Over the past few weeks, two very different reports have been released that offer helpful insights and answer important questions regarding the red-hot cyber security market. Evidence of the growing importance of cyber security is everywhere – from college students looking for jobs to mobile computing and cloud computing companies that are trying to fill in their product lines with security offerings that get noticed. While everyone knows that the cyber security market is hot, how big is the global cyber security industry and how fast is it growing?

The first briefing answers these and related business questions and gives recommendations for companies that are active in this space. It comes from Frost and Sullivan, and this analyst briefing by Balaji Srimoolanathan is offered for free by BrightTALK (registration is required). The session is entitled: Cyber Security – From Luxury to Necessity.

After giving cyber security definitions, describing threats and defining some basic industry terms, the presentation covers the global roles that various companies have taken regarding cyber security. He described our current period as an early industry phase with radical product innovation. I won’t be covering details of his proprietary material here, but a global forecast is provided in detail by region. During the Q&A session at the end, the presenter did offer these ballpark numbers:

The cyber security end-to-end market was $40 billion (US) in 2010, up from $34 billion (US) in 2009. He predicts that between 2011-2015 the market will grow to somewhere between $60 and $120 billion annually, depending on a variety of factors.

Of course, there are many ways to measure and define the security markets, and other analysts certainly have different financial projections. Still, it is helpful to watch this presentation, in my opinion.
I learned quite a bit about the business side of cyber security, as well as why so many companies are getting into, or expanding in, this field. More than that, it puts some figures behind the numerous headlines coming out of Washington D.C. and Silicon Valley.

The second briefing is actually a white paper that was produced for a wide variety of groups including BSA, CDT, Tech America, ISA and others who offer an interesting defense of our current cyber model going forward, entitled: Improving our Nation’s Cybersecurity through the Public-Private Partnership. Here are a few excerpts from their summary of the recommendations:

“Risk Management:
o Standards: Government and industry should utilize existing international standards and work through consensus bodies to develop and strengthen international standards for cybersecurity.
o Assessing Risk: Government and industry need to recognize that their risk management perspectives stem from different roles and responsibilities….
o Incentives: Government and industry must develop a menu of market incentives to motivate companies to voluntarily upgrade their cybersecurity….

– Incident Management: Government should fully establish industry’s seat in the integrated watch center and begin evaluation and process for growing industry’s presence. Industry should ensure a long-term plan for filling the watch center seats; and participants should report lessons learned from collaborative exercises as soon as possible and undertake improvement measures on a timely basis.

– Information Sharing and Privacy: Government and industry should clearly articulate information needs and how to promote more effective information-sharing to address those needs… Congress should consider whether narrow adjustments to surveillance laws are needed for cybersecurity purposes.

– International Engagement: Industry and government need to engage international organizations and standards-making processes and work together to develop a strategy for engagement, capacity building, and collaboration on issues of global concern.

– Supply Chain Security: Government should expand its participation in the international system that develops supply chain security standards and work with industry to identify and disseminate them. Government should then leverage these standards when it acquires technology and take steps to ensure it does not acquire counterfeit technology products.

– Innovation and Research and Development: The public-private partnership should be used to create a genuine National Cybersecurity Research and Development Plan with prioritized, national-level objectives and a detailed road map that specifies the respective roles of each partner….

– Education and Awareness: The public-private partnership should enhance cybersecurity public awareness and education, and increase the number of cyber-professionals available to both government and business….”

This second report is significant in that it offers a view of the way forward for the industry in the US over the next decade. In contrast, there may be government regulations coming that are opposed by these groups. These new laws may mandate more direct action by the private sector to protect critical infrastructure as well as control what happens in certain cyber emergencies. Here’s an excerpt from an info-security.com article on this subject:

“The bill, the Executive Cyberspace Coordination Act, would give the Department of Homeland Security (DHS) the authority to establish “risk-enforced security practices and standards for critical infrastructure”, according to a summary of the legislation issued by Langevin’s office. DHS would have the authority to create, verify, and enforce measures to protect information systems that control critical infrastructure.
And the department would have the power to determine what critical infrastructure would be covered by the legislation.”

Taken together, I believe that two things are clear. First, the cybersecurity market is hot and getting hotter. Second, there are serious disagreements over what that future will look like.

Any thoughts on either of these reports?