February 25, 2021
The Automation Illusion
New, sophisticated cybersecurity tools are invaluable in securing our digital world, but they increase, rather than obviate, the need for well-trained cybersecurity experts.
Ten years ago, Marc Andreessen famously noted in the Wall Street Journal that, “software is eating the world.” The gist of this argument will be familiar to most and has been borne out by the subsequent years in industry after industry; from retail to movies to telecom and beyond, the virtual dimension has overtaken the physical. The trend for enterprises to undertake digital transformation initiatives to automate, streamline and better serve customers has moved from forward-thinking to table stakes in an eyeblink. Meanwhile, the challenges stemming from the pandemic have accelerated this trend, as remote and virtual workspaces become the norm.
The movement from the physical to the virtual, and from manual to automated processes, is a long-term, secular trend, and generates its own peculiar consequences. One of these has been the meteoric rise in cybersecurity concerns. As highly sensitive data, both for individuals and enterprises, moves primarily or even exclusively into cyberspace, the opportunities for bad actors to exploit it have flourished. Correspondingly, total spending on cybersecurity by enterprises has outpaced IT spending overall, growing at a CAGR of 10.4% from $167.1B in 2019 to $248.26B by 2023, according to Forbes.
Ironically, perhaps, the proposed solution to the security concerns generated by the ascendancy of software seems to be…more software. The investment in cybersecurity technologies, from threat intelligence platforms to endpoint detection to network traffic analysis, has led the way in the fight against threats, with over $8.5B invested in cybersecurity software in 2020 alone, according to Gartner. It’s easy to see why this is necessary; the sheer scale of the threat, with the proliferation of attacks and attackers (including state actors), demands a defense equal to the task. Many of the most brilliant minds in the tech world have spent years creating sophisticated tools for this purpose, with venture capital pouring into the supply side and enterprise IT budgets bringing the demand.
Yet, for all this investment in technology, there is something missing, commonly referred to as the “cybersecurity skills gap.” A fortress may have high walls, a wide moat and a secure position, but without defenders manning those walls, invaders will eventually find their way in. Similarly, even a full stack of automated tools for cyber defense still requires trained, experienced professionals with the ability to elevate, respond and redress the threats these systems detect. While these tools help cyber professionals address problems more efficiently and separate the signal from the noise, all of this automation had coincided with, rather than alleviated, a widening skills gap.
Investors are starting to address this problem by focusing on cybersecurity training for IT professionals developing a specialty, as well as general workers who require a greater awareness of the risks their digital activities may carry. In 2020, $464.4mm was invested in cybersecurity training companies; a good start but ultimately dwarfed by the $8.5B invested in software tools in the same year, according to data sourced from Pitchbook. This imbalance has led to a byzantine technology ecosystem that continues to leave enterprises, and their data, exposed. Currently, there are only 1.2 qualified cybersecurity professionals in the US workforce for every job opening available. The average ratio for the US job market is 5:1 – highlighting the severity of the shortage.
There are two critical ways companies are seeking to alleviate this gap, and both present key opportunities for consolidation and investment. The first trend is to invest directly in the cyber training space by taking advantage of Mr. Andreesen’s insight to use automated platforms that can streamline and accelerate the development of cybersecurity qualifications. These platforms lack maturity, so there’s no clear dominant approach. However, as both enterprises and IT providers strain to find talent, they will need to take advantage of the tools available to them.
The second dominant trend continues to be the growth in Managed Security Service Providers (MSSPs). These specialized MSPs can leverage stacks of third-party tools within their own Security Operation Centers (SOCs) or leverage native technology to manage clients’ security suites. This is yet another highly fragmented market, but there is a clear separation of value between those with proprietary tools and technology and those who are entirely reliant on third-party tools. Nonetheless, a consolidation rush is on, and differentiation in this market will depend on figuring out how to balance the right technologies with finding, training and retaining the people with the skills to make those technologies worth the investment.