Cybersecurity: innovation and the race to capture corporate spend

Over the summer of 2019, Forum’s Interviews with experts who have watched the topic grow in importance for the international C-suite, and who are observing those providing the solutions with interest, highlighted the direction in which cybersecurity is going – and why. And while there is a push from companies all around the world to upgrade their policies, operations and cybersecurity packages, there is an underlying arms race between those seeking to be their preferred providers.

One of the key drivers of this firm corporate shift into cybersecurity activity has been regulatory force. According to one high-ranking former Google executive, regulators have clearly recognised the danger presented by a digital, online, always-on threat and are ramping up how they demand companies of all sizes prepare for, prevent and respond to attacks. “Regulators are getting considerably more aggressive,” not just putting rules into place, but taking action when they are accidentally broken or flouted. Fines levied on British Airways, Facebook and data company Equifax on either side of the Atlantic are recent, high profile examples of regulators and governments refusing to let corporations off the hook.

There are significant differences in each regional regulator’s approach, but watchdogs and governments are all primarily concerned with the result of a lapse in security, rather than being prescriptive in how to stop it happening.  Proper and fit-for-purpose cybersecurity itself is not the aim of regulations such as the European Union’s General Data Protection Regulation or Notifiable Data Breach Act in Australia, but merely the means to protect the data and privacy of their clients and/or third party – at any cost. Some 95% of the GDPR legislation is focused on privacy and the requirement to keep client and customer data safe. That means tightening up cybersecurity is an automatic, almost implicit requirement for companies in order for them to comply with the new rules. They need to think about cybersecurity in the same way as they would any other type of security, such as around hardware, equipment or even customer safety.

But this, of course, means expense, and non-tech companies of all sizes have been guilty of the same fault regarding cybersecurity: a failure to invest. This, however, is changing, potentially thanks to the shock of the fines levied on non-tech companies over the past year. According to one US-based corporate cybersecurity adviser, large and medium-sized company spend has been increasing over the last couple of years. Significant cyber security budget increases, though not the norm, are occurring frequently as company boards realise it might be a false economy to let things slide.

Chief information and security officers are finding their requests for funding more often met with a positive response as directors are beginning to see how a fine, or even significant reputational damage, could derail their corporate strategy. Boards are starting to see how cyber, far from being a concern solely for technology companies, is rapidly becoming one of the biggest risks to the bottom line in all sectors. This means annual penetration testing of critical applications and networks, education staff programmes, and rehearsing cyberattacks, are the sorts of activities reshaping what that cyber investment looks like.

The embracing of new technology, including acceptance that cloud can be used for much more than data storage, is also catapulting many medium and large companies into more cybersecure futures. One Australia-based expert said the double-digit growth in the investments in cyber that he had seen over the last two to three years, “[is] forecast to continue out for the next three-to-five from what we’re seeing”. This volte-face by many companies – primarily the largest ones with the most spend available – is set to see money flood into the tech sector, which is already a hotbed of innovation.

In an industry famed for start-ups and giants alike, there is no shortage of partners for conglomerates wanting to shore up their digital barricades against online intruders. However, according to Third Bridge Forum’s Interviews, unlike other sectors, cybersecurity is not a winner-takes-all game. Companies, being advised by consultants who are either specialists or existing players that are rapidly skilling up on the sector, are happy to take a selection of providers that offer a range of complementary or overlapping services.

To this end, interoperability is key as company systems all need to talk to each other and, as companies sign up for multi-year contracts, the requirement for different programmes to be swapped in and out is high on the list of priorities. This refreshing of systems is also key to the whole cybersecurity debate as non-tech company boards realise this cybersecurity exercise is not one of “set and forget”.

For example, mobile working devices have already created cracks in company firewalls, meaning new methods of protecting networks have been developed. And if companies need to stay aware of what is needed to protect their digital integrity, those providing the means must too.

“Innovate or die” was the message from one of the Forum’s Interviews to technology providers wanting to keep hold of increasing Main Street corporate budgets. Hackers and other “bad actors” are constantly developing new ways to force their way into places they shouldn’t be, and to keep hold of company spend they at least need to keep pace. For those not willing to innovate, they are limiting their viability and potential client base, according to Forum’s Interviews, and there are plenty snapping at their heels.

Therefore, expect consolidation as large companies seek to buy rather than build capability, and stay one step ahead of, if not the hackers, then their competition.