Sam Curry, CSO, Cybereason, discusses the economic impact that COVID-19 will have on the cybersecurity industry, in the short-, medium- and long-term.
The security industry has used biological models as an analogy for what is happening on networks and in computers for decades, which is why we have the notion of a computer virus to begin with. It is ironic then, that the security industry is being dramatically affected by a real, biological virus and that what is happening in the world of biology is affecting cyber conflict and cyber markets. It’s important to realise there is, however, a massive degree of general market uncertainty at the moment as we all shelter in place and practice social distancing and sometimes more extreme forms of quarantine.
Given the market instability, risk is soaring and many companies are responding by shrinking from investments, preserving capital and hibernating. The big question before us all is what will be the ultimate fate of the economy? Examining that first then leads to a better understanding of the likely evolution short, medium and long term for the cybersecurity industry.
Short-term
The cybersecurity industry is not all the same. It has several different sub-markets — it has its blue chip brands (many of whom were struggling before the current situation) and it has its new vulnerable startups and disruptors. In the short term, while the novel coronavirus is assured to be running amok, the companies that will do well are those that have solutions that minimise disruption and help to protect customers who now are radically expelled from the reassuring perimeters on networks tied very physically to their corporate offices. Keep in mind that many customers will be slapping controls in place to control the outflow of money; but they will still spend for things that will help them stave off existential crisis and keep critical services running, especially around remote work.
If a cybersecurity vendor is asking companies to do significant heavy lifting — such as ripping-and-replacing things that don’t deal with the existential threats of suddenly being remote, is confusing users by requiring them to use tools they aren’t familiar with or that could significantly interrupt the organisations’ operations and SLAs — they should back off and hibernate too. If, however, they can help with things like awareness, strong authentication, protecting layer 8, detecting the start of those kill chains, stabilising remote access and so on, they can potentially do well; but they still need to watch their own P&Ls since the free flow of cash is still going to be slow.
Medium-term
In the next phase, cyber companies will begin to wither just like any others if the macro crisis isn’t resolved. No one is immune, and the free flow of capital is essential to all members of the economic ecosystem. Like a land turned suddenly arid due to environmental change, when there’s no more water, there is a die-off that is merciless and relatively quick.
However, in this phase, a new economy will be emerging. Whether or not a recession is under way in the classic sense of a quarter of negative growth, some companies will be spending; and those who reach equilibrium will start to consider more complex security solutions. If you’re one of those cyber companies that weathered the first phase and can reduce real risks and the emergent threats that will come from the adversary’s R&D and adaptation, you will find the start of new opportunities.
To be clear, this will not be a boom or a new heyday for cyber but rather, it will start to become evident who has money and who doesn’t, who has new risks beyond existential connectivity and continuity.
Long-term
In the final phase, looking six months and beyond, we have two possible outcomes. We all hope for the first where we exit quarantine and beat COVID-19 and fight to rebuild the economy. In this world, we see hope for inoculation in the future against future coronavirii, and the cyber sector recovers quickly in a narrowed field having seen some companies fail. It will be a while until things boom, but acquisitions and mergers become likely and a new crop of solutions will emerge even as many old names die because they have gone into bankruptcy or simple stagnation.
In the second scenario, we still fight the virus and as with any devastating economic “extinction event,” new life emerges and adapts in a less rich and booming world for a while. Here is where we learn to live with Coronavirus and find a hoped-for stasis and a slow path to recovery, which is not a new spring for the cyber industry. No one wants to consider a third scenario where no one does well, and things become completely unpredictable.
In the end, there is no one outside the realities of the macro economic conditions and there is very little certainty in future performance of companies, cyber or otherwise. Our values are being tested and our species is at war with a tiny-in-some-ways but huge-in-other-ways threat. How you behave now will tell the world a lot about what your company stands for with employees, customers and the wider community.
We need to remember that we must all try to help ourselves as our corporate culture is tested: that means we must tighten our spending as humanely as possible; we must try to help where possible and do no harm in anything we seek to protect; we must seek to be relevant; and we must be ambulance drivers, not ambulance chasers as we heal ourselves and our economy.