Big Cyber’s House of Cards

Posted on May 24, 2021


Someone has to say it, and it looks like it needs to be me. Big Cyber isn’t focused on securing small businesses, at least not like they should be, and not with the drive that this critical market segment needs to be successful. When I was an analyst, I was privy to an amazing window into how big companies work and, more interestingly, how they strategize. During that time there was an incident that woke me to the reality that Big Cyber was not interested in focusing on SMBs’ future security state.

During one “advisory” — an on-site consulting session with an analyst hired by a big company to advise them on market trends and opportunities — a Big Cyber executive showed his true colors with me in the room. It was eye-opening for me.

The crux of the conversation was about how the company could grow revenue and win more deals. Of course, that makes sense. We all sell stuff after all, and part of the reason I was there was to help them sell more, better. After spending days looking at market trends and searching for indicators pointing to real opportunity in an already saturated market where every Big Cyber vendor was battling for the same Global 2000 accounts, my answer was simple: “Sell to small and midsize enterprises.” With years of experience analyzing trends behind me, it was clear that the long sales cycle, bloated market, and most importantly, real threats that needed to be addressed indicated that the best opportunity to do some good and grow the company’s revenue at the same time lay in selling cyber solutions specifically to small and midsize enterprises.

The executive’s reaction to my proposed approach was priceless. He laughed out loud. Then he literally rolled his eyes in disbelief, looked up at the ceiling, let out a “huff,” and smiled like the cat that just ate a canary. “We spend more on our sales kick-off breakfast buffet than we would make with an SMB deal,” he said, as he pulled on the cuff of his monogrammed silk shirt. “For us, the SMB market’s a non-starter. We can’t incentivize our sales force to spend their time and effort on piddly two-comma deals. To be frank, they’re just not worth our time. If SMBs want our technology, they can come to us to get it. It’s here, available to anyone.”

“Ok, sir,” I replied. “It’s a fair point and I understand the economics. But I am not talking about one deal. I mean, if you focus your efforts around designing a ‘right-sized’ security solution for SMBs and put the right sales and marketing machine in place with the right structuring of deals and incentives, you can close smaller deals faster and quickly grow. Another benefit – competition is not nearly as thick in that segment, so you can really stand out and gain share by helping businesses that need your solutions. It’s a win all around if done correctly.”

I continued, “Heck, MSSPs can be the ones to deploy and manage everything. All your reps need to do is sell and work with those partners in a focused manner, and good things will happen. Plus, you get a leg up by helping successful SMBs who cannot afford big technology portfolios and will be targets for compromise as bad guys move downstream—and are also likely to grow into bigger customers in the future.”

“Noted, thanks, let’s move on,” he said as a scowl rolled across his smug face. Clearly, what he meant—but was paying too much for my advice to come out and say—was, “Not gonna happen. Move on.” Now, the unprofessional me wanted to verbally blast him then and there, not only for his hubris, lack of vision, and disrespect, but also for his cavalier attitude and disregard for smart, facts-based advice that would benefit employees and stockholders who were far less well-fed than he. Of course, I couldn’t do that then, but I still get a chuckle by picturing how I wished it had played out.

That was two years ago. And now, today, Zero Trust is being adopted and is helping to address strategic cybersecurity issues, and the Global 2000 are finally seeing a small but notable reduction trend in their overall cybersecurity-related failures in the enterprise space. In the meantime, the time to identify and respond to exploits is down to about 280 days in 2020 from over 340 in 2019 – not great, but an improvement, nonetheless. Major enterprise investment in cybersecurity is up about 9 percent year over year and is expected to reach over $130 billion in 2021. Things are trending “better” in the enterprise space relative to cybersecurity needs, but that’s not the case for the SMBs.

To be blunt, major enterprises have the money to buy better cyber outcomes and will continue to throw money at vulnerabilities until they become the hardest targets in town, which is good for them. But that forces the adversaries to look for the next easy target that can’t spend its way into “good” cybersecurity posturing.

Those SMBs that were already underserved two years ago still don’t have the funds to buy their way out of the threat space. SMBs will increasingly be the low-hanging fruit for hackers to pick, the slow gazelle on the cyber-Serengeti. But here’s the unforeseen hitch for those would-be secure big enterprises, despite all their spending. Because SMBs are connected to those big enterprises and networked with them, if the SMBs are attacked, big enterprise cyber investment and efforts are invalidated and undermined, too. In the world of cyber, if somebody gets hacked, everyone’s risk increases.

In fact, it does not take much effort to see how small businesses and midsize enterprises are used as jump boxes by bad guys. We already see this in past-year trends of third-party provider and vendor exploitation. Those numbers are up exponentially, and we have plenty of evidence that they will continue to rise. If SMBs can’t find budget-appropriate technologies to help them do better at cyber, then nothing gets fixed. And if those solutions increase the burdensome human capital debt that SMBs already face, they will not be sufficiently attack-resistant to keep the whole ecosystem from falling prey.

Big Cyber has no real incentive to make their “cures” available, affordable, and manageable for SMBs. This is evidenced by my personal interactions with Big Cyber executives, and it wasn’t just one executive who thought that way. That response was commonplace no matter how many advisories I did. Big Cyber’s business model and its solutions, for that matter, are not aligned to make things work as SMBs need them to. They are not priced to be leveraged correctly by SMBs, and they admittedly cannot make the economics work for their sales forces to even get their solutions into the right SMB leaders’ hands. Big Cyber’s technology stacks lack the form factor simplicity essential for SMBs that lack the financial and human resources and training needed to manage and deploy those Big Cyber solutions. While you might see Big Cyber firms claim that “SMB and midsize enterprises are a focus for us,” it’s usually just lip service.

I’m sorry to say, but Big Cyber would rather continue selling lots of big solutions to big-budget buyers – it’s in their DNA, it’s what they do, it’s literally how they exist and operate. It’s their comfort zone and that is where they have the experience of serving. But when you really think about it, without fixing cybersecurity for small and medium enterprises, Big Cyber is essentially building a house of cards on a foundation of sand as they help to secure major enterprises but fail to help secure the future conduits for compromise, the SMBs.

It’s time we all recognized it and understood that if we don’t adopt a new approach now, and secure all organizations, of all sizes, effectively, with optimally priced solution portfolios up and down the business food chain, we’ll never emerge from the ominous shadow of cyber threats.

About Dr. Chase Cunningham

Creator of the Zero Trust eXtended framework and a cybersecurity expert with decades of operational experience in NSA, US Navy, FBI Cyber, and other government mission groups, Chase is responsible for Ericom’s overall strategy and technology alignment. Chase was previously VP and Principal Analyst at Forrester Research; Director of Threat Intelligence for Armor; Director of Cyber Analytics for Decisive Analytics; and Chief Cryptologic Technician, US Navy. He’s author of the Cynja series and Cyber Warfare: Truth, Tactics, and Strategies.
