
The initial transition commenced in 2006, when AWS brought to market the first enterprise-ready cloud service offering. A couple of years later, in 2008, Microsoft and Google both introduced their respective competing cloud services. Up to that point, businesses were primarily on-prem, owning their entire technology stack of solutions and services. The business viewed risk in terms of financial stability, operational efficiency, physical controls (with increasing awareness of cybersecurity), regulatory compliance, and market competition.
Three years later, in 2011, Microsoft launched its SaaS offering, Office 365, further persuading businesses to expand their footprint well beyond their physically controlled on-prem architecture. This expansion led to an explosion in cybersecurity tool development to address gaps in visibility, detection, response, governance, controls, and compliance, and to keep pace with rapid industry innovation.
The list in Figure 1 was created by Graham Mann. He started building a cybersecurity vendor database in 2009, and by 2011 he felt the foundation was strong enough to publish his list, although it was still a work in progress. In 2018, with so many changes to the market, he thought it would be interesting to evaluate it again for comparison. The growth in the total number of solutions is a huge difference: 2011 (1683) to 2018 (7019). He said some of this can be attributed to his database still being a work in progress in 2011, but it clearly indicates the effect cloud and SaaS have had on the technology industry. It’s fascinating to see a time when Cloud Security had only 5 vendors!
Figure 1 Cybersecurity Solution – 2011 compared to 2018

| Product Category | 2011 | 2018 |
|---|---|---|
| Anti-DDoS | 0* | 42 |
| Anti-Ransomware | 0* | 23 |
| Anti-Malware | 202 | 389 |
| Anti-Phishing | 2 | 27 |
| Anti-Spam | 76 | 122 |
| Anti-Virus | 0~ | 53 |
| Application Security | 24 | 151 |
| Auditing | 20 | 72 |
| Authentication | 0@ | 147 |
| Biometrics | 26 | 68 |
| Cloud Security | 5 | 117 |
| Cyber Security/APT detection | 0* | 196 |
| Data Masking | 0# | 17 |
| Data Security | 60 | 290 |
| Database Security | 13 | 58 |
| Digital Forensics | 13 | 111 |
| DLP | 30 | 142 |
| DRM/Doc Protection | 16 | 78 |
| email/IM/File Transfer | 121 | 312 |
| Encryption/Cryptography | 72 | 289 |
| End-Point Security | 84 | 252 |
| Firewall/WAF | 96 | 207 |
| GRC | 26 | 257 |
| IAM | 103 | 386 |
| Identity Theft Protection/Response | 5 | 47 |
| Insider Threat | 0* | 20 |
| Intrusion Prevention/Detection | 48 | 134 |
| IoT Security | 0* | 60 |
| Log Management/Analysis | 40 | 100 |
| Managed Service | 10 | 74 |
| Misc | 17 | 476 |
| Mobile Device Security | 48 | 236 |
| NAC | 0# | 12 |
| Network Security | 71 | 274 |
| Parental Controls | 0# | 24 |
| Password Management | 0# | 16 |
| PKI | 20 | 62 |
| Policy Management | 30 | 95 |
| Response Orchestration | 0* | 50 |
| SCADA & Industrial Security/IIoT | 0* | 76 |
| Secure e-Commerce | 26 | 81 |
| Secure Remote Access | 44 | 124 |
| Secure Storage | 0# | 44 |
| Secure USB | 16 | 45 |
| Security Analytics | 0* | 108 |
| Security Intelligence | 0* | 16 |
| SIEM | 55 | 116 |
| Smart Card | 22 | 45 |
| SSO | 0* | 17 |
| Threat Intelligence | 2 | 69 |
| Training & Awareness | 8 | 73 |
| User Behaviour Analytics | 0* | 26 |
| UTM | 32 | 74 |
| VRM | 0* | 13 |
| Vulnerability Assessment/Remediation | 49 | 184 |
| Web/Content Security | 133 | 371 |
| Wireless Security | 19 | 48 |
| Total Product Solutions | 1683 | 7019 |

Key:
* No vendor identified in 2011
\# Data not gathered in 2011 for these categories
~ Anti-Virus companies were listed under Anti-Malware in 2011
@ Listed under IAM in 2011
In the middle of this cybersecurity revolution, NIST released its Cybersecurity Framework (2014) to give any organization a structure for creating, assessing, and improving its cybersecurity program. By 2017, an executive order mandated its use for all U.S. federal government agencies.
With this uptick in cybersecurity regulation, Governance, Risk, and Compliance (GRC) teams had a new area in which to identify, assess, mitigate, and report the organization's risk. These teams have long been in place at many businesses, but their aptitude was largely in finance, auditing, and the language of the business. The shift to the cloud changed the business's risk trajectory in new and unforeseen ways, and continues to do so today with the disruption of AI. These GRC teams are now faced with rapidly learning the elements of cybersecurity as they relate to GRC and to managing the business's risk.
The table in Figure 2, published by Gartner in 2024, shows the year-over-year growth of Integrated Risk Management, which is increasingly made up of virtual cybersecurity triggers and controls, in contrast to the days of risks constrained to a physical location.
Figure 2 Security and Risk Management End-User Spending for All Segments, Worldwide, 2022-2024 (Millions of US Dollars) – Gartner
Organizations without GRC teams may rely solely on IT leaders to convey the risks. These leaders have traditionally focused on the technical nuances of architecture, maintenance and performance, security, threats and vulnerabilities, and reporting. They are fluent in technical language and sometimes have difficulty translating the risk into terms the business can understand.
Both GRC teams and IT leaders have faced difficulty in conveying the value of cybersecurity, in terms of associated risk to the business and in the significance it holds within the organization. We are on the verge of bringing these groups together in a more cohesive way to better align and express the inherent and residual effects associated with cybersecurity.
• Security Frameworks – NIST/ISO/IEC have several publications around building a foundation, running assessments, recommended techniques, controls, and practices for organizations.
• Cyber Risk Quantification (CRQ) solutions – many offer additional components such as Cyber-Risk Register, Continuous Control Monitoring, and Framework crosswalk.
• Third Party Risk Management (TPRM) solutions
• Sayers Services:
o Business Impact Analysis (BIA) – aids in attributing revenue values to the applications and services the business uses.
o Risk Assessment – a variety of offerings tied to your framework of choice. This can help you ascertain the specific risks your organization faces, with direction on ways to reduce them.
o Bowtie Exercises – a tabletop exercise where you pick a specific “event or condition” that could impact the business and go through the scenarios that trigger or cause the event. Then, on the other side, walk through your organization's response actions and controls to gauge the associated impact based on the policies currently in place.
(We can help if these terms are new to you!)
Please reach out to hello@sayers.com if you are interested in a deeper risk conversation.