The recent data leaks have definitely put cybersecurity on the agenda of all organizations. However, many companies still see cybersecurity as a cost and not an investment. Claranet, DRC, Multicert, Noesis, Warpcom and WhiteHat share their vision on Portuguese cybersecurity market, its challenges and opportunities
For some years now, cybersecurity market worldwide has been growing. Portugal is no exception; with companies going through their digital transformation processes, investing in cybersecurity is urgent. No company is too small to be attacked.
Changing mentalities is essential. Evangelization has been going on for several years, but the message has not yet reached all decision makers in small businesses. A security breach in a small business can, in certain cases, put larger organizations at risk.
Portuguese market growth
The latest data from IDC on the Portuguese cybersecurity market, for the year 2018, show that the market grew by 3.6% in this period. In total, the Portuguese market reached 135.97 million euros.
IDC also estimates that Portugal will have a growth of 6.71% between 2018 and 2022 in this market. In comparison, the same entity expects the cybersecurity market in Western Europe to grow slightly higher - 7.37%.
Bruno Rodrigues, Cybersecurity Specialist at Noesis, argues that, despite what the cybersecurity market is not yet fully defined, demand has, in fact, been growing. “Companies are more sensitive, they already make money available for that”, he indicates. “What has been seen is that cybersecurity was part of the costs and telling managers that it is more of a cost is a drag; Nobody like". In the opinion of Bruno Rodrigues, the Portuguese market will see “an integration of cybersecurity in the company's processes and be part of the business”. In this way, demand will rise and the market, in terms of value, will increase.
Nuno Mendes, CEO of WhiteHat, agrees that there has been growth in the Portuguese market. This growth, he says, will be related to “a greater perception of risk, as a result of the communication that has existed in the media and the emerging amount of information leakage from companies of all dimensions”. Nuno Mendes believes that these situations "are proof that small and medium-sized companies also have to be equally concerned with the security of their information".
On the other hand, the CEO of WhiteHat points out that there is still a mentality that cybersecurity is at the back of the strategy of many organizations. “If insurance is not mandatory, it becomes an option and an investment to avoid; it is rarely considered an investment. There is a need for more training and awareness in this area with companies”.
From the perspective of Warpcom, represented at the round table by Manfred Ferreira, Technical Architect Consulting, the market has seen “very sharp growth” in terms of cybersecurity requirements. The company found that although there were proactive requests, most were reactive, both in the public and private sectors. “We detected strong growth and requests in this area, not only for solutions, but also for consulting and identification, analysis and detection” of failures within the infrastructures of the various organizations. With the various leaks of information that have happened recently, Manfred Ferreira estimates that the growth may be higher than the estimated by IDC.
David Marques, Information Security Manager at DRC, points out that there is not only an effective market growth, but also a greater demand for this type of solutions. However, this search “no longer comes only from the IT or security department”. The demand for cybersecurity solutions came mainly from the IT department, which had certain concerns, “and now it is noticed that the demand comes from other channels, from top management, that there is often the driver for the search for solutions” from safety. David Marques says that many organizations have a concern with this type of services or solutions, but that there is not always “a strategy that can lead to this concern being satisfied, making the investments not structured”.
António Ribeiro, Head of Cybersecurity at Claranet, explains that, in his perception, there is a growth in the Portuguese market higher than that indicated by IDC. If organizations used to look at these issues exclusively as a cost, now “it is already an enabler, security is already part of the business itself”.
“There is no point in having a good technological solution”, warns António Ribeiro, who says, “It is necessary to have the right people”. At the same time, it is necessary to make a product change for the service, where companies stop selling just one product, like a firewall, to start selling services that actually bring more value to the customer. This change in the sales model is essential considering that “there are no resources”. Many of the customers thus turned to the services managed to fill the lack of talent in companies.
Regarding the IDC study, Luís Martins, Head of Cybersecurity at Multicert, says that there is a difference between software, hardware and services and the numbers show that services have a much smaller growth, even considering that this is the natural evolution in the sector.
Multicert's Head of Cybersecurity states that there will certainly be a path when moving from products to services, but it seems that this change is not yet happening in the Portuguese market.
Convincing who decides
Organizations have changed. The most advanced companies that understand the role of cybersecurity no longer delegate the role of choosing the best solution to the IT manager or CISO - when it exists. In many cases, it is the CFO or even the CEO who will show up and be present in the process of selecting the appropriate cybersecurity solution for the organization.
If large companies have specialized interlocutors in the areas of security, the vast majority of SMEs do not. Luís Martins (Multicert), indicates that “lacking resources” in small companies, he is often the head of IT who is the point of contact for questions about the organization's security. “From the point of view of the approach, you have to show with facts that a particular service is more effective than buying a solution or product that will not solve your problem. That must surely be the logic of conversation with SMEs ”. Portuguese small and medium-sized companies still do not have an approach of concern and there are organizations that, despite being aware of the news of data breaches, believe that they are not a target.
António Ribeiro, from Claranet, says that the easiest way to convince an SME to adopt security services is after the organization is attacked. This mentality is largely due to the knowledge - often limited - that companies have on these topics and for not realizing the need to protect their infrastructure, their operations and their own business. “The main issue in an SME is, once again, related to resources; at best, they have an IT manager, but there are no dedicated people who can see the whole puzzle, ”he says. In view of this lack of resources, companies must hire external services to manage the security of their infrastructures so that they can focus on their business and on what they do well.
