Cybersecurity Budgeting: 2008-2018, a decade of economic change

TL;DR, see chart (but it doesn't tell the entire story).

In 2008 we found ourselves in an interesting economic situation... The stock markets were dropping from the mortgage crisis, consumer spending and confidence were down, people were losing their homes. This was certainly a challenging time to be in tech and cybersecurity. There were strong ROI justifications and economies gained from technology investments, but they were at odds with people losing their jobs. And there was no end in sight to the economic downturn...

Turns out we were about a year from the bottom in terms of the stock market, which arrived in 2009... and about four years from the bottom of the housing market in 2012 (based on median home prices). At the time I was making a transition from online lending (E-Loan.com) to the world of B2B SaaS solutions. The company I went to work for offered premium external DNS solutions with DDoS and cache poisoning mitigations. We are talking the top-end Tesla of globally distributed, IP anycast, BGP-routed DNS... and as my friend and colleague Preston Dodge liked to say, "we are selling bottled water to people that have really, really good tap water". The contacts I was speaking to were receiving budget cuts, and these Directors (in most cases) went from signing 6-figure contracts themselves to needing CFO/CEO approval for anything over $1,000. It wasn't easy building business justifications, but the solution helped with infrastructure CapEx cost take-away, and that kept the company alive.

On the other hand, a number of cybersecurity solution providers found a very meaningful place in the troubled economy of 2008-2010. CIOs and CISOs were being asked to do more with less. There was a transition from focusing on CapEx investment to OpEx and SaaS agreements, which could be terminated without losing unrecognized depreciation. And there was an opportunity for consolidation. Some of the largest businesses and governments began looking at their long lists of vendors, a number of which were shelfware, seeking consolidation and rationalization opportunities. This was certainly tough on a lot of startups and companies without free cash flow, leading to a number of acquisitions in 2008-2012. Moreover, larger vendors like McAfee with broad portfolios found customers looking to transition from "best of breed" to "best of need". The popularity of cybersecurity ELAs (enterprise license agreements) began growing around this time. In late 2011 I worked with the State of Alaska to consolidate 7 vendors across 10+ controls into one such McAfee ELA, saving the state over $3 million.

So the last 10 years started off pretty rough from a cyber budgeting perspective, but things changed for a variety of reasons. With connectivity getting faster, more information getting hosted online, exploit kits allowing less skilled attackers to up their game, and fewer jobs for the inexperienced/younger generation, the global number of cyber criminals grew. Some of the worst cyber attacks in history were occurring, including a USB stick left in a US military parking lot in 2008 that sparked the creation of US Cyber Command. The Federal government wasn't the only one investing more in cybersecurity. Businesses everywhere began looking at the percentage of technology budget allocated to cybersecurity people, process, and technology as a KPI for business risk. This was driven by the large IP breaches at Google, Yahoo and others in 2009; Stuxnet was discovered in 2010; even RSA, one of the largest cybersecurity vendors, was breached in 2011. Things were heating up, and with the economy recovering at accelerated rates, organizations began loosening up on budgets to avoid being the next big headline.

From 2011 to 2014 a number of new cybersecurity vendors were founded, and the industry began realizing it wasn't just big companies and governments being attacked. It was everyone. Plug in a FireEye box on an internal network port in 2012 and it lit up like a Christmas tree. We were all breached, and it was a question of how badly. Many security leaders began publicly acknowledging that if you thought you weren't being attacked, it just meant you didn't know about it. There was also a shift from the belief that we could truly prevent networks from being breached to the "assumption of breach" or "zero trust" era. The attacks that couldn't be blocked needed to be detected and responded to before significant damage was done. And critical networks shouldn't trust hosts, critical hosts shouldn't trust networks, and critical apps shouldn't trust users. At this point cybersecurity unemployment rates dropped below 1% and have been pinned there since.

In the wake of exponentially increasing breaches during 2014-2015 and the realization that nation-state cyber attacks were a thing, budgets really began opening up. Businesses realized their reputation and risk were closely tied to cybersecurity capabilities. Companies began building SOCs (security operations centers) in house and investing in Managed Security Service Providers. The Big 4 and friends expanded niche cyber practices into flourishing consulting practices around penetration testing and incident response. This was the time when the paranoid CISOs, with tinfoil hats... that had been locked away in the basement... began joining board meetings. The horror!

Given that cybersecurity had become a board-level conversation, and budgets were generous, new realizations emerged in 2015-2017. Organizations of all shapes and sizes realized they were becoming software- and technology-dependent companies, and that meant a growing attack surface. The ability to mitigate risk became much more challenging. The expanded budgets created a talent shortage in cybersecurity across almost all organizations. Companies that didn't have a single dedicated security title in 2011 were in some cases hiring 100+ in-house personnel to scale cybersecurity operations. Many IT and Dev workers were converting into cybersecurity for higher pay and upward mobility. The largest companies in the F100 began to exceed 1,000+ dedicated cybersecurity roles, and once-rare cybersecurity master's programs became prevalent. Thus the talent shortage became further exacerbated. Yes, cybersecurity spend had become a more balanced investment relative to other technology spend, but the breaches continued to occur. Open cybersecurity jobs went from under 100k in 2008 to 1m+ in 2015, and now 3m+ today in 2018.

In turn, the cyber-vendor landscape grew exponentially... What was 300+ companies in 2008 has grown to 3,000+ in 2018. Solutions addressing the CIS Top 20, the NIST Framework and the OWASP Top 10, along with new capabilities like AI-based prevention, AI SOCs to reduce operational overhead, and many other solutions, have been built to address these problems. This too came with a problem, however, and I have written multiple times about the challenge CISOs face sorting through today's vendor noise (there are some great podcasts focused on this topic by David Spark and others, reflecting on the interesting dynamic of CISO-vendor relationships). This leaves organizations with the challenging task of figuring out how to choose partners wisely and invest effectively.

In an alternative approach, Facebook, Google, Twitter and other tech-savvy companies began running crowdsourced Bug Bounty programs. That is, inviting non-employees to contribute to the company's cybersecurity posture in a scalable way, finding vulnerabilities missed by in-house resources. In an era where strong budgets don't directly translate to good cybersecurity outcomes, we need to identify and prioritize ideas that help us address an asymmetric adversary, and this is a great example. The company I work for today, HackerOne, helps make this approach more accessible and easier to implement. This makes for quite a budget amplifier in a "pay for performance" model, where so much of the industry is economically oriented toward "pay for effort".

The lack of resources, growth of software development, accelerated SDLC cycles, and ease of employees accessing data from a wide variety of devices and applications make it quite a different world than it was in 2008... which was the first year after the iPhone debuted. Thinking about the last decade of cybersecurity budget trends certainly helps illustrate how much this industry has changed... but budgets only go so far.

We need today's scholars to become tomorrow's solvers. We need to work openly and transparently with one another for the betterment of our connected society. And we need to be honest with ourselves and others. I would like to see a more tempered narrative in cybersecurity so budget owners can more confidently invest without fear of another deployment not living up to its promise. If we want to see cybersecurity budgets continue to improve we need to deliver great results and business outcomes. Let's continue to chip away at these problems in a thoughtful way, and avoid being put back in the basement. ;)

Bogdan Barchuk

Ethical Hacker. Penetration tester/Pentester. Cybersecurity specialist. IT security. CEH. SSCP. CISP. CISM. CEH Master. OSCP. OSWE. VAPT. SOC.

6 years

Nice post! Please join the pentest tools group! https://www.dhirubhai.net/groups/8698516/

More articles by Dan Parelskin
