Is innovation in information security dead? It's easy to think so when each day there is a new headline about yet another massive organization's data breach, or a new report points out that enterprises aren't taking care of the security basics. All while cyber-attackers are gleefully scooping up our private data and looting our bank accounts.
These breaches aren't happening because organizations aren't spending money on information security. JPMorgan Chase CEO Jamie Dimon claimed the financial institution spent approximately $200 million on cybersecurity in 2012, and more than $250 million by the end of 2014. The bank plans to double spending over the next four to five years. Target spent $1.6 million for its advanced malware detection platform from FireEye. New security products hit the market every week, and organizations are buying them. Total information security spending in 2015 is expected to reach $76.9 billion in 2015, according to market firm Cybersecurity Ventures. Total security investments in the first quarter of 2015 alone reached $472 million, the analyst firm estimated.
So if it's not the spending, is it the technology? Are organizations spending on the wrong things? We frequently hear that security products are outdated and rely on old technology. The threat landscape is a rapidly changing one, but in many areas, security defenders are using the same tools and methods they were using a decade ago. As attacker motivations evolve, the security industry needs fresh ideas and new approaches. This is why innovation is so important.
The good news is the industry gets it. The number of security startups popping up each month and new incubators nurturing a new class of entrepreneurs throughout the year show that innovation is alive and well in information security.
The venture capitalists definitely think so. Consider some of the recent series A funding news. Online crowdsourced security testing startup Bugcrowd raised $6 million in Series A funding earlier this month. Cloud application security company Elastica raised $30 million in Series B funding. Phone fraud detection company Pindrop Security raised $35 million in its Series B round of financing last month. And Risk I/O, a vulnerability intelligene platform, raised $4.5 million in Series A earlier this year. And this is just a random selection—there are plenty more examples to pick from.
RSA Conference runs the Innovation Sandbox contest each year to identify a company with the most innovative security product. This year, 93 applications applied for one of the finalists slots. (You can see the list of finalists) It may sometimes feel like all the products out there are just repackaged versions of old products with fancy new names, but that's not the case. It's clear new ideas are coming to market.
Startups aren't the only ones trying to solve security problems in creative ways. Innovation is happening on the federal government level—there are several government-led research grants for work on Internet of Things, for example—as well as large companies. Many ideas may never make it out of concept stage or never gain the necessary market traction, but that doesn't mean there isn't good work being done right now.
There is a lot of interest in advanced security technology—especially when it comes to securing the Internet of Things. Vulnerability assessment is also gaining traction. In addition to comprehensive security solutions, enterprises are looking for layers of security defenses to repel attacks aimed at specific network layers, analysts from Frost & Sullivan said in the recent Impact of Cyberseutiy Innovations in Key Sectors report. The report covered healthcare, information and communication techonologies, aerospace and defense, banking and finance, and energy and manufacturing. Securing applications and data was "particularly crucial due to the emergence of new threats on specific targets," the analysts wrote.
“The integration of futuristic technologies and mechanisms such as predictive threat analytics, machine learning, and network and device behaviour analysis will quicken the march towards proactive cyber security solutions,” Debarun Guha Thakurta, a research analyst with Frost & Sullivan said. “The convergence of neural networks, machine learning, and predictive analytics will further lay the foundation for a plethora of next-generation cybersecurity solutions.”
Innovation in the security industry is alive and well. ISACs, law enforcement, incubators, and various consortiums are working together to come up with advanced innovative security products. Startups are part of the game, but innovation is something that everyone can take part in.
Most people enter the security industry because they want to help save the world. Making money and having the glory is definitely part of it, but at the end of the day, information security is about doing some good. And fresh ideas and creative outlooks are always welcome. Are you in?