Marktkommentar #12: How Good Are the Career Prospects in the Cybersecurity Industry?

Cybersecurity: the ultimate industry for providing very lucrative but ineffective solutions, writes the FT with a wink, pointing out that the number of successful attacks keeps rising despite ever-increasing security spending. Shlomo Kramer (CEO, Cato Networks) is quoted as saying “This entire economy in security is broken, and it’s getting worse and worse”. Let’s see what the future holds – we may actually see more results-based compensation models.

Also interesting: The open letter from CISO and CISSP veteran Ira Winkler, in which he accuses ISC2 of overstating statistics on the number of open cybersecurity positions by several orders of magnitude (one can assume, on purpose).

A few figures that emerge from the discourse:

  • Worldwide, an estimated ~5 million full-time employees currently earn their money with cybersecurity
  • However, the number of employees is stagnating, contrary to popular claims
  • In Europe and North America, the number of security workers has been declining for 3 years
  • Germany, a prime example: In 2024, there was a decline of ~4% to approx. 440,000 employees (NIS-2 and CRA may help us here in the short term)

What fits in with this: Everyone is talking about security as a major growth market. But when I ask security experts in private whether they believe that there will be more security employees in Germany in 20 years than today, the almost unanimous opinion is: No.

The main reasons given, perhaps in more detail at a later date:

  • Increasing standardization + automation (not only of security, but of the underlying IT infrastructure)
  • As a sub-point of this: Cloud migration => increase in productivity through centralization
  • Vendor Consolidation
  • Relocation of activities to eastern EU countries
  • Prohibitions/restrictions on ransomware payments

I see a particularly large gap between the advertising of training providers such as SANS and of private universities with cybersecurity distance-learning courses (“No previous technical knowledge necessary”) and the reality of entry-level positions and the salaries promised for them. Broadly speaking, experts with professional experience are sought. Career changers without solid IT knowledge who have taken a crash course in generic security basics will usually not simply land a well-paid job, on either the user or the provider side. Well paid in the sense of: better paid than an IT administrator. This is logical: in most companies, security teams are small, and getting approval for every additional headcount is a grueling battle against the guardians of the budget caps. Who hires newbies? And even in sales, there are now enough people who may have little expertise but make up for it with a good network of IT decision-makers.

By the way, Forbes picked up the story about Gili Raanan and Cyberstarts. Since June, the remuneration of CISOs whose employers bought the products of the VC fund (“Sunrise”) has been suspended. In the past, up to 250k USD was probably paid out. At least I could be bribed with less, but in the USA you can just get a small coffee for it.

Thoma Bravo has been busy again: The portfolio company Proofpoint has acquired the Data Security Posture Management (DSPM) provider Normalyze. What can such a DSPM tool actually do?

  • Automatically classify data (avoid manual tagging)
  • Depending on the classification and customer-specific rules (e.g. consideration of security measures), the data is then automatically assigned to risks
  • Depending on the risk class, the configurations of cloud storage services, for example, can then be tested against benchmarks
  • In contrast to CASB/DLP tools, there is no detection or blocking of access/downloads
  • In addition to standalone DSPM tools such as Varonis, many providers have strengthened themselves through acquisitions with similar features, e.g. Palo Alto with Dig, Tenable with Eureka, Fortinet with Next DLP and Crowdstrike with Flow
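To make the three-step pipeline above concrete (classify the data, map it to a risk class via customer rules, then check the storage configuration against a benchmark that depends on that risk class), here is an added illustration in Python. It is not Normalyze’s or any vendor’s code; the objects, bucket settings, PII detectors and benchmark values are all constructed for the example.

```python
import re

# Constructed sample inventory: three cloud storage objects, each with a content
# sample and the configuration of the bucket it lives in (no real data).
SAMPLE_OBJECTS = [
    {"bucket": "hr-exports", "key": "payroll.csv",
     "sample": "Jane Doe,DE89370400440532013000,jane.doe@example.com",
     "config": {"public_read": False, "encrypted": True, "versioning": False}},
    {"bucket": "marketing-site", "key": "newsletter.html",
     "sample": "Subscribe at news@example.com for updates",
     "config": {"public_read": True, "encrypted": False, "versioning": False}},
    {"bucket": "build-artifacts", "key": "app-1.2.3.tar.gz",
     "sample": "binary blob, no personal data",
     "config": {"public_read": False, "encrypted": True, "versioning": False}},
]

# Step 1: automatic classification, here via two simple PII detectors.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

def classify(sample: str) -> set:
    """Return the set of data categories detected in a content sample."""
    return {name for name, pat in PII_PATTERNS.items() if pat.search(sample)}

# Step 2: customer-specific rules map the detected categories to a risk class.
def risk_class(labels: set) -> str:
    if "iban" in labels:
        return "high"       # financial identifiers
    if labels:
        return "medium"     # other personal data such as e-mail addresses
    return "low"

# Step 3: the benchmark a bucket must satisfy depends on the risk class of its data.
BENCHMARK = {
    "high":   {"public_read": False, "encrypted": True, "versioning": True},
    "medium": {"public_read": False, "encrypted": True},
    "low":    {"public_read": False},
}

def check_config(config: dict, risk: str) -> list:
    """Return the benchmark settings that the bucket configuration violates."""
    return sorted(k for k, want in BENCHMARK[risk].items() if config.get(k) != want)

def evaluate(objects=SAMPLE_OBJECTS) -> dict:
    """Map each object path to (risk class, list of benchmark violations)."""
    result = {}
    for obj in objects:
        risk = risk_class(classify(obj["sample"]))
        result[f'{obj["bucket"]}/{obj["key"]}'] = (risk, check_config(obj["config"], risk))
    return result

if __name__ == "__main__":
    for path, (risk, violations) in evaluate().items():
        print(f"{path}: {risk} risk, violations: {violations or 'none'}")
```

The marketing bucket shows why the customer-specific rules in step 2 matter in practice: a public contact address trips the generic e-mail detector, so without a rule that whitelists such content the tool reports a high-severity misconfiguration on an intentionally public bucket.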

Sophos (or Thoma Bravo again) has bought Secureworks (main owner Dell) for ~860 million USD – a respectable multiple for a managed service provider whose revenue has shrunk by 20% compared to the previous year (to ~370 million USD), which has been unprofitable for at least 5 years and sometimes has the wrong sign on the cash flow side. There must be a lot of synergies priced in, probably on the customer side (US/UK) and in development. The press release reads as saying that Sophos will rely on the Secureworks “Taegis” XDR platform in the future. Sophos has already offered its MDR service on the basis of Microsoft Defender, a rather unusual strategy among vendors and one that expressed little confidence in the superiority of its own tech platform.

By the way, you can see from Broadcom/VMware that decisions on the product can drag on quite a bit: At it-sa, I was told that both EDR solutions Carbon Black and Symantec are still offered in parallel and that no integration or merging of the development is planned so far. Anyone who understands this is welcome to get in touch.

Crowdstrike and ZScaler have announced a deepening of their existing alliance to offer a comprehensive Zero Trust alternative to the MS Defender/Entra/Purview ecosystem from a single source. Will we see a takeover here in the future? I guess not. At the moment, ZScaler is still valued at ~20 billion USD, but Crowdstrike can also develop a lot of CASB / SASE functionality itself. And they already have the stronger brand anyway. This is also supported by the fact that a new partnership with Fortinet was published shortly afterwards. Obviously, they are keeping all options open in terms of network security and also see a future for perimeter firewalls.

What surprised me once again: Armis is now worth more than USD 4 billion (factor ~20 on sales) based on the new funding round. The VC cybersecurity game is really musical chairs, isn’t it? The main thing is to catch a chair when the music stops.

Before we continue with the usual notes from vendor briefings, a “shoutout” to a solo entrepreneur in the field of detection engineering, who is highly praised by our customers: Alex Teixeira. If you run your own SIEM and/or EDR, you may already know him – just like his buddy Kostas from DFIR Report, who compares EDR telemetry on the side (see also the screenshot attached – it’s worth taking a look from time to time, currently working on the Linux versions). Awesome Threat Detection is also a good way to delve deeper into the topic, a more comprehensive compendium is probably not possible. But now off to the notepad:

EON.IO:

  • American startup for cloud backup and recovery (i.e., for backups of cloud data sources)
  • Typical problems with Cohesity, Commvault, Veeam or Rubrik, according to EON.IO: agents have to be installed in each cloud segment, manual tagging + configuration of data is necessary, snapshots are not searchable, no recovery of individual files possible
  • No agents to install
  • Newly created resources (e.g. a database on an EC2 instance) are automatically discovered, the data is classified (e.g. PII) and linked to backup policies (e.g. frequency, object lock)
  • Backups can then even be searched with e.g. SQL queries => I had the impression that there is no longer any difference from a normal data lake
  • Currently still focusing on AWS, other cloud providers are on the roadmap
  • ISO27001 + SOC2 certified
  • Approx. 50 employees, 130 million USD funding, but almost no customers yet
  • Costs probably 20-50% less than the standard snapshot backups from AWS or Azure

D3 (Update):

  • Canadian SOAR provider (alternative to e.g. Palo Alto XSOAR or OTRS STORM)
  • Approx. 160 corporate customers, including Disney, Cummins, S&P Global, and of course many MSSPs (also some in the EU)
  • Flexible deployment on prem/hybrid/SaaS
  • Response playbooks for each individual MITRE ATT&CK TTP (the connected tools must of course be configured in each case)
  • Drag&Drop GUI for creating your own workflows
  • The secret sauce is apparently the normalization of different data models with different naming conventions
  • License costs only depend on the number of users (i.e., not on log volume, number of playbooks / integrations or similar)
  • AI assistance still in “beta”, I couldn’t look at it

Dragos (Update):

  • Many of you probably know this from the OT NIDS / ICS anomaly detection and vulnerability management market (i.e., similar to Claroty, Nozomi, Rhebo, Cisco, Omicron…)
  • In addition, there is also a strong focus on OT-specific threat intelligence, architecture consulting, emergency drills, managed detection + incident response => advantage of covering many OT security topics
  • On the basis of its own TI, individual events are grouped relatively clearly into incidents or classified as harmless, which enables good prioritization
  • In the meantime, 500 employees and > 400 customers, as usual with OT including a lot of critical infrastructure, up to NATO. Its presence in the healthcare sector is probably weaker. Reference customers in the DACH region include Deutsche Bahn and Lindt & Sprüngli
  • Architecture as usual: optional edge collectors as Docker containers on switches/routers, sensor as hardware appliance on switch with pre-analysis function and deduplication of data traffic, central engine on prem or in (possibly private) cloud
  • License model a bit unusual: Not dependent on the number of assets, but on bandwidth on the input ports
  • They are also looking for other channel partners and SOC partners who want to strengthen themselves selectively with OT expertise (also possible as a white label) => If you are interested, I will be happy to put you in touch

Horizon3 (Update):

  • “Autonomous pen tests” with harmless exploit code (similar to Pentera or AttackIQ)
  • Either targeted testing of individual vulnerabilities possible, or “exploratory” with a different automation approach than the competitors: “Most likely next step of the attacker in this context” instead of “All possible attack chains pre-programmed”
  • Based on a few examples, I had the impression that the corresponding exploit with test was available at Horizon3 no later than 2 weeks after a new critical vulnerability was announced. However, as a customer, you are not entitled to have an exploit developed for every relevant vulnerability.
  • Detailed logging of the executed actions => This allows you to check the effectiveness of EDR/NDR/SIEM etc. at least manually
  • Unfortunately, there are almost no out-of-the-box integrations with security tools (so far only Splunk), but there will be more to come
  • Identity Attack Surface: AWS or Azure Entra ID Pentests (start with normal user credentials, then test whether privilege escalation is possible). Seems to be expandable.
  • Tripwires: These are deception “decoys” (example: AWS credential file, database dumps) that are placed on exploitable assets and that trigger alarms when accessed. I hadn’t seen this in combination with a pen test tool before. A kind of interim solution until the patch.
  • Approx. 100 corporate customers in the EU, primarily corporations with their own red teams, of course. Also used a lot by MSSPs (such as EY, Deloitte) because it is multi-tenant capable and easily scalable
  • What still needs to be supplemented by manual tests: e.g. targeted scenarios in which admin credentials for SAP, firewalls or backup systems are to be captured, or tests of customer-specific web applications
  • License prices depend on the number of IP addresses. Business case is likely to work as soon as 2-3 manual pen tests per year can be replaced
  • At some point I’ll have to take a closer look at MITRE Caldera (Open Source, “Adversary Emulation Platform”). This means that even more complex pen tests are now possible semi-automatically, and obviously a community is working on constant further development. If anyone has experience => Feel free to raise your hand

As always, questions, suggestions, comments, experience reports and also opposing opinions, corrections are welcome by email. And again a big thank you to all the interviewees who had an open ear for my questions!

If you want to subscribe or unsubscribe for further market commentaries, or search our archive e.g. by provider name: Register now for market commentary – CyberCompare

Regards

Jannis Stemmann