
The Unsolved Opportunities For Cybersecurity Providers


Risk & Resilience Practice

The unsolved opportunities for cybersecurity providers

With sophisticated cyberthreats on the rise, organizations must continue evolving by using novel strategies and technology. For cybersecurity providers, the challenges and opportunities are numerous.

by Bharath Aiyer, Jeffrey Caso, and Marc Sorel


January 2022
The COVID-19 pandemic has forced rapid changes on corporate cybersecurity functions. Chief information-security officers (CISOs) have had to adjust their strategies to account for remote working, pivoting from working on routine tasks to working on long-term goals of establishing secure connections for remote situations. Managing business continuity has been the goal, with the patching of remote systems over virtual private networks, handling of those systems’ increased workloads, and monitoring of spiking cyberthreat levels and cyberattackers targeting at-home workers with an array of threats. In fact, a McKinsey survey of cybersecurity providers found a near-sevenfold increase in spear-phishing attacks since the pandemic began.¹

The challenges that face organizations are also forcing cybersecurity providers to pivot, adjusting their strategies and their product and service offerings to meet postpandemic objectives. That must be done in a manner that accommodates the new security landscape but continues to monitor customers’ needs while adjusting sales, service, and training accordingly. The elements that enterprises must secure (data, devices, people, networks, machines, and applications), how they must secure them (prevention, detection, response, and remediation), and why it’s important to secure them (to mitigate loss of lives and livelihoods) continue to evolve, and cybersecurity providers have yet to solve several crucial customer challenges. The stakes have never been higher.

Insights from the results of the cybersecurity-provider survey revealed that CISOs and cybersecurity-operations teams will continue to invest niche spending in the areas of perimeter security, next-generation identity and access controls, remote access, security automation, and security training. With a vast ecosystem of technology platforms and partners, cybersecurity providers will need to differentiate themselves. The research suggests that there remain four unsolved challenges: the visibility gap, fragmentation of technology, the talent gap, and the measurement of ROI. Addressing even one of these challenges can help providers gain a sustainable edge in an ever-evolving, fragmented, and competitive market.

Visibility gap

Without visibility into digital infrastructure, it will be difficult for companies to recognize when, where, or why there is a problem. According to a recent McKinsey survey of approximately 200 buyers of security-operations applications (such as security-information and -event management and security-orchestration, -automation, and -response tools) in the enterprise market (companies with more than 1,000 employees or topline revenue more than $1 billion), around 60 percent of buyers analyze and triage less than 40 percent of their enterprises’ log data. Worse, that figure may be understated: third-party and software-as-a-service log data are often excluded, since they are not prioritized for collection and analysis in many enterprise environments.

Today’s typical enterprise environment, though, can make that necessary visibility difficult (see sidebar “Case example: Cybersecurity visibility”). Chief information officers and CISOs also need to rethink their analytics strategies, with an eye on deploying analytics designed for the volume and nature of today’s data, both structured and especially unstructured.

Case example: Cybersecurity visibility

McKinsey worked with a large, multinational pharmaceutical company that had a security-visibility problem made worse by its ongoing move to the cloud. One-fourth of its public-cloud workloads were not connecting to its system for security-information and -event management. A forensics analysis discovered the issue when responding to an active cyberthreat.

¹ Venky Anant, Jeffrey Caso, and Andreas Schwarz, “COVID-19 crisis shifts cybersecurity priorities and budgets,” McKinsey, July 21, 2020.



The best way to begin any compliance or security program is to assure telemetry at the endpoint, thus helping ensure that automated communication processes from multiple data sources are normalized and standardized for faster and more consistent analysis. That element alone can contribute to better customer experience, application health, quality, and performance, in addition to more scrutiny from a security standpoint. The sad truth is that few, if any, enterprises are confident that they have accurate and comprehensive telemetry to detect an intrusion in their environment. In solving the telemetry and visibility gap, cybersecurity providers should perform the following actions:

— Rethink the ‘pay by the drink’ approach (such as pay per log) to volume-based pricing models. Such payment mechanisms are unsustainable at scale for enterprises, particularly when considering an enterprise’s consumption models for cloud architecture and infrastructure. Offerings should be adjusted to solve rate limits of mass data processing at the peta- or terabyte level.

