx of equity into the security vendor industry and does not take into account the budget limitations on the buy side. As a result, we expect a 2015-2017 security vendor industry “crunch” due to revenue misses.
Security compromises have a significant effect on the business
While there is no question that compromises of data result in expense to the impacted parties, there is a belief that they have a significant effect on the business itself: loss of customers, lost revenue due to expense, operational focus diverted to fixing issues, material financial expense, etc. Using share price as an aggregate of all of these components, we look at it for the months preceding and following a compromise. In addition, we overlay the market index to ensure that the direction of the overall market is accounted for when noticing an individual rise or dip. What we see is that there is no evidence of any of these incidents having an effect on the share price.
Target - Dec 2013
Home Depot - 2014
JPMC - 2014
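The share price check described above, as an added example that is not part of the original post: it compares a company's raw return with its market-adjusted (index-subtracted) return in the trading days before and after a breach disclosure. The price series are constructed for illustration, not real Target, Home Depot or JPMC quotes, and the event day, window length and 0.5 price ratio are assumptions.

```python
"""Market-adjusted share price check around a breach disclosure.

Added example; the prices are constructed, not real market data.
Both series fall after the event day, so the raw drop looks like a
breach effect, but it disappears once the index move is subtracted.
"""

# Constructed index closes for trading days 0..20 (assumption: the
# breach is disclosed on day 10 and the whole market dips afterwards).
INDEX = [100.0, 101.0, 102.0, 101.5, 102.5, 103.0, 103.5, 104.0, 104.5, 105.0,
         105.5, 104.0, 102.0, 100.0, 99.0, 98.0, 97.5, 97.0, 97.5, 98.0, 98.5]
# Constructed victim closes: half the index plus a small idiosyncratic wobble.
_WOBBLE = [0, 0.1, -0.1, 0, 0.1, 0, -0.1, 0, 0.1, 0, 0,
           -0.1, 0.1, 0, -0.1, 0, 0.1, 0, 0, -0.1, 0]
STOCK = [round(p * 0.5 + w, 2) for p, w in zip(INDEX, _WOBBLE)]

EVENT_DAY = 10   # index into the price lists of the disclosure day
WINDOW = 10      # trading days examined on each side of the event


def daily_returns(prices):
    """Simple return from each close to the next; len(prices) - 1 values."""
    return [(p1 - p0) / p0 for p0, p1 in zip(prices, prices[1:])]


def abnormal_returns(stock, index):
    """Stock return minus index return per day: removes the market's own move."""
    return [s - m for s, m in zip(daily_returns(stock), daily_returns(index))]


def window_stats(stock, index, event_day, window):
    """Cumulative raw and market-adjusted returns before and after the event.

    daily_returns()[i] is the move from day i to day i+1, so the pre-window
    covers moves ending on the event day and the post-window the moves after it.
    """
    raw = daily_returns(stock)
    ar = abnormal_returns(stock, index)
    pre = slice(event_day - window, event_day)
    post = slice(event_day, event_day + window)
    return {
        "raw_pre": sum(raw[pre]), "raw_post": sum(raw[post]),
        "car_pre": sum(ar[pre]), "car_post": sum(ar[post]),
    }


if __name__ == "__main__":
    for key, value in window_stats(STOCK, INDEX, EVENT_DAY, WINDOW).items():
        print(f"{key}: {value:+.4f}")
```

Run against real closes, the same comparison over the months around each disclosure is what the charts above show: a post-breach dip that also appears in the index is market direction, not a breach effect.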
CyberSecurity is more top of mind now than ever before
Having looked at the attacks, compromises and spending on cybersecurity, the last piece is the overall mind share it has in the world. Using Google Trends we can analyze the events and searches in the public eye relating to cybersecurity. Using various terms, “Cybersecurity”, “china hack”, “ecrime”, “hackers” and “data breach”, we can view the overall relative trends. As we can see here, the historical, pre-2004, view of cybersecurity as “hackers” has diminished significantly.
Removing “hackers”, we can see the more recent terms relative to each other. There has been a significant increase in the space since 2012. This correlates with the significant increase in breach incidents (see datalossdb.org) and large breaches (see the 2014 PII chart).
Narrowing our view from 2011 to the present, we can see a smoother scaling of the overall mindshare. While china and ecrime are relatively low, the overall focus is on the major breaches and general “cybersecurity”.
With this we can see how disconnected the scaling of compromises and the narrative is. While breaches have decreased, PII disclosures have stayed consistent and budgets have plateaued, the projections for the security vendor market have increased, as has the public narrative of the story. I believe that the latter two (vendor investment and public conversation) are lagging indicators and will soon correct themselves.
This will mean a fairly significant pull-back of media attention as well as Board / CEO focus. In addition, there will be a decrease in security vendor investment and a decrease in the number of existing vendors in the space. While budgets, threats, etc. won’t pull back to previous levels, the industry will move away from the “hype” cycle we went through in the 2012-2014 years.