2019 New England Cybersecurity Landscape
“As always in life, people want a simple answer . . . and it’s always wrong.”
~Baroness Susan Greenfield, Neurochemist
In 2018, we used the Buy Local, Eat Local concept as a way to express the robust variety of information security software, hardware, and solution providers available in the New England Cybersecurity economy. The 2019 Kettle Cybersecurity Landscape of New England is greatly expanded, including a broader data set and deeper level of analysis. There are more choices than ever in our local ecosystem.
Information security risks continue to grow exponentially. (1, 2, 3, 4) Supply chain complexity, resource scarcity, the low cost of entry for cyber crime, and regulatory change may create a desire to put one’s head in the sand, but ignorance is not bliss.
We incorporated audience feedback from the 2018 Landscape to adjust our approach. Information security companies lack a consistent classification across commerce and government data sources. We expanded our research data, growing the number of companies from 162 in 2018 to 258 in 2019. Seven new businesses bring the overall total to 265.
The New England filtering criteria continue to knock out some key names. As a refresher, we apply the following criteria to establish the Kettle New England Cybersecurity Landscape:
Focus core business products and services on Cybersecurity.
Recruited for open roles between February 28 through March 22, 2019.
Maintain their headquarters in New England.
A number of information security firms that met the first two criteria were not a match for the third requirement. These firms are an essential part of the robust ecosystem in New England and are listed in the Additional Companies directory.
Information security continues to confuse and paralyze the business community. (5, 6) In 2018, the Landscape provided an initial view of the local marketplace and job opportunities in the information security economy of New England. The sheer volume of options and solutions available locally is significant. Kettle is vendor agnostic, but we have structured the 2019 Landscape in response to requests for clearer direction.
We continue to avoid declaring “good or bad” in each category, but we have clarified some of the potential points of application from our perspective. These application points are driven by frequently asked questions from our clients, colleagues, and community.
Awareness and Training are the Unspoken Features of the Landscape
We have built the 2019 Landscape (see accompanying infographic) from the ground up. The foundational layers of security are fairly consistent across industry, geography, and size, e.g., Network and Infrastructure Security, Application Security, and Endpoint Security.
Specialized or niche services, e.g., Internet of Things (IoT) Security, are placed at the top of the Landscape to represent the fact that not all organizations will benefit from these solutions immediately. After the foundation is established, higher level tiers of the Landscape should be considered for utility and value.
2019 Landscape readers should avoid picking solutions from each category with the assumption that this approach will mitigate their risk.
Awareness and training efforts require staff time, and that time is itself a cost. Beyond that, an awareness campaign can be low cost or free.
The 2019 Landscape should be used in tandem with a strategy that incorporates Awareness, Value, and Measures, e.g., Insurance Application, NIST maturity.
Awareness and Training should accompany any information security effort to have any hope of adoption, although generic, vague, or broad Awareness messages are often ineffective. (7) Specifically, organizations should tailor the messaging, language, and format of their Awareness efforts to match the audience. For example, businesses could reinforce awareness for front-line retail staff via the channels they use regularly, e.g., Snap, Slack, or WhatsApp, and with positive, humorous, or affirming multimedia content. In parallel to written communications, Kettle created an Information Security playlist in Spotify for a client to share internally.
Business and career opportunities remain a seller’s market.
“To competently perform rectifying security service, two critical incident response elements are necessary: information and organization.”
~Dr. Robert E. Davis, CISA, CICA
We have found a robust, active information security job market in New England. However, we have had to piece together disparate data sets and information sources. Employment data specific to the cybersecurity economy would benefit from a consistent set of definitions, i.e., state classification codes.
The 2019 Landscape is likely a conservative estimate of the true value and opportunity of the cybersecurity economy in New England.
For the period between Feb 28 and March 25, 2019, we identified 2,065 open roles at information-security-focused companies headquartered in New England. Expanding the view to include open infosec roles at companies headquartered outside of New England for the same period, there were 3,926 open roles.
The 2019 Landscape includes a breakout of the C-Level, i.e., executive, roles that were open during our research window. In addition to Chief Information Security Officer roles, we included open roles with Director, Vice President, and Lead level titles that include the word Security. Across New England, approximately 3% of the total open roles were C-Level security roles. This is consistent with a healthy career pyramid, offering opportunities for entry level, mid-career, and leadership roles.
Small to Medium Sized Businesses (SMBs) can use the 2019 Landscape to review their options, compare products by name, and make a choice that fits their needs and budget.
Secure the supply chain as a part of your “reasonable” information security control.
“You cannot shame or belittle people into changing their behaviors.”
Attackers are increasingly focused on front line staff and salespeople as the entry point. (8) High turnover and lack of training make them easy targets.