— Identify the missing puzzle pieces to building a 360° view. The security-telemetry implication is often the tip of the iceberg. In many companies, the broader ecosystems for IT- and data-asset management have not matured to keep up with the security approaches. Leading providers will build tooling that can construct an outside-in view of the puzzle and identify the critical missing pieces. Such business-aware, intelligent tooling provides substantial value to a cybersecurity function because it shifts the conversation with business leaders away from numbers to the value chain and revenue streams of the business. Educating customers on how to plan for cost reduction and be purposeful about which logs they select to ingest, as well as building low-cost data lakes that can affordably collect all logs for pretriage to feed into the system of choice for security-information and -event management, can bridge the gap in the interim. That means that sales engineers, architects, analysts, and other personnel are critical in identifying puzzle pieces that are missing (or redundant) as part of the presales process to demonstrate to security buyers how a technology will close visibility gaps.

— Reduce false positives, forcing the organization to approach cyberthreats proactively, not reactively. The improved use of AI and machine learning provides a holistic view of an entire security program, including on-premises, in the cloud, across geographies, within business units, and from remote networks. Transparency here allows an organization to prioritize potential threats. By reducing false positives, it has a clearer picture of cyberthreats such as vulnerabilities, unpatched systems, and misconfigurations.

Technology-fragmentation challenge

Part of a CISO’s job has an impossibility element. Their teams are supposed to protect against future cyberattacks, with the nature, method, timing, scale, and identity of those attackers unknown. Those frightening unknowns fuel a fear of reducing the number of security applications, even seemingly redundant ones (perhaps obtained through an acquisition), because it’s possible that the targeted app might be the one to save the enterprise.

Enterprises grapple with the timeliness challenge of technology decisions (where and how to balance agile-best integrated options with fragile, fragmented, best-of-breed options), since different technology, applications, and providers are used across an organization. Often, a company may have more than 100 third-party security tools in use. In many cases, that number is driven by the CISO’s expanding mandate—and desire not to be the one who cancels the tool that might prevent the next big breach. There are several key drivers of this security complexity.

The enterprise perimeter has changed in recent years as the paths to access data assets have soared, with no single perimeter existing. The influx of IT functions hosting on-premises, private- and public-cloud environments is upon us. As a result, multi- and hybrid-cloud security will continue to be critical, and CISOs will be willing to pay for increasingly hard-to-find skills (such as mainframe security) from a service provider.

With many industries, the first challenge of operational-technology (OT) security is identifying who “owns” it. Once resolved, the logical next questions follow: Who funds it, who operates it, and what are the intersection points between IT and OT security? A duplication of security controls, policies, frameworks, and vendors across both IT and OT only drives complexity further.

The interlinkages among data governance, data privacy, and cybersecurity have precariously positioned the CISO as the only first-line enforcer amid a second-line function. With the continued expansion of data regulations, data-sovereignty laws, and customer interest in data privacy, the CISO is increasingly asked to add tooling, process, and prioritization to retrofit privacy into security. In many cases, that has led to a proliferation of tooling, such as data classification, data tagging, data-access governance, and privacy management, where the operating model between information security and privacy (compliance concerns) can get blurry.

While CISOs report varying degrees to which they have a seat at the table during M&A, one thing is for sure: after M&A, they will have plenty of cleanup to do. Companies are vulnerable to cyberattacks during acquisitions, which means that the last thing a CISO wants to do is rip and replace the tooling, leaving unknown vulnerabilities exposed. To understand capabilities, cyberthreats, and critical data, integration teams can prioritize a target’s function-specific technology applications by categorizing each. Here lies an opportunity for cybersecurity providers to offer material value.

To help CISOs extract themselves from the “one-way ratchet” that is enterprise cybersecurity tooling today, cybersecurity providers need to perform the following actions:

— Produce offerings that allow for seamless simplification of sprawl. Deploy a product that takes over incumbent functionality, generates data to show the efficacy of the new layer offering (such as recurring money and time saved by rationalizing tooling), and enables the sunsetting of old, legacy approaches.

— Use cloud and software-as-a-service adoption or updates as an opportunity for tool rationalization. Providers must maintain relationships with major cloud platforms, emphasizing native integration with software and platform leaders, as hybrid scenarios with on-premises, public- and private-cloud expand. Many major platform players have invested significantly in managing their relationships with cloud service providers.

— Engage all stakeholders, make business-based simplification decisions, and don’t put all the cybersecurity burden on the CISO. Organizations should empower their CISOs to make risk-based simplification decisions, gaining cross-functional support for key simplification decisions so the burden (and after any incident, the blame) does not rest solely on the CISO.

