Cyber security is a very fragmented market – there are a huge number of cyber security startups, usually focused on a technology niche, rather than a market. This fragmentation is driven by two psychological forces:
1. People naturally worry about unusual disasters and large downsides more than they do mundane dangers. Stories about super sophisticated cyber-attacks are much more interesting than “we forgot to patch our servers” (à la Equifax).
2. Folks have a tendency to overestimate how good they are at something. When it comes to cyber security, most IT organizations are sure they have the basics down pat – even though they may be failing at the most basic foundations of cyber security (e.g. the first 5 CIS cyber controls).
These two natural human tendencies drive the cyber security market to gravitate towards ever more sophisticated (aka complex) solutions to solve “sexy” esoteric attacks. It’s not that organizations can’t be attacked through complex, well-orchestrated, sophisticated zero-day attacks – it’s just that the overwhelming majority aren’t. If we lived in a world of unlimited resources this misplaced focus wouldn’t be a problem, but in the real world cyber security resources are extremely constrained, and increased attention in one area means less in another.
As a quick example, let’s look at a pressing cyber security issue: what are the most dangerous animals in North America? First, in order to answer that we need to define both “animal” and “dangerous”, so let’s define animal as the entire animal kingdom except humans, and dangerous as animals that cause the most human deaths. Turns out when you define it that way it isn’t scary snakes and bears you need to worry about, but rather the mundane, “innocuous” deer. This “scary” vs. “mundane” distinction holds for cyber security as well – the overwhelming majority of damaging attacks are mundane.
The only way to adjust for our natural biases is through measurement and analytics – i.e. focus on real world cyber-attacks, not scary “what ifs”. The resounding result from looking at actual attacks is that most are “mundane” attacks that could have been easily mitigated by a focus on the basics. Once you have basic cyber defense down pat you can start looking at more esoteric protection – if you really need it and it is cost effective.
A platform approach is really useful in this regard – by basing cyber defense on actual data from a wide range of customers, it can help focus a company on the basics as well as democratize access to more esoteric defenses when warranted.