
"Cybersecurity keeps growing because it keeps selling. This approach is not working."
The cybersecurity market is broken—can we fix it? Yes, but not if security companies just keep selling for the sake of selling.
In 2016, the global cybersecurity market was valued at US$83.32 billion. Less than a decade later, it reached US$185.69 billion (Statista). In 2018, the cost of cybercrime to economies amounted to US$800 billion. In 2024, it is expected to hit US$9.22 trillion.
What is wrong with this picture? Why are companies spending more on cybersecurity, and yet cybercrime keeps growing? There are a few possible reasons:
A digitising society is inevitably going to attract more cybercrime.
Cybercrime is lucrative, low risk, and constantly updating its tactics.
Victims didn't invest in cybersecurity or invested in the wrong things.
Who is to blame for bad security?
Let's address these points, as there are tiny grains of truth obscured by nonsense.
Will a digitising society attract cybercrime? Yes: as more people and services move onto digital platforms, the attack surface grows with them. However, one would expect security efforts to lead to some reduction in the scale and velocity of breaches. Instead, cybercrime keeps growing despite the invention and evolution of sophisticated cybersecurity products, updated regulatory environments, and generally improved security awareness.
Are cybercrime tactics constantly updating? Yes, yet the most commonly used attacks and malware are not new. Phishing, the most used attack, was invented in the 1990s. A group of hackers targeted America Online (AOL) users. Posing as AOL employees, they used instant messaging and email to steal users' passwords and hijack their accounts. This attack marked the beginning of phishing as a cyber threat, which has evolved and become more sophisticated over time, as has the technology to combat this type of attack.
Should we blame victims for underinvesting? No. I can cite examples of banks with unlimited security budgets and large, highly skilled security teams that are still getting breached. Companies are collecting incredible amounts of technical debt with few results. We should also not forget that cybercrime is a crime, and as such, these people and companies are victims.
Then who do we blame for rising cybersecurity costs with no clear decline in cyberattacks? Perhaps we can lay most of it at the feet of the cybersecurity market.
The complexity problem
There is a fourth reason why cybercrime is so rampant. As our world digitises, our systems are becoming more layered and complicated. In the past (20 years ago), companies controlled all their data, hardware, and software. Since then, they have started using cloud services, networking, and functional integrations to create more versatile systems. Those benefits are not in question—look at how much your smartphone has improved your general quality of life and access to information and services.
But the resulting complexity is creating gaps. These gaps can be technical, such as an unpatched system, or human, such as a tired employee clicking on a phishing link. Complexity has made it easier for criminals to thrive, especially as it becomes more lucrative to be a cybercriminal. For example, one of the most active ransomware groups, LockBit, has collected over $91 million in ransom since 2022.
Yet there are many security products made for this more complex era. Managed Detection and Response (MDR), Secure Access Service Edge (SASE), Zero Trust, Data Loss Prevention (DLP), Multi-Factor Authentication (MFA), Threat Intelligence: these are all solutions that were either invented or came of age in recent years to combat the ever-growing threat.
We have the technology, and yet we are not slowing cybercrime. What is going on?
The cybersecurity market is broken. After cybercriminals attack, security companies sell more products to the victims. What if the client wants to mitigate cyber risks before an attack? We sell more products to them. And when that doesn't work, because of misalignment, misconfiguration, or complexity? We sell even more. This is why, in most companies, cybersecurity is likely to be the biggest project management team: every purchase is another deployment to run.
Cybersecurity keeps growing because it keeps selling. This approach is not working, perhaps because we are buying/selling technology, not reinforcing or improving people and processes alongside those deployments.
How to improve cybersecurity
The best results come from aligning security to business risk. Take the example of securing data. Do you know exactly what data poses the biggest risks to your business? If you spend a fraction of your security budget to take care of that data, will it address most of your data risks rather than spending much more to cover everything? These ideas should be at the centre of our digital security strategies.
Performanta studied the situation and has drawn two primary conclusions.
The first conclusion is that cybersecurity is not adequately business-aligned. In answer, we have adopted the Continuous Threat Exposure Management (CTEM) framework, whose five steps (scoping, discovery, prioritisation, validation and mobilisation, as Gartner defines them) align security measures with real business risks and requirements.
Second, three primary elements separate effective from ineffective cybersecurity: Mean Time To Respond (MTTR), optimal coverage, and proactivity. MTTR measures how long it takes, once an incident is detected, to respond to and contain it. On average, this takes weeks to months. Optimal coverage is about visibility across complex systems, a topic explored above. Proactivity represents efforts to stay ahead of cybercriminals through continual optimisation, rather than only responding to their attacks and the mitigation that follows.
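As an added illustration (not part of the original post, and not Performanta's tooling), the following Python computes MTTD and MTTR from a constructed set of incident records. It keeps time-to-detect separate from time-to-respond, and reports the median and the share of incidents contained within a target alongside the mean, because a single long-running breach can push the mean to "weeks to months" while most incidents are closed in hours. The incident records, severities and the four-hour target are assumptions made for the example.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident records for illustration only (not real data).
# Each row: (incident id, severity, started, detected, contained) as ISO 8601 timestamps.
INCIDENTS = [
    ("INC-1", "high", "2024-03-01T08:00:00", "2024-03-01T08:05:00", "2024-03-01T09:00:00"),
    ("INC-2", "high", "2024-03-02T10:00:00", "2024-03-02T10:30:00", "2024-03-02T12:30:00"),
    ("INC-3", "low",  "2024-03-03T00:00:00", "2024-03-05T00:00:00", "2024-03-05T04:00:00"),
    ("INC-4", "high", "2024-02-01T00:00:00", "2024-03-10T00:00:00", "2024-04-10T00:00:00"),  # one long-running breach
    ("INC-5", "low",  "2024-03-06T12:00:00", "2024-03-06T12:10:00", "2024-03-06T12:40:00"),
]

HOUR = 3600.0


def _hours(start: str, end: str) -> float:
    """Elapsed time between two ISO 8601 timestamps, in hours."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"{end} precedes {start}: check the record")
    return delta.total_seconds() / HOUR


def response_metrics(incidents, severity=None):
    """Compute MTTD and MTTR for a set of incident records.

    MTTD is measured from incident start to detection (dwell time).
    MTTR is measured from detection to containment. Measuring MTTR from the
    incident's start instead would fold dwell time into the response figure
    and make responders look slower than they are.
    """
    rows = [r for r in incidents if severity is None or r[1] == severity]
    if not rows:
        raise ValueError("no incidents match")
    detect = [_hours(r[2], r[3]) for r in rows]
    respond = [_hours(r[3], r[4]) for r in rows]
    return {
        "count": len(rows),
        "mttd_hours": mean(detect),
        "mttr_hours": mean(respond),
        "mttr_median_hours": median(respond),
        "mttr_max_hours": max(respond),
    }


def share_within_target(incidents, target_hours, severity=None):
    """Fraction of incidents contained within target_hours of detection."""
    rows = [r for r in incidents if severity is None or r[1] == severity]
    if not rows:
        raise ValueError("no incidents match")
    hit = sum(1 for r in rows if _hours(r[3], r[4]) <= target_hours)
    return hit / len(rows)


if __name__ == "__main__":
    for sev in (None, "high", "low"):
        m = response_metrics(INCIDENTS, sev)
        label = sev or "all"
        print(f"{label:>4}: n={m['count']} MTTD={m['mttd_hours']:.1f}h "
              f"MTTR mean={m['mttr_hours']:.1f}h median={m['mttr_median_hours']:.1f}h "
              f"max={m['mttr_max_hours']:.0f}h")
    # Hypothetical four-hour containment target, assumed for the example.
    print(f"contained within 4h of detection: {share_within_target(INCIDENTS, 4):.0%}")
```

On the constructed data the mean MTTR across all five incidents is about 150 hours, driven entirely by INC-4, while the median is two hours and four of the five incidents were contained within the four-hour target. Reporting only the mean would make the team look as though containment routinely takes a week; reporting only the median would hide the breach that matters most. Both figures, plus the share within target, are what a board-level risk conversation needs.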
Performanta used these conclusions to create Safe XDR, the first cybersecurity service that delivers CTEM. It works very well:
We reduce MTTR down to minutes and, in some cases, seconds.
We deliver optimal coverage agnostically across all systems.
Our customers have proactive postures through market-firsts, such as our Risk Operations Centre (ROC).
These three elements reduce friction amongst stakeholders, reduce noise, increase context and allow for better decision-making, thus keeping you safe.
Cyber safety grows from a coordinated effort between business, risk, technology, and security. Safe XDR represents these areas through a combination of skills and technology to establish a comprehensive and evolving security environment where the customer, not the provider, controls their risks and costs.
Yes, this post may seem counterintuitive as I'm "selling" Safe XDR as the new thing to secure your company.
But I am not selling any new technology. I'm offering you a process and programme to use your technology better, reduce your technical debt, and, above all, reduce redundancy and leave more cash for you. And the service I am selling addresses the issues organisations face with a further benefit: it would cost you less than other service providers or doing it yourself.
This is why we have an answer for a broken market. We stopped selling technology as our primary revenue generator a long time ago, so as not to fuel the mistakes this market is making, and so that we and our customers share accountability for the outcome.
Safe XDR is not just another security solution. It's the realisation of our philosophy that you can get much better security without constantly adding more and more to the stack.
Fixing a broken industry
We need to change how we sell and apply security. It reminds me of the blind men trying to describe an elephant. One feels a trunk and says it's a snake. Another feels a leg and says it is a tree. Meanwhile, the criminals are laughing at us while we grope for answers. It's time to take a step back and see the bigger picture.
Safe XDR is a direct response to what is wrong with the cybersecurity market. It improves coverage, continually mitigates risks, cuts security spending, informs the business, and rescues CISOs and security managers from becoming cannon fodder, all while allowing them to do what they should be doing: securing and enabling the business, not deploying technology.
The solution is not to sell, sell, sell. It's by aligning security with business risk through coverage, response, and proactivity: the Safe XDR way.