What is Cybersecurity?
Hardly a day goes by without news regarding cybersecurity threats. Whether it is about elections, e-commerce, business, or social media threats - digital systems are growing, which creates both challenges and opportunities for business development. There are many definitions of cybersecurity. One I like to use is from computer systems leader, Cisco: “Cybersecurity is the convergence of people, processes and technology that come together to protect organizations, individuals or networks from digital attacks[i] ”. I like this definition because it goes beyond technology to include people and processes. This aligns well with how I view economic development as operating within a dynamic system of people, organizations, and networks.
Why is Cybersecurity Such a Big Deal?
So why such a big deal about cybersecurity? The answer: it is increasingly impacting our ability to conduct business from communications and networking, to markets, trade, logistics, and transactions. Additionally, our response to such threats to develop systems, services, products that detect, correct, and protect is creating economic and business development opportunities.
Companies have taken note about the risk and size of threats. Corporations increased the number of times they mentioned cybersecurity on earnings calls nearly three-fold since 2014. The increase in cybersecurity talk is not surprising given the fact that last year stolen data records worldwide exceeded two billion for the first time. Throughout 2017, the total number of enterprise records breached every day, hour, minute, and second each doubled from the year prior according to Breach Level Index (BLI) [ii]. And, the threat is expensive worldwide. Cybercrime damages will cost the world $6 trillion annually by 2021[iii], which is conservative as protection and restorative actions are often hard to track.
Cybersecurity Industry Sector Performance
In terms of business and economic development, Cybersecurity includes but is not limited to the following subsectors[iv]:
IT Security Consulting - Businesses in this industry offer managed IT security services, such as firewalls, intrusion prevention, security threat analysis, proactive security vulnerability and penetration testing, and incident preparation and response. In 2018 in the US there were 15,067 business in IT security consulting. Revenues grew 5.2% annually from 2013 through 2018 to a level of $13.0 billion in 2018 and are projected to grow 2.2% annually through 2023.
Identity Threat Protection Services - Companies in this industry primarily provide software and services aimed at reducing the risk of identity theft from online or electronic media. In 2018 in the US there were 62 business in IT Threat Protection. Revenues grew 3.7% annually from 2013 through 2018 to a level of $2.1 billion in 2018 and are projected to grow 4.5% annually through 2023. Rising competition, including free services, has dampened curtailed industry revenue growth potential.
Digital Forensic Services Industry - Businesses within the Digital Forensic Services industry provide data recovery and investigative support services related to data breaches and cybercrimes. In 2018 in the US there were 1,651 business in Digital Forensic Services. Revenues grew 11.8% annually from 2013 through 2018 to a level of $2.2 billion in 2018 and are projected to grow 5.8% annually through 2023.
Top companies in Cybersecurity across the span of related subsectors Include: Booz Allen Hamilton, Oracle, Deloitte LLP, Leidos Holdings, IBM, US Army and Navy, Lockheed Martin, Wells Fargo, Northrop Grumman, Accenture PLC, Hewlett Packard, Symantec Corporation, Intersections Inc., AccessData Group LLC, Guidance Software, Global Digital Forensics, and Paraben Corp.
Cyber industries have also been experiencing significant venture capital investment supporting startups and innovation. According to CB Insights, 2017 was a record year for venture financing deals in cybersecurity with $7.6 billion invested in 552 deals. The US has lead in deals in past five years (69% of all deals) followed by Israel (7%) and the UK (6%). Leading companies includeed in the innovation space include Tanium, DUO Security, Illumio, Lookout, CyLance, CloudFlare, Avast, and CrowdStrike[v].
Emerging Trends in Cybersecurity Related to Industry
Beyond the sheer size of the threats and disruption to businesses, there several factors driving growth and innovation in cybersecurity. These are related to the fact that digital technologies and processes have increased rapidly to the point where everything is connected. Nearly everything is or can be digital and therefore everything is at risk.
Regulations: As threats increase so do regulations. As an example, the General Data Protection Regulation (GDPR): The new GDPR will be enforced to protect people’s data in the EU. Infringements of this regulation will result in fines of up to 20 million euros[vi]. Despite this occurring in the EU, it will affect institutions in the US serving international students, clients, and patients, particularly in the sectors of education and healthcare.
