The cybersecurity business is booming, and cyberattacks are fueling its growth.
“We have said historically that we have a multibillion dollar cybersecurity industry because we have an insecure multitrillion dollar technology industry,” Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency, said earlier this month during a media briefing at the RSA Conference in San Francisco.
Global spending on security and risk management is on pace to reach $215 billion this year, up 30% from almost $165 billion in 2022, according to Gartner.
Cybersecurity investments, driven by organizations’ well-founded worries about cyberattacks, underscore a counterintuitive element underpinning the market’s trajectory.
If technology vendors significantly improve the security of their products and services, the need for some security tools could decline. Tools that exist only to offset weak default settings or poor security controls in technology would be less necessary, but security tools and services will never be obsolete.
Through its secure-by-design initiative, CISA is pushing the industry to shift the burden of security responsibility from customers to vendors.
Many top technology firms and cybersecurity vendors, including AWS, Cisco, CrowdStrike, Google, IBM, Microsoft and Palo Alto Networks, signed a voluntary pledge this month to embrace the secure development and operational practices espoused by CISA.
Cybersecurity vendors play it both ways. They develop defenses and mechanisms to help organizations thwart or mitigate attacks, while pointing to cybercriminal activity as evidence of their value proposition for customers. The rush for revenue in differentiated strategies introduces unnecessary complexity.
The cybersecurity industry is part of the problem, according to Allan Liska, threat intelligence analyst at Recorded Future.
“We make it more difficult, we make it more complex than it needs to be because we’re trying to sell everybody $100,000 worth of stuff instead of the $1,000 worth of stuff that might actually help them,” Liska said.
Attacks, defenses rise concurrently
Digital threats and the financial payouts inciting cybercriminal behavior are a grim reality, according to experts and analysts. But, to experts, the damages victims absorb at scale remain unacceptable.
The FBI said it received reports of 2,825 ransomware attacks last year, up 18% from 2022. Data compromises in the U.S. jumped 78% to a record high of 3,205 incidents in 2023, according to the Identity Theft Resource Center.
Systemic weaknesses in network infrastructure persist, including poor credential management, misconfigured or nonexistent multifactor authentication and inadequate patching. These errors are among the most common misconfigurations threat actors use to gain initial access for attacks, according to CISA.
Cybersecurity professionals can add friction to the system and block certain tactics and techniques over time, but cyber espionage and cybercrime aren’t going anywhere, John Hultquist, chief analyst at Mandiant Intelligence, told Cybersecurity Dive.
“The unfortunate reality is that whatever solutions we find, there are going to be new problems,” Hultquist said.
Some of the comparisons made between cybersecurity and public safety are sound and helpful in identifying lessons that can be applied to technology. But there’s a massive difference between cybersecurity and safety, according to Hultquist.
“When we talk about safety, you're generally trying to fight physics, which is, to a certain extent, a knowable problem,” Hultquist said.
In cybersecurity, “we’re talking about a living, breathing, thinking adversary,” Hultquist said. “Even if we do fix something there, they’re going to look for other opportunities.”