I haven’t kept up with the field of cyber security, though before I retired I was pretty deeply involved in it. I was not in the computer security department, but I worked closely with many who were. I had at one time worked for the guy who was a high-level manager of the organization and had meetings with him and members of his group. So, while I have relevant background, I have virtually no current knowledge.
The problem is complex and manifold. First, information/data in need of protection comes in two basic forms: data at rest and data in motion. Most cyber attacks (but certainly not all) go after data at rest - stored data. But things like intercepted emails, messages, phone calls and the like attack information in motion.
I have mentioned before that I am reluctant to invest in companies like Mulesoft (I won’t bother with the list, but all cyber-security firms are in this category) that target IT as a customer. I’ve posted my reasoning earlier. But it’s pretty much along the lines that IT is a cost center; even in companies that make and sell software, the internal IT department is still a cost center. Management always starves cost centers in that they contribute nothing to the top line and negatively impact the bottom line.
Cyber security is insurance. And, there is an abundance of items to insure: networks, servers, databases, applications and more. And each of those things breaks down to numerous separate departments. How much insurance is adequate? What is the appropriate allocation of insurance dollars, given the budgetary constraints? Which insurance products provide the most bang for the buck?
And, when it finally comes down to making these decisions, it comes down to people who influence and people who make the spend decisions. The people of influence (I was one of these guys) seldom agree on anything. The people who make spend decisions are faced with conflicting and incomplete information. And the decisions aren’t exclusively based on technical merit. What’s the cost model? How viable is the cyber-security company? And so forth.
And this describes a big operation, like Yahoo or Equifax. In a small operation (say state election boards) the situation is even worse. In these situations there is often almost no IT budget, and what little money is available is focused on functionality. Security is an afterthought at best.
I could elaborate further, but this morning me and my wife are taking a helicopter ride over the island of Hawai’i so I’ll end it here due to time limitations. But given the 10,000 foot view of the landscape I’ve described, what cyber-security firm would you invest in? My choice is none.