Internet of Things (IoT): The first wave of the internet centered on connecting people with other people and information. The current wave is connecting things to things, meaning products, equipment, and machinery. This brings us to the emerging future where everything and everybody is or can potentially be connected. In manufacturing this is known as industry 4.0. Industry 4.0 is a term used to describe the fourth wave of technological advancement in manufacturing where multiple, if not all, parts of the manufacturing supply chain system are digitally interconnected including machines used in production, monitoring and control systems, and logistics all communicating with each other. More specifically with Industry 4.0 sensors, machines, workpieces, and IT systems will be connected along the value chain beyond a single enterprise. As IoT devices become more integrated into our daily lives, it seems inevitable that we will begin to use and understand them, however, we have consistently failed to recognize their lack of basic security features. A recent survey from strategy consulting firm Altman Vilandrie & Company showed nearly 50% of US companies using an IoT network have experienced a security breach[vii]. Companies are well aware of this risk in their plans and strategies to adopt Industry 4.0 practices. A survey of industry by PWC flagged a wide range of concerns around data security, with operational interruption from cybersecurity breaches at the top of their list. Other issues like liability risks, unauthorized access to data and damage to company reputation are on the radar too[viii].
Industry and policymakers recognizing the significance are laying the groundwork for risk mitigation from cyber threats. The Aspen Cybersecurity Group, a cross-sector public-private forum comprised of leader in industry, policy, and academia have come together and put forth a set of “security first principals for IoT. They include[ix]:
- IoT devices should have appropriate security “Baked-In”
- Transparency on product security and privacy
- Manufacturers/developers should be held accountable for the security of their devices
- IoT devices should have updateable security
- Security should be in multiple layers
- Device features should be limited by necessity
As some make way into standards and regulations it will increase the integration of cybersecurity into manufacturing and logistics.
Smart Cities: We are increasingly experiencing the Integration of digital technologies, information, and applications for communities, or what are known as smart communities or cities. The integration of digital technologies and data is happening across many different community service areas including infrastructure (transportation, sewer, water), public safety, health, planning, and governance. This has the ability to make communities more efficient, effective, and responsive, but also increases risk for cyber threats of all kinds and with serious potential impacts. Recent high profile cyber breeches have occurred in San Diego, Atlanta, Baltimore, New York City, and Houston.
Rise of e-Commerce and E-services: E-commerce (e-retail alone) has grown at an estimated annual rate of 14.3% reaching $509.9 billion in sales in 2018[x]. Additionally, this growth in e-commerce is also being experienced in many services including health, business, and personal services. The resulting convenience to consumers and new business opportunities for industry is accompanied by increase cyber threats.
Employment Trends in Cybersecurity
Cybersecurity employment is difficult to measure precisely because job skills and responsibility cut across multiple occupations including IT and management analysts, network administrators, software and application developers, and other IT related jobs. However, one specific occupation that is dedicated to cybersecurity related functions is Information Security Analysts (SOC 15-1122). “This occupation is responsible for planning, implementing, upgrading, or monitoring security measures for the protection of computer networks and information". Related job titles include Computer Security Specialist, Information Systems Security Officer, Security Engineer Security Analyst, Network Security Analyst, Information Security Manager, Information Security Analyst, Security Specialist, Network Security Engineer, and Information Technology Security Analysts[xi].
Job growth has been rapid and is expected to continue. In 2018 there were 113,692 Information Security Analysts in the US. This was an increase of 36% from 2013, a rapid increase as the digital economy blossomed. Jobs in this field are projected to grow 15% by 2023 reaching 130,721[xii].
Information Security Analyst jobs are distributed across multiple industry sectors with the highest (27%,) being employed within Computer Systems Design and Related Services. Beyond this sector employment is highly distributed indicating these positions are important to many sectors.
In terms of states with the most Information Security Analysts, Virginia tops the list by a long stretch with 13,899 jobs in 2018 driven by access to federal agencies and contracts. Additionally, all the top ten states experienced employment growth in excess of 25% between 2013 and 2018.
So what kind of education do information security analysts have? Based on 2018 data on occupations 79% of persons employed as information security analysts have a bachelor’s degree or more, with bachelor’s degree being the most prevalent at 53%.
Talent is Key
While there are several factors that drive business and economic development success in cybersecurity including access to market, innovation, and digital infrastructure - industry experts stress the development and retention of talent and skills as being the most critical. Findings from the Aspen Institute Cyber Security Group state this well. “The U.S. currently has a cyber workforce shortage of 300,000 individuals and the trend line predicts an increasing gap. This is largely because demand is significantly outpacing supply, large candidate pools are left untapped, employer requirements aren’t well sync’d to the skills needed, and awareness of cyber career paths remains low. Additionally, by 2021, we estimate there will be at least 470,000 unfilled cybersecurity jobs in the United States if we don’t start thinking – and acting – differently about how we identify and develop talent. [xiii]” To address this critical workforce challenge the Group established core principles for actions. These include simplifying and clarifying job announcements, making jobs available for those without college degrees, increasing non-degree training opportunities, and launching apprenticeship programs.
What Can Business and Economic Development Professionals Do to Support Expansion of this Industry?
