It’s been a few weeks since we’ve done a write-up; November through to Christmas was a bit of a rush, and the retooling and reorientation of our team in January, followed by the rush of work in February, have taken most of our team away from doing any write-ups.
In previous years, we’ve done an analysis of the penetration test market as well as cyber security in general. One well-received article analysing penetration testing firms unfortunately could not be redone with the same dataset, given the market change but also given the frustrating number of new entrants to penetration testing that don’t quite say what they do, making it hard to gauge the market.
For this year’s first write-up I wanted to share a few thoughts and observations for 2021.
Vapourware & charlatans will continue to pop up, and the need for regulation
With the vacuum of reliable knowledge resources, the allure of cyber security (with its illusions of income and the ability to dominate other human beings), and the general community’s lack of understanding, which makes it easy to inject oneself into the field, we have seen a continuation of the charlatanesque behaviour that was well documented by attrition.org back in the day.
This issue reared its head late last year when a colleague asked, on two separate occasions, whether I knew two individuals because they happened to work in cyber. One of them ended up on a reality TV property show as an unknown “cyber security expert” who was later identified as a fraud. The other featured in a news article about a relationship with an influencer and proprietor of a cyber security startup, whose cyber brand was selling vitamin supplements not two years ago and has no real description of its services.
Two things concern me: journalists and media organisations don’t appear to be doing any real research or due diligence, but we as an industry are also not doing enough to self-regulate. We place basic expectations on medical practitioners and engineers to meet basic standards, and yet for the last 25 years any shady character can turn up with gold chains, a half-unbuttoned shirt and too much cologne and proclaim their technological expertise in cyber security or blockchain.
I believe we will still have this issue of reputation for some time to come; however, I assess there will be a greater need for regulation. Either this will be a market-driven exercise seeking certification such as CREST, or it will follow from an organisation, product or service falling well short of its mark and incurring liability through negligence.
We’ll see more acquisition & consolidation
During a talk at comfycon last year, I predicted we would oscillate away from acquisition and see a deconsolidation this year. On second glance, I might be wrong, and there could still be some steam left in the acquisition space. There are some great organisations out there with deep expertise that perhaps need to be more closely connected with the rest of the industry, so perhaps consolidation can be sustained for the better. My only concern is that if acquisitions focus more on the acquiring process and less on quality of service, we as an industry will suffer.
The diseconomy of scale is going to cause some degree of disruption
A key concept my team and I have been analysing is the diseconomy of scale observed in a large number of cyber security firms, especially the newly acquired firms and the managed security service providers and security operations centres that have come into contact with our due diligence activities. When a company has a disproportionate number of thought leaders, Instagram influencers and support staff versus technologically competent operators (who are often underpaid), the market will fill the demand with smaller, niche providers that can deliver higher quality services at lower cost. The only things I can see stopping this are decision makers being tied to products through panels, saturation of information by marketing, a cultural attitude of “this is how we’ve always done it”, or isolation from information (i.e. you’re only reading the Financial Review or this Medium article for your cyber security advice, and not everything).
Employment, education and qualification will need to lift the game
I originally started drafting this paragraph around the time I was preparing to lecture at UNSW Canberra: we are not preparing our workforce, nor are we placing reasonable expectations on employment opportunities or activities.
Firstly, we are still emphasising a regurgitation-based educational experience. Universities and academic institutions have often prided themselves on the tried and true method of knowledge-based quizzes, as well as reusing the same overhead projection slides for the last 40 years. We’re also seeing a heavy focus on certification, which too often relies on the same regurgitation practice. Add in the “become an ethical hacker for $125” course, which does not add value, and our education standards become lax. We are seeing a shift toward experiential learning, but this needs to be taken up by learners and actively advocated by the education market.
Employers are not facilitating entry-level pathways. Let me be frank: you are not going to easily find an OSCP-certified tester with 20 years of experience off the bat. On top of this, I am not seeing solid entry opportunities; what exists is little more than upstairs-downstairs environments where an army of MBAs drive juniors into the ground. The absence of on-the-job learning environments, similar to trade-based apprenticeships, is contributing further to the cyber skills gap. Furthermore, entry-level pathways need mentorship; if management is disconnected from professional development by a lack of existing knowledge, then the opportunity to shape new entrants is undermined. This is something we have taken on at Mercury, and I hope it’s something that can be promoted throughout the industry.
We’re looking forward to a fantastic year here at Mercury, but we’re also cautious in our optimism.