This was supposed to be a post, and it turned out to be a project. Wrapping your mind around everything happening today in cybersecurity, privacy, and risk is a daunting task, to say the least.
From private industry to nation states, startups to public companies, security analysts to executives, the scale and diversity of people and information has grown almost beyond comprehension.
We shield ourselves from the confusion and abundance out of necessity. It's easy to follow the allure of over-specialization — to focus on a narrow set of interests and stills, tuning out the rest of the noise. Yet, the path towards understanding requires a connection to the whole; an awareness of where our path fits into the network of domains in cybersecurity.
Having the information and tools to navigate the cybersecurity ecosystem is the path towards clarity. It's how we can truly make a difference and reach our own versions of professional success. By reading this article, I hope you've found your way to a new tool and set of information that can benefit you for years.
Consider this project a new starting point. Another increment derived from the work of many others. Errors, disagreements, omissions, and revisions are inevitable. There is no right way to define an ecosystem so large and dynamic. This is my current opinion, and my opinion is malleble.
If you want to skip straight to the mapping, you can find it here. The rest of this post explains the reasoning behind how and why I created the mapping. It's focused on a particularly important concept: thinking in ecosystems instead of industries.
Thinking in Ecosystems
A few words commonly used for broad economic categorizations are: industry, market, sector, landscape, mapping, and others. All of these words are accurate to an extent. However, thinking in terms of ecosystems helps navigate the vastness of cybersecurity.
Precision matters because of the mindset I'm encouraging you to think from. Stratechery's definition of ecosystems is a good starting point:
An ecosystem is a web of mutually beneficial relationships that enhances the value of all of the participants.
"Ecosystem" is a metaphor that comes naturally (it's literally derived from nature). It's also a good model for representing something so dynamic and inter-related. The topology of an ecosystem is also important: think of it like a web, not a hierarchy.
Professor James F. Moore is responsible for the seminal work on business ecosystems, developed at Harvard Business School in the 1990s. His famous Harvard Business Review article describes the mindset of business ecosystems:
To extend a systematic approach to strategy, I suggest that a company be viewed not as a member of a single industry but as part of a business ecosystem that crosses a variety of industries. In a business ecosystem, companies coevolve capabilities around a new innovation: they work cooperatively and competitively to support new products, satisfy customer needs, and eventually incorporate the next round of innovations.
Thinking in ecosystems also embraces nature of the times we're living in. From the MIT Sloan Management Review:
The shift to ecosystems thinking challenges the very idea of “industry” that we inherited from the industrial revolution — a discrete set of broadly similar players competing to produce a common end product in a vertically integrated fashion. The coming decades will likely see the further spread of ecosystems, with companies coevolving in temporary clusters of semifluid relationships, spanning traditional industry boundaries. We should therefore be wary of inadvertently applying assumptions from more classical environments or overgeneralizing from a handful of well-known precedents. Instead, we should adopt an ecosystems perspective and consider the specific strategic choices we face, based on our particular situation, aspirations, and capacities.
Like every (non-monopolistic) industry from the industrial era, there are competitive forces within cybersecurity. Companies compete for business. Employers compete for talent. Industry segments grow, consolidate, mature, and decline. All the normal traits of a mature industry.
From a business perspective, participants in the cybersecurity ecosystem have relatively good parity. There are few truly dominant companies or organizations to be found anywhere in the ecosystem — no Google of cybersecurity, so to speak. There are no full-stack, one size fits all cybersecurity products or platforms. We solve our problems through a combination of solutions.
There's more to the story, though. The industrial era is gone, replaced by an information era that gives leveraged individuals nearly as much power as enterprises or nation-states. This shift gives rise to new forms of warfare, threats, and attackers. Ecosystems aren't all full of happiness and mutually beneficial interactions among participants — especially not in cybersecurity.
What's unique about cybersecurity is the destructive, predatory nature that lies beneath the surface. Criminals commit fraud and steal money. Organized crime rings hold data for ransom and sell illicit goods on the dark web. Nation-states attack one another.
The cybersecurity ecosystem inherently includes an element of conflict and warfare. It's more like the savannah than some of its bougie tech contemporaries. An ecosystem in the truest sense of the word.
You could even think of cybersecurity as an ecosystem of ecosystems. Within the broader cybersecurity ecosystem, there are smaller ecosystems at various evolutionary stages. Endpoint protection is relatively mature. Cloud security is newer and less mature. Web3 security is emergent to the point it's barely on the radar.
Change is happening, and it's unrelenting. Again, from James F. Moore:
I anticipate that as an ecological approach to management becomes more common—as an increasing number of executives become conscious of co-evolution and its consequences—the pace of business change itself will accelerate. Executives whose horizons are bounded by traditional industry perspectives will find themselves missing the real challenges and opportunities that face their companies. Shareholders and directors, sensing the new reality, will eventually remove them. Or, in light of the latest management shifts, they may have already done so.
This is the importance of ecosystems, particularly in cybersecurity. Thinking in terms of ecosystems may even be one of the deciding factors in determining the cybersecurity leaders of tomorrow.
Mapping the Cybersecurity Ecosystem
Mapping the cybersecurity ecosystem is a daunting task that relies heavily on the work of others. This work is almost purely derivative — a meta-analysis of various references.
The rationalization of different thoughts and approaches for defining cybersecurity has a lot of value in itself. When discrepancies or subtle nuances existed, I had to stop and think carefully about how to resolve them. We all don't use the same terms, and our perception is guided by our own experiences in cybersecurity.
Stitching together multiple mappings also helped to account for omissions and variances in scope between different iterations. This wasn't the fault of the authors — it's just the difference between looking at an industry versus a broader ecosystem.
Creating an ecosystem mapping requires a degree of judgment. This inevitably means you'll have different opinions about various classifications, definitions, and examples. This is just one iteration — with your help, I hope to make it more accurate in future iterations.
On the issue of completeness, I'll just say that I certainly forgot things. Any omissions were unintentional — either oversimplification on my part or blind spots I'm not aware of. Another area I hope to improve upon.
I hope you find this project helpful, either as a tool to communicate your value in the ecosystem or as a model to understand how your work fits in. Cybersecurity is at an exciting point in time, and I'm looking forward to seeing how this fast-moving ecosystem continues to evolve.