The cybersecurity industry has undergone a sea change over the past decade as organizations find themselves under almost constant attack from an array of state-sponsored attackers and increasingly skillful and professional criminals.

And not surprisingly, money is behind the spread of cybercrime, with one estimate from Cybersecurity Ventures that puts the cost to enterprises at more than $6 trillion annually by 2021 in theft, lost productivity and recovery costs. That alone makes it more than worthwhile from the attacker’s point of view.

In his latest Breaking Analysis video, Dave Vellante, chief analyst at SiliconANGLE sister market research firm Wikibon and co-host of SiliconANGLE’s video studio theCUBE, points out that cyberattackers are being helped in their endeavors by an explosion in so-called “endpoints” that need to be protected.

Companies are increasingly storing massive amounts of data in multiple public and private clouds, while the number of smartphones and connected edge devices in use continues to grow, creating ever more possible avenues of attack.

It’s in stark contrast to the old days. Before the rise of the cloud, security used to be a relatively straightforward concept, Vellante said.

“It used to be simple: I have a castle and the queen is inside and we need to protect her,” Vellante said. “So we build a moat around the perimeter.”

But those days are gone as the queen has long since exited the castle and enterprises are unable to keep up with her.

“Think of the queen as data. She’s gone up to the sky with the clouds,” Vellante said. “She’s gone to the edge of the kingdom and beyond. She’s making visits to machines and hanging out with the commoners — she’s totally exposed.”

As a result, the security landscape is now more fragmented than ever before, with hundreds of products available and a never-ending stream of startups emerging in the space. Indeed, it’s said that the average Fortune 500 company uses as many as 72 security products to try to keep their data and systems safe. But still many fail to do so.

“The state of the security union is not good,” Vellante said. “Every year we spend more, lose more and are less safe.”

Cloud security: a big misunderstanding

One area in which practitioners need to be more mindful is with public cloud security. Public cloud infrastructure operators, and in particular, Amazon Web Services Inc. operates what it likes to call a “shared responsibility security model” that not all customers seem to understand. Vellante explained that in the case of AWS, this involves it securing its S3 storage buckets and EC2 infrastructure, with the customer taking responsibility for enforcing policies and configuring systems to prevent unauthorized access via the endpoints.

“I think this shared security model is misunderstood by a lot of people,” Vellante said. “Specifically I think people feel like ‘my data is in the cloud and AWS has better security than I have… ergo I’m good.’” But the reality according to Vellante is while the responsibility to secure infrastructure is shared in the sense that AWS secures its infrastructure, ultimately the customer is responsible for securing its data.

Companies are also finding it hard to recruit enough skilled security personnel to properly protect their systems as there simply isn’t enough talent to go around, Vellante said

And so it may come as a surprise to learn that enterprises are actually becoming more circumspect about how much money they’re willing to spend on security relative to previous years, according to data from Enterprise Technology Research. According to Sagar Kadakia, director of research at ETR, “CIOs no longer have a blank check to spend on security.” One could be mistaken for thinking this means enterprises have thrown in the towel, so to speak, but in fact it’s more of a reflection of how fluid the cybersecurity space is right now.

What’s actually happening according to ETR is that spending on cybersecurity is bifurcating, with a select few companies seeing their spending momentum and market share grow at the expense of others. Among those on the up are startups such as CrowdStrike Holdings Inc. and Okta Inc., plus more established players such as Palo Alto Networks Inc., Cisco Systems Inc. and Microsoft Corp. In contrast, the likes of Dell EMC, IBM Corp., Symantec Corp., Check Point Software Technologies Ltd. and SonicWall Inc. are all losing ground according to ETR surveys.

“What you’re seeing is a slowdown in the growth of security spending,” Vellante said, citing ETR’s data. “It’s still a priority, but there’s less redundancy, or experimentation with new vendors, and less running systems in parallel with legacy products.”

The problem is that, at the end of the day, security is in many ways still broken and it’s going to take a massive effort from all of the major players in the space to fix it. But the odds are stacked in favor of the criminals. As Vellante notes, the good guys need to win every day, whereas the bad guys only need to win once, and they will have countless opportunities to do so.

“We can’t just keep using brute force and throwing tools at the problem,” Vellante said. “The focus really has to be on automation. So machine intelligence and analytics will definitely be part of the answer. I predict the more things change the more you’re going to see this industry remain a game of perpetual Whac-A-Mole.”

Here’s Vellante’s complete video analysis:

Image: JanBaby/Pixabay