Businesses and organizations have learned that a primary source of attack is their supply chain. (9, 10) Security audits are commonplace for new business proposals and as part of the renewal process for existing business contracts. Mergers and acquisitions due diligence activity increasingly includes information security risk assessment in light of recent failures. (11)
In addition to informing their internal journey, organizations should use the 2019 Landscape to initiate a confidential, constructive dialogue with their supply chain.
“I don’t care about security when my core business is struggling.”
~Former Client CEO
Will Organizations Rent or Buy?
Business leaders measure results in time and money, i.e., value. The value of information security projects and spend is frequently unclear. Leaders are well aware of the risk, but given a choice between increasing the marketing budget or the information security budget, the marketing budget often wins.
Business expenses related to information security will continue to stretch technology budgets and resources. Rather than driving innovation and efficiency, security spend is often viewed through the lens of regulatory compliance as a cost of doing business.
Rather than hiring resources or spending on licenses, we anticipate that the SMB market will increasingly rely on Managed Security Service Providers (MSSPs) and consulting service providers. Security talent will continue to command a premium, increasing the cost of operating an internal security function. Discerning a reliable information security partner and provider will become an essential skill, particularly for SMBs with little to no information technology staff.
How will Regulatory Forces Drive Change?
We expect the pace of regulatory change to quicken in 2019. Looming compliance deadlines will force businesses with multi-state or international operations to respond. Will organizations lurch from requirement to requirement or will they incorporate proactive information security into the fabric of their operations?
We anticipate that without awareness or cultural change activities, software and hardware will serve as point solutions. While these solutions may provide evidence of implementing “reasonable” information security controls, they will be cold comfort in light of a breach. As a reminder, it takes approximately 6 months to discover a breach and another 3 months to recover.
The 2019 Kettle Cybersecurity Landscape of New England shows the predicted growth in the cybersecurity market. Buy Local, Eat Local continues to be a viable option in New England with over 2,000 job opportunities identified over the 3 weeks at 265 different business entities.
Securing our supply chain, improving the quality of talent, and maintaining a proactive position of compliance are the themes of 2019. We look forward to a robust dialogue and exchange of ideas.
Business E-mail Compromise: The 12 Billion Dollar Scam. FBI IC3, July 12, 2018. https://www.ic3.gov/media/2018/180712.aspx#ref2
Cyber Actors Increasingly Exploit the Remote Desktop Protocol to Conduct Malicious Activity. FBI IC3, Sept 27, 2018. https://www.ic3.gov/media/2018/180927.aspx
2017 Internet Crime Report. FBI IC3. https://pdf.ic3.gov/2017_IC3Report.pdf
“It’s Scary...It’s Confusing...It’s Dull”: How Cybersecurity Advocates Overcome Negative Perceptions of Security. Julie M. Haney and Wayne G. Lutters. https://www.usenix.org/system/files/conference/soups2018/soups2018-haney-perceptions.pdf
The Real Reasons Why Cybercrimes May Be Vastly Undercounted. Josephine Wolff, Feb 12, 2018. https://slate.com/technology/2018/02/the-real-reasons-why-cybercrimes-are-vastly-underreported.html
Cyber Security Awareness Campaigns: Why do they fail to change behaviour? Maria Bada, Angela M. Sasse and Jason R.C. Nurse, Jan 9, 2019.
Your Most Phished Users: Do You Really Know Who They Are? Bruce Sussman, May 19, 2019. https://www.secureworldexpo.com/industry-news/most-phished-user-roles?utm_campaign=Industry%20News&utm_source=hs_email&utm_medium=email&utm_content=71026398&_hsenc=p2ANqtz-82qTDelyQjsQemIV3AjOFQFGuFJtbpvCZLv66X-qdBCRYfs1hQxZS2ca9LsRZSAxtbrru1j6B0Dg8K0dT8luBqBnAfFA&_hsmi=71026351
Supply chain remains the weakest link in cybersecurity. Sean Duca, Jan 17, 2019. https://www.supplychaindigital.com/technology/supply-chain-remains-weakest-link-cybersecurity
Best Practices in Cyber Supply Chain Risk Management. NIST. https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf
Starwood Hotels Warns of Credit Card Breach. Brian Krebs, Nov 20, 2015. https://krebsonsecurity.com/2015/11/starwood-hotels-warns-of-credit-card-breach/
Marriott: Data on 500 Million Guests Stolen in 4-Year Breach. Brian Krebs, Nov 30, 2018. https://krebsonsecurity.com/2018/11/marriott-data-on-500-million-guests-stolen-in-4-year-breach/
Job information sourced from indeed.com, LinkedIn, and company websites as of March 25, 2019.