Observations About the Cybersecurity Ecosystem in 2021

Sometimes the best insights come during periods of reflection. I have had some time to think about what I learned and observed when building the cybersecurity ecosystem mapping. I wanted to share some commentary that builds upon the ecosystem mapping itself.

I received a lot of good feedback from people about the project. I learned and observed a lot while building it — sometimes without fully realizing what my thoughts meant or seeing the dots I'd connected.

The original ecosystem mapping project was a rote analysis of the structure of the ecosystem. It was built to hold up against the test of time. Endurance necessarily means looking beyond near-term events and focusing on long-term patterns. I wasn't intentionally analyzing anything — just trying to create as accurate a structure and framework for the ecosystem as I could.

The objective here is different: this is my interpretation of what's happening in the cybersecurity ecosystem we're all living in today. As with any projections, it's speculative in nature. There is likely to be disagreement and discourse — but that's what makes predictions interesting.

First, I'll cover a few observations about the ecosystem as a whole and the process of mapping it. The remainder is observations and commentary on individual categories. Not everything in the full ecosystem mapping is covered — just relevant insights I thought were worth sharing.

Ecosystem

The cybersecurity ecosystem is broader than people realize, including people who work in cybersecurity.

The cybersecurity ecosystem was difficult to model. What makes modeling difficult is how enormous the ecosystem is. It feels even more enormous when one of your primary objectives is completeness.

The subtly ironic part about the enormity is how large it seems to professionals with years of experience in cybersecurity. I heard this reaction from other people, and I experienced it myself.

After working in cybersecurity for over a decade, I thought I had a good grasp on all of its parts. Wrong. Maybe this was hubris, or just a false sense of certainty. Whatever the cause, the big takeaway is this: understand and accept that the full scope of cybersecurity is beyond any single person's comprehension.

Industry mappings are relatively inconsistent.

I did not realize how inconsistent existing industry mappings were before doing my own. This isn't a knock against the people who made them — it's an observation about how different and subjective each of our views about the same ecosystem are. Every mapping has similarities — in fact, they're all more similar than different. However, the differences that exist occur in important ways.

At a macro level, most mappings were focused on the commercial aspects of the ecosystem. The approach makes sense for the investors and professional services firms who built them. However, it excludes a large portion of the ecosystem that isn't a product or a company.

For example, no mappings included cyber crime as an industry segment. As we recently learned, ransomware alone has at least $5.2 billion in economic activity. Sure, it's an illicit business, but billions of dollars moving around can't be ignored. Like it or not, cyber crime is part of the cybersecurity ecosystem just like predators and diseases are part of the natural ecosystem.

At a micro level, there are lots of relationships and nuances among companies and industry segments that are hard to account for. As I said in the introductory article, the mapping requires a degree of judgment. People name and group the industry categories differently, sometimes in bizarre and confusing ways.

For example, some companies were grouped in a way that made them appear to be competitors when they are not. This occurred a lot in larger categories like access control, security operations, and infrastructure security. Companies aren't truly competing against one another until granular levels of the mapping.

It was also difficult to fit some companies or products into one industry segment. This happened with larger companies that have a portfolio of products (e.g. Cisco) or products that span multiple categories (e.g. the platform shift from EDR to XDR). This is partially caused by category integration, which I'll cover next.

There are opportunities in both category creation and integration.

Some of the best opportunities for new companies, products, services, and more will come from ecosystem categories that are either loosely defined or completely undefined in the current map. Early stage opportunities and investments need to break the mold, so to speak.

Much of the innovation that has happened in recently IPO'ed companies was from category integration. For example, early movers Palo Alto Networks and CrowdStrike effectively created the now-popular XDR category by merging endpoint protection with other areas of detection, response, and network security. More opportunities still exist in category integration.

Another set of opportunities exists in category creation. The next great innovations will come out of the white space between the categories we recognize today. A pseudonymous Twitter user summarized this opportunity well:

"If your InfoSec program consists of magic quadrant leading tools and meeting compliance reqs, then your InfoSec program is 100% known and understood by your adversaries." —@snorkel

Monad is one example of a product that I believe created a category. Another good example is Tessian with their concept of "Human Layer Risk Management." Companies like these didn't fit cleanly into an existing category without being forced. They're creating new categories by solving problems other products aren't.

Remember: the map is not the territory. The cybersecurity ecosystem is dynamic enough that no mapping can accurately represent what's happening in real-time. Some of the best opportunities lie in undiscovered areas outside the map.

Access Control

Cloud-based authentication companies appear to have won the authentication market. Everything else is a feature, not a product.

Established companies like Okta, Ping Identity, and ForgeRock have essentially won the cloud authentication category. The companies are now public and have been around long enough to establish market leadership.

Less mature and/or emerging categories like adaptive authentication, MFA, etc. are all features, not companies. For example, it's unlikely another standalone MFA company like Duo Security is going to happen again. The next generation of behavioral-based MFA companies are facing an uphill battle. Their best case scenario is to create a good product and get acquired.

More consolidation is likely to happen at the product level. As pre-IPO companies plateau on growth and run out of funding, tech and talent acquisitions will occur. There are still plenty of problems to be solved in this category. However, a lot of the problem-solving is going to be done by the established companies buying smaller companies to round out their product portfolios.

Companies in the access control ecosystem are going to further consolidate and compete with one another.

Access control is an interesting market because it includes a range of companies, from high-performing public SaaS companies to startups to open-source projects. My overarching belief is that most categories in this market have matured, and more consolidation is going to happen.

So far, large companies like Okta, Ping Identity, SailPoint, CyberArk, ForgeRock, etc. have been able to grow to the point of IPO without significant competition with each other. This isn't going to continue much longer. One example: Okta is building a Privileged Access Management product to compete with CyberArk.

Low-competition growth in this market happened because the mega-trends of cloud computing and digital transformations created enough opportunities for multiple new products and companies to grow. The recently IPO'ed companies are now large enough that it's harder to sustain growth. However, they all need to grow in order to reach profitability.

This inevitably means more competition, expansion into new product categories, and consolidation of entire companies. I wouldn't be surprised if larger tech companies start acquiring companies in this space. If a company as large as Slack can be bought, anything in cybersecurity is fair game.

If a disruptive company gets created within Customer Identity (CIAM), it's not going to be competing head-on with the fundamentals.

The market for fundamental Customer Identity (CIAM) platforms is controlled by Okta, ForgeRock, Ping Identity, and other later-stage startups. Competing head-on with these products is a mistake.

Arguably, Segment was one of the most innovative and disruptive customer identity companies. They had a good exit because they did something different within the category that wasn't being done by companies focused on authentication and traditional needs. As it turns out, customer data management was a big deal.

Any companies that hope to do something similar need to follow the Segment model and address an adjacent need. The window in this market is closing, but there is likely still time. Many companies have yet to move away from home-grown customer identity solutions. New companies and new digital commerce experiences are being created all the time. There are still problems to address.

Biometrics are potentially disruptive but fighting inertia.

Biometrics are an interesting part of the access control ecosystem, if only because there is a lot of upside (with proportional downside, especially at a societal level).

The two ways biometrics companies can be disruptive are:

  • Introducing biometrics into a business process or workflow that didn't have them before (e.g. Clear with airport security)

  • Inventing completely new tech (i.e. hardware companies with large R&D investments)

The dilemma with biometrics companies is that some of the new tech either isn't feasible or won't be adopted quickly enough. Their biggest competitors are inertia and lagging consumer preferences.

I still hold out hope that the futuristic world we've seen in fiction can (safely and securely) be played out. Biometrics are a big part of that future.

Application Security

Supply chain security is a big problem without enough solutions.

A lot of attention is being paid to supply chain security based on lessons learned from recent high profile attacks. This is a difficult problem to manage given the inherent complexities and chaotic nature of software dependencies.

There are also conflicting incentives. Companies need to move faster than ever, which means relying on the work of others (i.e. using open-source packages or APIs instead of building every component). Introducing a greater number of external dependencies into your code and environment also creates more risk than ever.

There are multiple recent examples of dependencies gone awry:

  • Login failures from consumer SaaS applications using Facebook social authentication when Facebook went down.

  • Widespread SMS data vulnerabilities caused by telecom carrier reliance on Syniverse.

Help is on the way, and it can't come fast enough. Companies like Phylum and CloudSmith are building innovative solutions. Many more are needed.

The full DevOps pipeline matters to security now.

The CI/CD process was largely ignored by security processes and controls until the SolarWinds breach. This was an easy mistake to make because it seems reasonable to focus on securing code that is being written. The assumption that follows is that code is safe from modification during and after the build process. SolarWinds taught us we can't make that assumption anymore.

There's more nuance, though — security issues in code and configs are important, but the build artifacts and deployment processes need to be secure, too. Perfectly secure code doesn't help you if an attacker can swap in malicious code during or after the build process and get it deployed to production.
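The point above is that build output, not just source, needs an integrity check before it reaches production. As an added example (not code from the original post or from any vendor it mentions), here is a minimal integrity gate between a build step and a deploy step: the build records a SHA-256 digest of every artifact in a manifest and authenticates the manifest with an HMAC, and the deploy step recomputes the digests and refuses anything that was swapped, added or removed after the build, or whose manifest was edited. The key, artifact names and contents are constructed for the example; a real pipeline would keep the key in a secret store and would more likely use an asymmetric signature than an HMAC.

```python
# Added example: a build-to-deploy artifact integrity gate (not from the
# original post). All keys, artifact names and contents are constructed.
import hashlib
import hmac
import json

# Constructed key for this example only; a real pipeline holds this in a
# secret store and ideally signs the manifest with an asymmetric key.
MANIFEST_KEY = b"example-manifest-key-not-for-real-use"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def canonical(digests):
    # Deterministic encoding so the MAC is stable across runs and platforms
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts, key=MANIFEST_KEY):
    """Build step: digest each artifact (name -> bytes) and MAC the manifest."""
    digests = {name: sha256_hex(blob) for name, blob in artifacts.items()}
    mac = hmac.new(key, canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_for_deploy(artifacts, manifest, key=MANIFEST_KEY):
    """Deploy step: return a sorted list of problems; empty means deployable."""
    expected = hmac.new(key, canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # If the manifest itself was altered, none of its digests can be trusted
        return ["manifest MAC mismatch: manifest altered or wrong key"]
    problems = []
    for name, digest in manifest["digests"].items():
        if name not in artifacts:
            problems.append(f"missing artifact: {name}")
        elif not hmac.compare_digest(sha256_hex(artifacts[name]), digest):
            problems.append(f"digest mismatch: {name}")
    for name in artifacts:
        if name not in manifest["digests"]:
            problems.append(f"unexpected artifact not in manifest: {name}")
    return sorted(problems)


def demo():
    """Run the gate over constructed artifacts: a clean build, an artifact
    swapped after the build, and a manifest edited to cover the swap."""
    built = {"app.bin": b"legitimate build output v1.0", "config.yml": b"log_level: info\n"}
    manifest = build_manifest(built)

    # Attacker replaces the binary after the build but cannot touch the manifest
    swapped = dict(built, **{"app.bin": b"malicious replacement"})

    # Attacker also rewrites the digest in the manifest, but cannot re-MAC it
    covered = dict(manifest)
    covered["digests"] = dict(manifest["digests"], **{"app.bin": sha256_hex(swapped["app.bin"])})

    return {
        "clean": verify_for_deploy(built, manifest),
        "swapped": verify_for_deploy(swapped, manifest),
        "covered": verify_for_deploy(swapped, covered),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK to deploy")
```

The gate only helps if the deploy step, not the build host, holds the verification key: a build runner that can both produce and re-authenticate the manifest gives an attacker with access to that runner nothing to defeat.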

There are a lot of exciting opportunities related to DevSecOps and DevOps security at large. DevSecOps is having a well-deserved moment as a result of the increased attention on security in the DevOps pipeline. Existing tools will gain traction, and new ones will emerge.

Application security testing products can never be too good.

Realistically, no application security testing product is going to be able to detect every vulnerability. That creates an interesting dynamic: even the best products aren't perfect.

Snyk is the darling of application security testing right now, but there is plenty of room left for other products to be valuable. A few examples of value are catching more vulnerabilities, helping to expedite remediation, or better coverage of emerging programming languages and frameworks.

For people seeking opportunities, application security is the market that keeps on giving. Technologies change. New threats emerge. Techniques to mitigate them adapt. There is always a need for new products if they're effective.

Web Application Firewalls (WAF) and adjacent features are consolidating.

Cloudflare changed the game. A whole set of adjacent web application security and network security categories are now coming together in unified platforms and services.

The consolidation roughly includes WAFs, API security, bot protection, rate limiting, DDoS protection, and more. Any product at the intersection of networking and security is up for grabs now.

This is a good example of winning a market through consolidation. It used to be painful to implement and manage all the products needed to secure an organization's web applications. Platforms like Cloudflare came along and simplified everything.

Infrastructure Security

Infrastructure security is going to be consumed by cloud security.

The products and industry segments in the legacy infrastructure security ecosystem are being rebuilt in a cloud-first way. Companies like Wiz, BridgeCrew, and more are building the infrastructure security products we've always wanted but weren't able to have until ubiquitous cloud infrastructure platforms gained critical mass.

Some of the good ideas from cloud security might trickle down into on-premise infrastructure security. However, the trickle-down effect may not be significant enough to create large companies. It seems more likely that companies will migrate most or all of their infrastructure to the cloud faster than the next generation of on-premise infrastructure security companies can be built.

Security architecture is interesting again.

Zero Trust and secure access service edge (SASE) are popular topics in cybersecurity. Product companies don't hold back on marketing their products as the solution. However, Zero Trust and SASE are both architecture concepts at their core.

The difficult part about architecture is planning and implementation. Tools to address specific problems within the architecture guidelines exist (e.g. adaptive authentication for Zero Trust). Understanding and implementing the architecture as a whole is less well understood.

Confusion creates opportunities. Products could help, but this is more likely an opportunity for new professional service offerings.

Mobile Security

Mobile security is clearly needed but constrained by device manufacturers.

Pegasus and a recent slew of iOS zero-day exploits validated the importance of mobile security. The challenge for those seeking opportunities to help is the limited access and customization made available by device manufacturers.

Mobile operating systems don't have the flexibility and openness of PC-based operating systems. They're more tightly controlled by device manufacturers. App stores are also tightly controlled — there's not much an external individual or company can do to help make them more secure. Our collective fate is in the hands of the device manufacturers.

A recent example is Google cracking down on stalkerware ads. Enforcement actions like this have to be done by the device manufacturers and their platforms, not private companies.

The surface area for opportunities in this category isn't likely to expand any time soon. The control of device manufacturers has begun relaxing ever so slightly with recent lawsuits. We're still a long way away from open ecosystems and clear opportunities for external security products.

Privacy and Data Protection

Opportunities in privacy are largely restricted by the pace and quality of legislation.

More privacy legislation is needed (domestically and globally), but there is a lack of competent legislators in the world to create thoughtful legislation. Realistically, the best we can hope for in the near term is localized clones of GDPR, possibly with minor improvements. The worst case is much worse: politically-motivated censorship.

Unfortunately, some of the most pressing problems in privacy, censorship, and content moderation can only be solved by large tech companies like Facebook and Twitter. They have large, specialized teams of their own and don't need to spend much time looking externally for solutions, even if they should.

A potential exception is qualified people from large tech companies (with an understanding of the problems they face) who leave and build a company. Without good regulation to guide the market, the people with the best chance of creating a positive impact are likely the ones who understand the problems and nuances from the inside.

Privacy tech will struggle with adoption if it's voluntary to use.

There were several interesting companies and products in the areas of Consumer Liberty and Privacy By Design. Unfortunately, adoption is likely going to lag in companies who don't face specific legislation or other incentives that encourage them to embrace these products.

Incentives are especially important in Consumer Liberty. For the idea of a personal data economy to work, the current incentive structure and economic model needs to be completely flipped. Consumers have to demand compensation for sharing their data. Companies collecting large amounts of consumer data also have to be willing to pay for it.

Consumer understanding of privacy and data protection isn't anywhere close to a point where this can happen. Without legislation to explicitly flip the incentive structure, private citizens alone aren't likely to make this category a viable reality.

Privacy-focused developer tools and the concept of Privacy By Design have a better chance of adoption in the near term. As discussed earlier, DevSecOps is gaining traction quickly. Privacy-focused dev tools are very closely related and are already making their way into the workflows of forward-thinking dev teams.

Professional Services

We need better talent marketplaces for cybersecurity.

Cybersecurity has systemic hiring and staffing issues that a new generation of talent marketplaces could help fix. There is an opportunity to do this well. It would make a huge difference if someone could.

The best options available today are marketplaces controlled by large consulting firms. Good roles are available; however, quality varies. More importantly, the platforms lack the polish and efficiency of consumer-grade marketplaces. We need new solutions.

In a world where an increasing number of people want flexibility and independence, tools for the creator economy are being built, and full-time employment is less stable than ever, we need to rethink our approach. Now is the time for the labor market in cybersecurity to be redefined in a way that works for both people and companies.

The pace of private equity firms acquiring, consolidating, and reselling boutique cybersecurity consulting firms will accelerate.

This trend is already happening in other verticals within professional services. Recent data shows the trend starting to happen in cybersecurity. Momentum Cyber reported 41 security-related transactions for professional services firms in the first half of 2021 alone.

Large consulting firms are investing significant resources into growing their cybersecurity consulting practices. Their growth engine is largely inorganic: they're actively acquiring boutique consulting firms. Large firms simply don't have the time or agility to start every new service offering from scratch.

Private equity firms play an important role in this acquisition cycle. Many small firms are able to develop a solid book of business but need professional help in non-core areas of their business. A recurring theme is a firm with solid technical skills, deep loyalty from a small number of customers, and limited marketing presence. Challenges with internal operations often follow. Private equity firms can bring the business expertise to professionalize a small firm's branding, marketing and sales, and operations, enabling efficient and profitable growth.

Private equity firms also have the potential to create larger consulting firms with enough scale, strategy, and specialization to succeed as public companies — modeling after firms like Mandiant to create the future of cybersecurity professional services. Expect to see more private equity involvement in the cybersecurity professional services category.

Security Operations

Security operations is an underrated area of need in cybersecurity.

Every operator in the industry is painfully tapped out and overworked right now. Many attacks happen on weekends and holidays. Nobody gets a meaningful break. We're in a vicious and unsustainable cycle.

Part of the solution is better use of automation and tools. The limited number of people we have available need to be as highly leveraged and augmented as possible. Broadly speaking, this is the job of security operations.

We already have many of the frameworks, processes, and tools we need. The challenge is using them. People and companies who can deliver highly functional workflows, processes, and true automation have tremendous opportunities in front of them. As Swift on Security so clearly stated:

"Enterprise security is just operational excellence in action."

World-class security operations is the basis for making this a reality.

Security Orchestration, Automation and Response (SOAR) is interesting but still ambiguous.

SOAR is one of the most interesting and promising categories in cybersecurity. Many products and services have entered the fray recently. However, the exact definition of SOAR as a category remains ambiguous for many people.

It seems likely to go in two directions:

  • Generalized automation platforms for cybersecurity (e.g. the Zapier of cybersecurity)

  • Embedded automations within tools in other categories (e.g. low-code IAM workflows, incident response workflows, etc.)

A practical example: vulnerability management and remediation is labor-intensive. Companies have a difficult time keeping up with remediation, particularly for lower risk issues. Vulcan helps to automate the remediation process by prioritizing risks, creating remediation workflows, and making tactical remediation processes systematic. Augmenting a common but arduous process like vulnerability management can reduce a lot of the burden on security operations teams.

This is the promise of SOAR. The category is still relatively nascent. It needs some time to develop and mature. The potential benefits are clear, though — and the most opportunistic cybersecurity teams will be using this new generation of tools to build industry leading security operations capabilities.

Extended Detection and Response (XDR) is brutally competitive.

A clear area of category integration is the consolidation of Endpoint Detection and Response (EDR) and adjacent endpoint categories into Extended Detection and Response (XDR). This trend has been building and has now become mainstream.

As I have previously said, it's a market that many large companies have entered:

XDR is a newer approach to threat detection and response, thus a newer market. Larger cybersecurity product companies are also developing XDR products, including Palo Alto Networks, Cisco, Barracuda, Cynet, and more. It's an emerging market that hasn't been won yet.

The XDR product space is challenging because there are multiple stages to the product. Some products focus on integrations (e.g. CrowdStrike's XDR partnership announcement), others focus on threat intelligence, response workflows, search, and more. There isn't a clear and dominant leader yet.

At this point, it's difficult to say which product is going to win or why. Eventually, the leaders will reach feature parity among their products. Then, the race to win the market will come down to adoption and momentum.

Economically viable threat intelligence would be valuable.

There is a lot of threat intelligence available; however, it varies in relevance, price, and quality. Industry leaders like Mandiant are good at producing threat intelligence, but they haven't been able to do it profitably yet. Running a full-stack threat intelligence operation is expensive.

It would be valuable if a company or organization could standardize threat intelligence data or otherwise shift the cost model of gathering threat intelligence to one that's more financially sustainable. It's possible that threat intelligence itself will always be a loss leader (so to speak), and that profits are to be made through adjacent products and services that make use of the information.

Regardless, high quality threat intelligence is extremely valuable. Low quality information is wasteful at best, and detrimental at worst. Filtering through the noise and increasing signal in an economical way is a significant opportunity.

Web3 and Blockchain

Web3 and Blockchain are a wildcard.

The most nascent part of the entire cybersecurity ecosystem was Web3 and blockchain security. It was challenging to map this category at a detailed level — the technologies are so new and moving so quickly that few people truly understand what this part of the ecosystem really looks like.

I found a good mapping of decentralized autonomous organization (DAO) tooling after I published the initial version. DAOs are only part of the story, so more thought is needed to paint a clear picture of the entire category.

At an abstract level, you could think of Web3 as an overlay on top of the entire cybersecurity ecosystem. A new generation of tools will potentially be needed for every category: identity for Web3, regulation for Web3, application security for Web3, and so on. This category is a wildcard in the truest sense of the word: literally anything could happen.