Computer fraud, zombie accounts, identity theft, hacking, phishing, cyberattacks, viruses… Digital development and emerging technologies haven’t come without a price — suddenly it seems like the whole world has woken up to the threats of neglected cyber security efforts. And with good reason, as the cost of cybercrime around the world is expected to rise to $6 trillion annually by 2021.
“Facebook accidentally leaks phone numbers of 419 million users”, “Google Play scam apps downloaded more than 8 million times”, and “Stalking apps that spy on employees, partners and kids discovered”. These are only a few of the many examples of horror headlines concerning cyber security today. I’ve spent 17 years in the field, working as CTO and CSO of F-Secure to build one of the leading cyber security and privacy companies in the world. In those years, the security landscape evolved from simple worms and viruses spreading via storage media and email to advanced persistent threats using all possible means to gain unauthorized access to information and resources.
I saw the field evolve and was a part of this growth, but never before has the landscape been as challenging and intriguing as it is today. The ugly fact is that when there is big enough motivation and access to resources, no system is impenetrable. The focus has shifted from merely trying to prevent attacks to detecting, isolating and responding to them.
Even though the challenges placed by cybercrime are vast, the opportunities in this space are, too. End-user spending for the information security and risk management market is estimated to grow at a compound annual growth rate of 8.7% from 2018 through 2023 to reach 188 billion dollars (Gartner, 2019). While I’ve already left the daily world of cyber security behind, my interest towards the field hasn’t faded: quite the opposite. As an investor, I’ve awoken to the potential benefits and opportunities of the industry, most of which are still largely untapped. Next up: three domains and solutions in cyber security that I’m particularly interested in.
Solutions to cyber crime — three areas on an investor’s watchlist:
- Balancing asymmetry. Cyber security has been described as the asymmetrical game of war — this means that companies need to invest significant resources in building their defence, but the attacker only needs one loophole to win. In fact, defence alone is no longer enough, and many companies have adopted detect and respond solutions to be able to react quickly when defence lines fail. It’s clear that we need more solutions to deal with this imbalance. HackerOne is one example of a company that helps companies improve their defences: they enable organizations to find vulnerabilities before they are exploited by partnering with the global hacker community. Another approach is to improve detection capabilities by pooling together information and visibility from different organizations on what types of attacks are happening in the given moment, thus aiming for “herd immunity”. We will likely see many new innovative approaches in this field.
- Zero-Trust. Even though the term was coined already in 2010, only quite recently and gradually have technologies enabling zero-trust moved into mainstream and modern security aware companies started implementing architecture following these principles. The principle is pretty self-explanatory — it means that companies should not put their trust in any single entity inside or outside the organization, be it an individual person or program seeking access. In practice, it means cross-pollinating different methods of authentication and encryption to verify the identity and location of those seeking access to the organization’s information. Zero-trust also spills over to corporate policy, as organizations are encouraged to limit employees’ access to information in order to minimize their vulnerability. In an ideal situation, each employee is given the minimum amount of access needed for them to carry out their tasks. The age of superusers and skeleton keys is undeniably coming to an end. This calls for new solutions that make it simpler to develop, deploy and maintain zero-trust architecture.
- Deepfakes. Deepfake describes an event where AI is used to create lifelike headshots from a mass of selfies, tamper videos or audio clips by placing words in the mouths of people, showing people in locations they’ve never been and engaging with individuals they haven’t met before. We may have laughed at Bill Hader morphing into Tom Cruise, but let’s not forget that deepfake has a darker side. In the near future, it’s expected that deepfakes will be used for presenting politicians in bad light or by media reporting for false news, as well as individuals scamming others. The Verge already wrote about how a company executive was tricked into wiring €200K to their supplier after deepfake software was used to mimic the voice of his boss asking him to do the transfer. As the technologies develop, frauds such as these are likely to become even more advanced — thus, demanding novel methods to counter these threats, too.
Larger security vendors have been actively consolidating the market, but there is still ample room for new innovations and fresh faces to enter the field. The increasing complexity of IT systems and infrastructure combined with a shortage of skilled employees will continue to fuel the growth of the cyber security market, providing fertile ground for many new startups. We at Maki.vc currently have one cyber security company in our portfolio — sorry, they’re still in stealth mode! — but we are constantly on the lookout for more.
If you wish to keep yourself updated on what’s happening in the field, I’ve listed some of my favorite reads and podcasts on cyber security:
- Book: The Art of Deception — Controlling the Human Element of Security, Kevin D. Mitnick & William L. Simon
- Reports and News: Krebs on Security by Brian Krebs
- Podcast: Security Now! by Steve Gibson and Leo Laporte.
About the author: Partner at Maki.vc, investing in early-stage deep-tech and brand driven companies. Previously executive at Enevo and F-secure. IoT and music geek. @pppalomaki