By Jim Damicis, Senior Vice President, Camoin Associates
What is Cybersecurity?
Hardly a day goes by with without news regarding cybersecurity threats. Whether it is about elections, eCommerce, business, or social media threats – digital systems are growing and creating both challenges and opportunities for business development. There are many definitions of cybersecurity. One I like to use is from computer systems leader, Cisco: “Cybersecurity is the convergence of people, processes and technology that come together to protect organizations, individuals or networks from digital attacks.1” I like this definition because like it goes beyond technology to include people and processes. This aligns well with how I view economic development as operating within a dynamic system of people, organizations and networks.
Why is Cybersecurity Such a Big Deal?
So why such a big deal about cybersecurity? The answer: it is increasingly impacting our ability to conduct business from communications and networking, to markets, trade, logistics, and transactions. Additionally, our response to such threats to develop systems, services, and products that detect, correct, and protect is creating economic and business development opportunities.
Companies have taken note about the risk and size of threats. Corporations increased the number of times they mentioned cybersecurity on earnings calls nearly three-fold since 2014. The increase in cybersecurity talk is not surprising given the fact that last year stolen data records worldwide exceeded two billion for the first time. Throughout 2017, the total number of enterprise records breached every day, hour, minute, and second each doubled from the year prior according to Breach Level Index (BLI)2. And, the threat is expensive worldwide. Cybercrime damages will cost the world $6 trillion annually by 20213, which is conservative as protection and restorative actions are often hard to track.
Cybersecurity Industry Sector Performance
In terms of business and economic development, Cybersecurity includes, but not limited to, the following subsectors4:
- IT Security Consulting - Businesses in this industry offer managed IT security services, such as firewalls, intrusion prevention, security threat analysis, proactive security vulnerability and penetration testing and incident preparation and response. In 2018, there were 15,067 U.S. businesses in IT security consulting. Revenues grew 5.2 percent annually during 2013 through 2018 to a level of $13 billion in 2018 and are projected to grow 2.2 percent annually through 2023.
- Identity Threat Protection Services - Companies in this industry primarily provide software and services aimed at reducing the risk of identity theft from online or electronic media. In 2018, there were 62 U.S. businesses in IT Threat Protection. Revenues grew 3.7 percent annually during 2013 through 2018 to a level of $2.1 billion in 2018 and are projected to grow 4.5 percent annually through 2023. Rising competition, including free services, has dampened curtailed industry revenue growth potential.
- Digital Forensic Services Industry - Businesses within the Digital Forensic Services industry provide data recovery and investigative support services related to data breaches and cybercrimes. In 2018, there were 1,651 U.S. businesses in Digital Forensic Services. Revenues grew 11.8 percent annually during 2013 through 2018 to a level of $2.2 billion in 2018 and are projected to grow 5.8 percent annually through 2023.
Top companies in Cybersecurity across the span of related subsectors include: Booz Allen Hamilton, Oracle, Deloitte LLP, Leidos Holdings, IBM, US Army and Navy, Lockheed Martin, Wells Fargo, Northrop Grumman, Accenture PLC, Hewlett Packard, Symantec Corporation, Intersections Inc., AccessData Group LLC, Guidance Software, Global Digital Forensics and Paraben Corporation.
Cyber industries have also been experiencing significant venture capital investment supporting startups and innovation. According to CB Insights, 2017 was a record year for venture financing deals in cybersecurity with $7.6 billion invested in 552 deals. The U.S. has lead in deals in past five years (69 percent of all deals) followed by Israel (seven percent) and UK (six percent). Leading companies include in the innovation space include Tanium, DUO Security, Illumio, Lookout, CyLance, CloudFlare, Avast and CrowdStrike5.
Emerging Trends in Cybersecurity Related to Industry
Beyond the sheer size of the threats and disruption to businesses, there are several factors driving growth and innovation in cybersecurity. These are related to the fact that digital technologies and processes have increased rapidly to the point where everything is connected. Nearly everything is, or can be, digital and therefore everything at risk.
Regulations: As threats increase so do regulations. As an example, the General Data Protection Regulation (GDPR): The new GDPR will be enforced to protect people’s data in the EU. Infringements of this regulation will result in fines of up to 20 million euros6. Despite this occurring in the EU, it will affect institutions in the U.S. serving international students, clients, and patients, particularly in the sectors of education and healthcare.
