“There’s a tremendous amount of venture capital money flowing into cybersecurity right now due to all of the breaches, and there are also now a lot more choices for types of products,” says Quentin Orr, a partner and consultant for cybersecurity at PricewaterhouseCoopers LLP in Philadelphia.
The state of cybersecurity currently varies greatly by industry. For example, the financial and healthcare sectors are far ahead in cybersecurity in large part because they have to meet regulatory requirements. At the same time, manufacturers have some of the “most poorly secured environments in the world,” because they have no such requirements, Orr says. “But the threat to manufacturers is dramatically increasing, particularly from adversaries who want to steal their intellectual property and technologies,” he says. “These adversaries often come from developing countries who want to steal proprietary information that has taken manufacturers years of R&D efforts to launch.”
Predictions call for the number and severity of attacks to increase over the next two years due to significant “meta trends” globally, says Ed Ferrara, vice president, principal analyst for security and risk at Forrester Research in Cambridge, Massachusetts. He points to political instability, the rise of nation states and their interest in asserting spheres of influence, the cooperation of organized crime and terrorist groups to extend or advance their agenda and “hacktivists” wanting to make both political and ideological statements as factors contributing to this likely escalation.
Depending on need and the results of a thorough risk assessment, manufacturers should consider a number of different solutions covering a broad area of security concerns, Ferrara adds. Today, there are technologies that address top security issues such as threat intelligence, security analytics, identity and access management, intrusion protection, network security, data loss protection, web application firewalls, endpoint security and social media.
“Companies should be careful, however, to not create an ‘expense-in-depth’ scenario where they spend significant amounts of money on the latest technology but do not appreciably improve their security posture,” he warns.
Software and consulting are converging a bit more. Companies like Mandiant (which was acquired by FireEye but kept its branding) provide specialized services like DDoS attack simulations, training employees to avoid phishing and allocating investments to the risk areas of highest priority, says Julie Anderson, a principal at AG Strategy Group in Washington, D.C. She notes that consultants like McKinsey and Deloitte can help companies formulate the big picture and integrate cyber considerations into the overall strategy and operations at the C-Suite level.
However, manufacturers should be careful not to be oversold: many businesses of all types believe their problem is different from what it truly is, and there are vendors developing software and tools to help customers solve problems they may not have. “That’s why cybersecurity is not just a CIO problem—it goes all the way to the top,” says Anderson. “There is an opportunity for vendors and consultants to translate very technical issues to that level into how attacks can create economic loss and damage to customer trust, their reputation and their brand.”