Where I Prove I Cannot Predict the Future

June 10, 2024

In my previous column, I delved into the ever-shifting landscape of the cybersecurity market and its implications for practitioners. Now, I invite you to join me on a journey of exploration, as we try to decipher the future of this dynamic field. I must confess, I don’t possess a crystal ball that can predict technology trends, or I’d be a wealthy man. But that hasn't deterred me from pondering over the signs of our evolving future.

I believe two incidents in my recent past sparked the musings you are about to delve into. The first was a simple package my wife had ordered from Amazon. It arrived on our porch while she was away, and as I opened it, I was greeted by the most unassuming of sights: a plain brown box. There was no hint of its contents, flashy branding, or enticing labels. A small sticker over the end tab offered the briefest description of what lay inside.

I turned the box repeatedly, noting the lack of anything but the sticker on a blank box. Then it occurred to me: I’m old. I grew up when an item’s box created excitement and anticipation for me to pluck that specific item off the shelf and take it to the checkout clerk. If I had to select between competing brands, I was often swayed by the words on the box, the colors and fonts, and the little arrow telling me to squeeze the button to hear the sounds it makes.

To test my theorem, I went to the internet and looked up the item on the Amazon website. Sure enough, there were several high-quality, detailed pictures of the item with a lengthy description and associated user reviews. I felt like an idiot. Of course, the product manufacturer would spend their marketing money making the product appealing on the web and not invest a dime to advertise on the box it was shipped in. The marketing job was complete when my wife added it to her virtual cart. Why waste any money on packaging except for the barest minimum?

The second incident was an advertisement for antivirus software. While statistics and awards flashed across the screen, I thought about the last time I had seen these advertisements aimed at everyday television-watching consumers. Even my old employer, Symantec, has dropped its TV pitch to mom and dad. The commercial struck me with its rarity after being a staple on television for nearly three decades.

But antivirus, like almost all cybersecurity products, is now sold to service providers and corporations—not end users. As we stated, antivirus has become a foundational aspect of all IT products and services. It is being built in, no longer just strapped on. Thus, the marketing shifts to target the genuine buyers: analysts in cubicles charged with picking the most cost-effective products.

So, let’s get out our crystal ball. What’s the future, and what trends do we foresee? The first significant change has been the shift from hardware, as almost all security-relevant tasks have been abstracted to enforcement via user interfaces and policy tools. What does that mean? Nearly all security work evolves into high-level policy enforcement and spreadsheets of risks and related controls. The days of the deep-dive hacker are ending, if they ever were anything more than a transient phase of our industry. I am convinced over half the self-proclaimed “elite hackers” were no more than men and women with a couple of good parlor tricks and some PowerPoint slides they used repeatedly (and loudly). The work of information exploitation is still being conducted in sweatshops by people of middling skills employed by shadowy organizations, both state-sponsored and those practicing corporate espionage.

Cybersecurity start-ups are still making money for investors, and this trend will continue, albeit with far less fanfare than pre-pandemic launches. The focus has shifted from enforcing security requirements to tracking and reporting security and risk metrics for CISOs, IT managers, and corporate Boards of Directors. As in the past, two main categories of start-ups will be those with a product that gets them acquired and those with an innovative idea who were starved of revenue and folded the tent.

How will you look to the future for your career? I recommend looking candidly at what corporate buyers want from their security capabilities. You can align with a vendor selling in this market and tie your career to technology. Conversely, you can develop killer Excel kung-fu and become the security whiz corporations turn to for answers to difficult risk management questions. Either way, you should maintain a skillset that makes you employable as a cybersecurity expert. I don’t recommend running around the conference circuit claiming elite hacker status. That ship has sailed.

About the Author

John McCumber

John McCumber is a security and risk professional, and author of “Assessing and Managing Security Risk in IT Systems: A Structured Methodology,” from Auerbach Publications. If you have a comment or question for him, e-mail [email protected].