Internet of Things (IoT): The first wave of the internet centered on connecting people with other people and information. The current wave is connecting things to things, meaning products, equipment, and machinery. This brings us to the emerging future where everything and everybody is or can potentially be connected. In manufacturing this is known as industry 4.0. Industry 4.0 is a term used to describe the fourth wave of technological advancement in manufacturing where multiple, if not all, parts of the manufacturing supply chain system are digitally interconnected including machines used in production, monitoring and control systems, and logistics all communicating with each other. More specifically with Industry 4.0 sensors, machines, workpieces, and IT systems will be connected along the value chain beyond a single enterprise. Since IoT devices become more integrated into our daily lives, it seems inevitable that we begin to use and understand them; however, we consistently fail to recognize their lack of basic security features. A recent survey from strategy consulting firm Altman Vilandrie & Company showed nearly 50 percent of U.S. companies using an IoT network have experienced a security breach7. Companies are well aware of this risk in their plans and strategies to adopt Industry 4.0 practices. A survey of industry by PWC flagged a wide range of concerns around data security, with operational interruption from cybersecurity breaches at the top of their list. Other issues like liability risks, unauthorized access to data and damage to company reputation are on the radar too8.
Industry and policymakers recognizing the significance are laying the groundwork for risk mitigation from cyber threats. The Aspen Cybersecurity Group, a cross-sector public-private forum comprised of leader in industry, policy, and academia have come together and put forth a set of security first principals for IoT. They include9:
- IoT devices should have appropriate security “Baked-In”
- There should be transparency on product security and privacy
- Manufacturers/developers should be held accountable for the security of their devices
- IoT devices should have updateable security
- Security should be in multiple layers
- Device features should be limited by necessity
As some are making way into standards and regulations it will increase the integration of cybersecurity into manufacturing and logistics.
Smart Cities: We are increasingly experiencing the integration of digital technologies, information, and applications for communities, or what are known as smart communities or cities. The integration of digital technologies, data, is happening across many different community service areas including infrastructure (transportation, sewer, water), public safety, health, planning, and governance. This has the ability to make communities more efficient, effective and responsive, but it also increases risk for cyber threats of all kinds and with serious potential impacts. Recent high profile cyber breeches have occurred in San Diego, Atlanta, Baltimore, New York City and Houston.
Rise of eCommerce and eServices: eCommerce (eRetail alone) has grown at an estimated annual rate of 14.3 percent reaching $509.9 billion in sales in 201810. Additionally, this growth in eCommerce is also being experienced in many services including health, business, and personal services. The resulting convenience to consumers and new business opportunities for industry is accompanied by increase cyber threats.
All these emerging trends are driving market demand across the cybersecurity industry.
Employment Trends in Cybersecurity
Cybersecurity employment is difficult to measure precisely because job skills and responsibility cut across multiple potential occupations including IT and management analysists, network administrators, software and application developers, and other IT related jobs. However, one specific occupation that is dedicated to cybersecurity related functions is Information Security Analysts (SOC 15-1122). This occupation is responsible for planning, implementing, upgrading, or monitoring security measures for the protection of computer networks and information. Related job titles include Computer Security Specialist, Information Systems Security Officer, Security Engineer Security Analyst, Network Security Analyst, Information Security Manager, Information Security Analyst, Security Specialist, Network Security Engineer, and Information Technology Security Analyst11.
Job growth has been swift and expected to continue. In 2018, there were 113,692 Information Security Analysts in the U.S. This was an increase of 36 percent from 2013, a rapid surge as the digital economy blossomed. Jobs in this field are projected to grow 15 percent by 2023 reaching 130,72112.
Information Security Analyst jobs are distributed across multiple industry sectors with the highest at 27 percent, being employed within Computer Systems Design and Related Services. Beyond this sector employment is highly distributed indicating these positions are important to many sectors.
In terms of states with the most Information Security Analysts, Virginia tops the list by a long stretch with 13,899 jobs in 2018 driven by access to federal agencies and contracts. Additionally, all the top ten states experienced employment growth in excess of 25 percent between 2013 and 2018.
So what kind of education do information security analysts have? Based on 2018 data on occupations 79 percent of persons employed as information security analysts have a bachelor’s degree or more, with bachelor’s degree being the most prevalent at 53 percent.
Talent is Key
While there are several factors that drive business and economic development success in cybersecurity including access to market, innovation, and digital infrastructure, industry experts stress the development, however retention of talent and skills is the most critical. Findings from the Aspen Institute Cyber Security Group state this well, “The U.S. currently has a cyber workforce shortage of 300,000 individuals, and the trend line predicts an increasing gap. This is largely because demand is significantly outpacing supply, large candidate pools are left untapped, employer requirements aren’t well synced to the skills needed, and awareness of cyber career paths remains low. Additionally, by 2021, we estimate there will be at least 470,000 unfilled cybersecurity jobs in the United States if we don’t start thinking – and acting – differently about how we identify and develop talent.13” To address this critical workforce challenge the Group established core principles for actions. These include simplifying and clarifying job announcements, making jobs available for those without college degrees, increasing non-degree training opportunities, and launching apprenticeship programs.
What Can Business and Economic Development Professionals Do to Support Expansion of this Industry?
