The life and times of the cyber security hype curve
The evolution of cyber provisioning and how this reflects the maturity (or the lack of it) of the cyber security market in developed economies
Cyber security as a term of art came into common usage about ten years ago, overtaking other established terms such as information security and information assurance a few years later.
To some people, cyber security is nothing new, so it helps to think of the pre-cyber era as one of ‘early interconnectedness’, with the cyber era as one of ‘mass interdependence’.
The term ‘cyber security’ is a useful description of what has fundamentally changed in the world of networked computer systems, a change which has really taken place over the last six or seven years.
Landmark attacks that delineate the start of the ‘cyber era’ include the Google Aurora events in 2009, in which dozens of companies were found to have been penetrated by nation state hackers, the discovery of Stuxnet in 2010, and perhaps the more recent Aramco incident in 2012.
There have been thousands of other attacks since but these are amongst the ones that made people sit up and think hard. These attacks were not the work of single bedroom hackers or criminals, and marked a sea change in the nature of networked computer security.
In the same timeframe, there have also been ground-breaking technologies that have changed the information world. Examples include the first proper smartphone in the form of the iPhone in 2007, a device that created the global demand for these mobile computing devices.
A short time later, in 2010, the iPad was created, launching the world of tablet computing that has been cannibalising the desktop computer market ever since. Both types of device have driven computer ubiquity, the always-on society and a dramatic change in a number of security paradigms.
Other events marked the beginning of the cyber era, including the creation of the US Cyber Command in 2010, which was the first overtly military use of cyber space and an indicator of the importance of protecting national infrastructures that have now come to be dependent on the internet.
So, the cyber era is real, but has it been overhyped? The short answer is no. Never have so many been so dependent on such poor security.
That said, there is a ‘hype curve’ that is being followed by the security industry. The hype cycle, coined by Gartner, describes a sharp rise in interest in a technology, reaching a ‘peak of inflated expectations’, which declines into a ‘trough of disillusionment’ before rising again to the ‘slope of enlightenment’. Finally, the ‘plateau of productivity’ marks the point at which the technology becomes part of the weft and weave of the world and is no longer something special.
Cyber security is now past the initial peak, nearing the trough, with early signs of it becoming properly mainstream.
In the early days approaching the peak, there were hundreds of companies that purported to do cyber security, accompanied by a feverish spate of acquisitions as companies sought to get in on the cyber act.
Some companies overcommitted and oversold the importance of the early increase in the cyber market, and some of those companies are now having to downsize their security teams.
This is a strange dilemma because the demand for security expertise is at an all-time high, so what’s going on? The truth is that the world is moving towards the enlightenment and productivity phases in the hype cycle.
Organisations are starting to realise that security needs to be baked into every IT product, system and service. Every user of such services will come to expect that decent security is a given. The idea that one would buy security separately is as wrong as expecting to buy safety as an optional extra when purchasing a car.
What this means is that IT service providers and cloud providers will become the natural source of good cyber security, and they will also become the principal customer for security innovation, buying the latest and best security products and services.
This is an inevitable trajectory for cyber security businesses and one of the main reasons why IT service providers need to lead the cyber security revolution that will be necessary to protect the future digital world.
Sourced from Andrew Rogoyski, head of cyber security, CGI