“Today, it is not difficult to talk to security decision makers; there are very specific concerns in this regard,”says David Marques (DRC), who adds, however, that there is “an enormous difficulty in prioritizing investments. The budget is limited and it is often our fault, because of the solutions and services, with new and different concepts. It is very difficult for the decision maker to know how he will prioritize the investment; he has a budget, but he is not sure where and how he will spend it”. David Marques says that it is also important that the various companies that work with cybersecurity simplify the concepts as much as possible so that those on the side of the decision can understand them in an easy way.
“Our approach is not to sell cybersecurity; our approach is to go to clients and understand their pain, their needs and the level of maturity” to be able to help the client, explains Manfred Ferreira (Warpcom). It is also necessary to bear in mind that customers “do not live the same concerns as we do”, but companies that sell cybersecurity services or products have to “put on shoes” for customers and understand what their needs are and help with the investment of companies. Solutions or services that they should invest.
Nuno Mendes, from WhiteHat, recalls that the vast majority of the Portuguese business fabric are SMEs and that it is necessary to raise awareness of the issue related to cybersecurity. “It is necessary to pass the message of cybersecurity from the top - where there is already a complete domain on the topic -, to the element that is in contact with the client. This is a big challenge”. The CEO of WhiteHat indicates that it all comes down to raising awareness among companies and decision makers within SMEs, doing a risk analysis so that organizations can understand where they are exposed, where they should make their first investments and how they should approach the topic of best possible way.
Bruno Rodrigues, from Noesis, explains that it should not be necessary to convince an SME that it is necessary to invest in cybersecurity. On awareness, Bruno Rodrigues argues, “there is no need for more awareness”. “Companies don't have to be cybersecurity experts, the subject is too wide. Unfortunately, threats evolve too fast, but there doesn't have to be any more awareness; there must be common sense”, he indicates. On the other hand, cybersecurity is not a “sexy topic” and, possibly, it is necessary for the industry to transform the most attractive topic for the various organizations to invest more in these topics within their business.
Artificial intelligence presents itself to the service
It is known that Artificial Intelligence (AI) is increasingly present in the daily operations of organizations and in the lives of people in general. In cybersecurity it is no exception. It is the AI that allows analyzing a large amount of attack data and perceiving patterns, identifying the main targets of attacks and assisting in the defense of systems.
At the same time, artificial intelligence can - and is - used on 'the other side'. It is not only those who defend that have AI at their disposal; the dark side also uses artificial intelligence for any number of possibilities in an attack on one or more organizations.
Luís Martins (Multicert) believes that artificial intelligence “is the inevitable path” to cybersecurity. However, he recalls, the difference between those who defend and those who attack is that those who defend “are always a little behind”. “Any more committed attacker uses data analysis techniques to get the information that is exposed. It is possible to make easy scripts to reach quick conclusions” to have an “interesting database” to attack an organization. Those who defend, on the other hand, are not yet using their full potential to protect themselves in the best way and there is still a “structuring path” to follow to reach all of that potential.
IoT devices have broadened the base of possible entry points for all companies. Thus, an automation model of incident analysis is necessary so that it is possible to analyze the large amount of data generated. António Ribeiro (Claranet) says that artificial intelligence can help a lot in a first line of attacks, where there may not even be human intervention and be addressed in a fully automatic way. The next step will be the predictive models where you can stop talking about “zero days” and start talking about “negative days”. These models, combined with artificial intelligence, will perceive certain patterns that lead to a cyberattack.
Noesis' Cybersecurity Specialist says that AI “is a sexy topic” where “everyone wants to know, but almost nobody will implement it”. The struggle between defenders and attackers in this field is "extremely uneven". While advocates have a difficult task to get datasets for machine learning, hackers, some who have multiple infected networks, have access to an almost endless amount of data.
Instead of artificial intelligence, Noesis prefers the term “assisted intelligence” that analyzes information and delivers to the person what is most relevant so that the employee can better protect the organization that is suffering an attack, distributing its effort depending on the severity of the attacks.
Warpcom's Technical Architect Consulting reveals that the digital transformation means that there is more and more information that is not always valid, and where the validity of that information is increasingly reduced. “Artificial intelligence is still quite behind schedule and the boom will now happen with 5G, where we will have access to massive data, be able to extract it and analyze it in real time to take actions”, says Manfred Ferreira, adding that "Then yes, artificial intelligence will be one more component, it will not be the only one".
DRC's Information Security Manager believes that the market “is still in a very early stage of exploiting potential” of what AI can do. However, he warns, "if most organizations don't have the basics, how much more are we talking about machine learning and artificial intelligence". “There are areas where automation, orchestration and the issue of changing the workforce make perfect sense. Because of everything that these new capabilities bring to organizations, it is very likely that what SOC 24/7 will be transformed”, where artificial intelligence will certainly play an important role. “Now, until we get there, there is a very, very large amount of human work to be able to leverage these capacities effectively,” he says.
WhiteHat's CEO says that, in practical terms, what we are seeing in Portugal are simpler actions that do not involve artificial intelligence, but that leave a severe impact on each organization. "There are, however, other threat vectors that take advantage of massive attacks that do not require profiling and recognition in order to understand what the vulnerabilities are," says Nuno Mendes. As a rule, he says, attacks in Portugal take advantage of already-known vulnerabilities and zero-day threats, and there is a need for systems that can identify these types of threats.
*Published in IT insight