Cybersecurity has always been a horizontal technology practice that’s roughly the same across all industry sectors. Yes, some industries have different regulations, use cases or business processes that demand specific security controls, but overall every company needs things like firewalls, IDS/IPS, threat management gateways and antivirus software regardless.
Generic security requirements will remain forever, but I see a burgeoning trend transforming cybersecurity from a set of horizontal technologies to a vertical industry application. These drivers include:
- Increasing business focus on cybersecurity. While it sounds like industry hype, cybersecurity has actually become a boardroom issue and corporate boards understand industry-specific risks much better than technology gibberish about malware and exploits. To accommodate these corporate executives, CISOs will need communications skills, as well as tools and technologies that help translate cybersecurity data into meaningful industry and corporate risk intelligence that can drive investment and decision making. Security intelligence vendors like BitSight and SecurityScorecard are already exploiting this need, offering industry-centric cybersecurity metrics for business use.
- CISO progression. The present generation of CISOs grew up through the ranks of IT and security with career development responsibilities such as network operations and firewall administration. Yes, the next generation of CISOs will still need some technology chops, but this role is moving closer and closer to business management. In fact, the best CISOs understand industry business processes, regulations and risk above and beyond technology.
Business-centric CISO resumes are a “nice-to-have” today but will evolve into a true requirement over the next few years. In the near future, cybersecurity executives will build their careers as financial services CISO, healthcare CISO or public sector CISO rather than vanilla CISO.
- Advancing regulations. While there are already a lot of industry regulations, such as FISMA, HIPAA/HITECH and NERC, additional industry regulations are bound to occur. This will happen quite quickly if a major data breach disrupts operations in a particular industry.
- Industry-focused threats. Targeted threats can generally be traced back to cyber adversaries that specialize on a particular industry in a particular geography. This makes sense: Attacking a U.S. bank demands language skills and business process and regulatory knowledge that isn’t applicable for attacking banks in France or Germany.
These industry-centric threats are precisely why we have specific industry Information Sharing and Analysis Centers (ISACs). Cybersecurity professionals are often encouraged to “think like the enemy.” Increasingly, this demands industry-specific business and IT knowledge—not just a broad understanding of cyber adversary tactics, techniques and procedures (TTPs).
- IoT. This is the big Papi of change agents for cybersecurity, as industry IoT applications will radically alter business processes, technology elements and threats. And while we’ve created an uber technology category called IoT, the fact remains that IoT healthcare applications will be vastly different than those designed for energy, manufacturing, retail or transportation. As an example, think about the specific industry, business process and technology knowledge you would need to prevent, detect or remediate a Stuxnet-like attack.
As I previously mentioned, there will always be a need for horizontal security technologies, but CISOs will increasingly judge these technologies based upon two criteria: 1) best-of-breed security efficacy and 2) how well these point tools can be integrated into enterprise solutions that encompass vertical industry-specific requirements.
IBM is well-positioned for vertical industry security, led by global services, while Cisco has ramped up services, vertical practices and partnerships. Other horizontal security technology vendors will need to pick dance partners like Boeing, GE Healthcare, Honeywell, and Siemens, as well as consultants like Accenture, E&Y, McKinsey, PWC, etc.
I anticipate a transition to vertical industry-specific cybersecurity over the next few years. Cybersecurity professionals should prepare for this evolution by developing their business process and technology skills, while vendors should pick focus industries and partner accordingly.