Understand Key Location and Investment Drivers and Your Regions' Assets
First it important to understand key location and investment drivers and your regions' assets. Howard County, Maryland conducted a detailed assessment of cybersecurity opportunities and their ability to support industry growth14. Results indicated that cybersecurity companies are attracted to regions with an existing base of other companies in the industry and a highly skilled and educated workforce. Other critical factors include the quality of cyber-education and training, proximity to federal agencies for contracts, and access to other markets. Insights for the assessment enabled regional economic partners including the Howard County Economic Development Authority and the Howard Tech Council to develop and implement strategies to continue growing this sector and supporting existing companies as well as startups.
Grow and Retain Talent
A key take-a-way from this article is that talent is critical to success in growing and supporting the cybersecurity industry. As with all workforce development, partnerships and collaboration among industry, education, and service providers are a must. A best practice example of such focused partnerships is the efforts by the Northern Virginia Community College, NOVA15. NOVA serves the Northern VA region and through strong connections and partnerships with the industry offers timely, relevant, and industry-specific training and education. This includes partnerships with training and certification leaders the EC-Council and CompTIA to offer students industry certification vouchers at an academic discount. It also includes curriculum that is mapped to Federal National Security Agency and the Department of Homeland Security cybersecurity education standards. To further provide hands-on experience and training NOVA offers cybersecurity students many opportunities to participate in regional and national competitions including with the National Cyber League, Mid-Atlantic Collegiate Cyber Defense Competition, and Educause Security Awareness Video and Poster Contest.
Another best practice is the College of Marin in the San Francisco region, which has developed an industry responsive cybersecurity certificate. “Offered in collaboration with Cisco, the program offers six modules, each with their own computer network certification. The first module, ‘IT Essentials,’ offers a certification in CompTIA A+, while the sixth culminates in the cybersecurity certification itself. No college prerequisites are necessary and students need not commit to all six modules, making the course highly accessible for people (such as recently displaced workers) interested in rapid training16.”
A specific example of an industry lead initiative is the IBM Apprenticeship Program, which was launched in 2017, as a Department of Labor Registered Apprenticeship program. “IBM Cybersecurity Analyst apprentices complete a 12-month training program that includes over 400 hours of structured learning, coupled with mentorship and on-the-job activities like performing network and wireless intrusion detection, security activity monitoring, incident response processes, scans of databases, web applications, anti-virus and others. In addition, apprentices complete required learning and exam preparation for the CompTIA Security+ Certification17.
Integrate with Smart Cities
Smart city/community practices and principals are growing rapidly from an emerging trend to a best practice, and soon to become industry standard in local and regional governance. This is being accompanied by significant investments by communities. Leveraging these efforts and resources with business and workforce development can help grow local and regional economic opportunities. The City of Los Angeles offers a best practice example as they invest in a cybersecurity lab and boost security across the city. Bolstered by a $3 million grant from the U.S. Department of Homeland Security, the City of Los Angeles is expanding the capabilities of a public-private partnership to protect the city against hacker attacks and support the cybersecurity industry. The expansion will allow the Los Angeles Cyber Lab to build a universal platform for threat intelligence. Partners in the public and private sector will be able to submit threats to the Lab for analysis and distribution to other participants. To support growth in the cybersecurity industry, the Lab will also invest in an innovation incubator, which will open the program to students, researchers and product developers. Organizers will also expand trainings and conferences18.
Find your Niche
It is important to understand that solutions don’t need to be large region or city. Find the niche with existing industry that have cyber concerns – healthcare, logistics, manufacturing, etc. Obviously, this is easier for localities and regions with large companies and institutions that face constant threat but play to the companies and institutions you have.
About the Author: Jim is Camoin Associates’ Senior Vice President. He has more than 25 years of experience in public policy research and analysis. Jim brings a holistic, innovative approach to Camoin’s data-driven economic development planning efforts. Through his work with the Communities of the Future and World Future Society, he is a national leader in preparing the profession, communities, and regions for an emerging economic future.
5 2018 Cyber Defenders, CB Insights, 2018, hKps://www.cbinsights.com/research/report/cyber-defenders-2018/
6 8 cybersecurity trends to watch for 2018 by Michelle Drolet
7 New Survey Says Half of US Companies Using IoT Have Been Breached by Ken Briodagh
8 2016 Global Industry 4.0 Survey - What we mean by Industry 4.0 / Survey key findings / Blueprint for digital success, www.pwc.com/industry40
14 #HOCOGOESCYBER: A Study on Cybersecurity Companies In Howard County, Maryland, www.hceda.org/business-support/htc/
17 Principles for Growing and Sustaining the NaAon’s Cybersecurity Workforce, Aspen Cybersecurity Group, Aspen InsAtute, November 2018, www.aspeninsAtute.org/publicaAons/principles-for-growing-and-sustainingthenaAons-cybersecurity-workforce/