Cybersecurity-talent gap

With more than 3.12 million jobs in cybersecurity estimated to be unfilled in 2021,² the talent shortage is a massive problem, and it’s affecting both clients and providers. The use of technology—primarily AI and its machine-learning offspring—has helped slightly, especially in a security-operations center dealing with an active cyberattack. But the technology is primarily supplementing security analysts, allowing human capacity to be more efficient and to focus more on tasks where their experience and creativity are essential. Addressing the talent gap takes innovation and persistence:

² “Cybersecurity workforce demand,” US National Initiative for Cybersecurity Education, 2021.



— Recruiting realities. To manage the skill gap, cybersecurity providers may want to focus on offerings that are not as people intensive to deploy and manage or maintain. To remain talent competitive, providers should get creative when it comes to recruiting, training, and retaining talent, such as looking beyond traditional places, finding individuals with similar skill sets that can be trained, looking beyond formal education, and so on.

— More one-shop and full-stack-service providers (such as ‘infra in a box’). Companies are moving away from the approach of product-delivery deployment and moving toward annual subscription models that include service delivery.

— Impact of delivery preferences on customers’ key buying factors. Delivery preferences are critical. For example, the rate of false positives has historically been a top buying factor in several security-product markets, for a logical reason: the more false positives, the more frustration and manual effort for security-operations teams to trudge through every day. However, as the delivery of those products has shifted to a service-driven approach, buyers care less about false positives because they no longer see level-one and -two data. Instead, the triage stage is outsourced almost entirely by the product provider’s service team. Buying preference moves farther right along the value chain to the value and actionability of the intelligence, response time, and so on.

Cybersecurity’s ROI

The most successful cybersecurity program is one that no one notices and that enables the underlying business to function unhindered. Organizations today struggle with understanding how to measure the return or value of a dollar spent on cybersecurity, as well as how to communicate its value to internal stakeholders, such as C-suite and board members. Providers should structure their output, reporting, and dashboards to speak to business audiences, as well as technical audiences. Provider solutions should take credit for all their accomplishments.

If an industry is not implementing the right cybersecurity programs and therefore spending less than its needs demand, there is no comfort in looking at its neighbors from a comparison standpoint. Maturity in no way guarantees resilience, but it does help define and measure ROI appropriately. To have a true security proposition, there are at least three dimensions that the cybersecurity provider community should consider:

— Business value. Do the organization’s security offerings reflect the priorities of its customers’ businesses today? When those business priorities change, can its security program adjust its priorities effectively? When there’s a crisis, can it quickly map online services to business processes?

— Customer value. Does the customer see the organization’s security capabilities as a differentiator? Do they know it is managing top risks?

— Market value. Do external stakeholders, including investors, vendors, and third-party supply chains, understand the organization’s security journey and the impact of the security team over time? Are security capabilities included as part of the company’s valuation? How does the organization talk about security to “the Street”?

Continuing to evolve

For cybersecurity providers, the ability to offer customers real-time technology and services that speak to the business, not only the CISO, is crucial. They also need to demonstrate the right value and key performance indicators to measure outcomes, which is the first step on the journey to helping their customers differentiate as security-minded businesses.



The four challenges detailed in this article can be solved, and a wait-and-see approach is not advised. It is important to realize that the challenges are fundamental to the industry and to define the constraints within which the industry operates. Executives must be cognizant of such issues, as well as try to solve them. But most importantly, cybersecurity professionals need to be open and transparent about them with internal stakeholders, working in collaboration to solve each challenge (see sidebar “Case example: Cybersecurity trust”).

From a go-to-market perspective, cybersecurity vendors that can appeal to business, functional, and technology executives alike will have more success in becoming household names.

Case example: Cybersecurity trust

Following a series of public breaches, a global software provider created the position of chief trust officer. It empowered that leader to be the company’s external-facing cybersecurity ambassador to the market. The role serves as a bridge between customer-account teams and technical information security, as well as a convener role (for example, promoting industry-wide collaboration on cybersecurity and establishing a regular cadence of cybersecurity discussions with key customer accounts).

Bharath Aiyer is an associate partner in McKinsey’s Bay Area office; Jeffrey Caso is an associate partner in the Washington,
DC, office; and Marc Sorel is a partner in the Boston office.
Designed by McKinsey Global Publishing
Copyright © 2022 McKinsey & Company. All rights reserved.