Understand Key Location and Investment Drivers and Your Regions Assets
First it important to understand key location and investment drivers and your region’s assets. Howard County, Maryland conducted a detailed assessment of cybersecurity opportunities and their ability to support industry growth[xiv]. Results indicated that cybersecurity companies are attracted to regions with an existing base of other companies in the industry and a highly skilled and educated workforce. Other critical factors include the quality of cyber-education and training, proximity to federal agencies for contracts, and access to other markets. Insights for the assessment enabled regional economic partners including the Howard County Economic Development Authority and the Howard Tech Council to develop and implement strategies to continue growing this sector and supporting existing companies as well as startups.
Grow and Retain Talent
A key take-a-way from this article is that talent is critical to success in growing and supporting the cybersecurity industry. As with all workforce development, partnerships and collaboration among industry, education, and service providers are a must. A best practice example of such focused partnerships is the efforts by the Northern Virginia Community College, NOVA[xv]. NOVA serves the Northern VA region and through strong connections and partnerships with industry offers timely and relevant industry specific training and education. This includes partnerships with training and certification leaders the EC-Council and CompTIA to offer students industry certification vouchers at an academic discount. It also includes curriculum that is mapped to Federal National Security Agency and the Department of Homeland Security cybersecurity education standards. To further provide hands-on experience and training NOVA offers cybersecurity students many opportunities to participate in regional and national competitions including with the National Cyber League, Mid-Atlantic Collegiate Cyber Defense Competition, and Educause Security Awareness Video and Poster Contest.
Another best practice is the College of Marin in the San Francisco CA region which has developed an industry responsive cybersecurity certificate. “Offered in collaboration with Cisco, the program offers six modules, each with their own computer network certification. The first module, “IT Essentials,” offers a certification in CompTIA A+, while the sixth culminates in the cybersecurity certification itself. No college prerequisites are necessary and students need not commit to all six modules, making the course highly accessible for people (such as recently displaced workers) interested in rapid training[xvi].”
A specific example of an industry lead initiative is the IBM Apprenticeship Program, which was launched in 2017 as a Department of Labor Registered Apprenticeship program. IBM Cybersecurity Analyst apprentices complete a 12-month training program that includes over 400 hours of structured learning, coupled with mentorship and on-the-job activities like performing network and wireless intrusion detection, security activity monitoring, incident response processes, scans of databases, web applications, anti-virus and others. In addition, apprentices complete required learning and exam preparation for the CompTIA Security+ Certification[xvii].
Integrate with Smart Cities
Smart city/community practices and principals are growing rapidly from an emerging trend to a best practice, and soon to become industry standard in local and regional governance. This is being accompanied by significant investments by communities. Leveraging these efforts and resources with business and workforce development can help grow local and regional economic opportunities. The City of Los Angeles offers a best practice example as they invest in a cybersecurity lab and boost security across the city. Bolstered by a $3 million grant from the U.S. Department of Homeland Security, the City of Los Angeles is expanding the capabilities of a public-private partnership to protect the city against hacker attacks and support the cybersecurity industry. The expansion will allow the Los Angeles Cyber Lab to build a universal platform for threat intelligence. Partners in the public and private sector will be able to submit threats to the Lab for analysis and distribution to other participants. To support growth in the cybersecurity industry, the Lab will also invest in an innovation incubator, which will open the program to students, researchers and product developers. Organizers will also expand trainings and conferences[xviii].
Find your Niche
It is important to understand that solutions don’t need to be large region or city. Find the niche with existing industry that have cyber concerns – Healthcare, Logistics, Manufacturing, etc. Obviously, this is easier for localities and regions with large companies and institutions that face constant threat (DC, NYC, LA, etc.), but its important to realize that positive benefits can be a result of playing to the companies and institutions you have when it comes to the cybersecurity space.
This article was originally published in the Winter, 2019 edition of Expansion Solutions Magazine.
[v] 2018 Cyber Defenders, CB Insights, 2018, https://www.cbinsights.com/research/report/cyber-defenders-2018/
[vi] 8 cybersecurity trends to watch for 2018 by Michelle Drolet
[vii] New Survey Says Half of US Companies Using IoT Have Been Breached by Ken Briodagh
[viii] 2016 Global Industry 4.0 Survey - What we mean by Industry 4.0 / Survey key findings / Blueprint for digital success, www.pwc.com/industry40
[xiv] #HOCOGOESCYBER: A Study on Cybersecurity Companies In Howard County, Maryland, www.hceda.org/business-support/htc/
[xvii] Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce, Aspen Cybersecurity Group, Aspen Institute, November 2018, www.aspeninstitute.org/publications/principles-for-growing-and-sustainin...