27 January 2022 - 2021 was a pivotal year for OT security for many reasons. It was the year that raised global awareness of the real consequences of a critical infrastructure cyber breach in the U.S.: Colonial Pipeline. It was the second year of living with Covid-19, which did not dissipate as vaccines failed to keep up with persistent variants. But what must make even the perennial pessimist pause to rethink is that, in spite of the Covid-induced slowdown in OT security deployment, we saw the first OT security unicorns, with VCs not slowing but accelerating investments into the market. Whilst regulations induced by cyber incidents are further driving investor optimism in search of new unsolved gaps (e.g. supply chain security), it’s worth revisiting 3 evergreen cyber problems to understand how we got here and where we may be headed.
Telemetry gap (aka visibility gap)
The OT security unicorns found early product-market fit in leveraging threat anomaly detection to first identify OT assets, and continue to scale their total addressable market (TAM) across new verticals (e.g. Armis with IT-OT, Claroty with healthcare). Whilst this has supported higher valuations and the emergence of unicorns, customers continue to suffer alert fatigue from an avalanche of telemetry that cripples timely remediation to contain impact. The sad truth today is that few, if any, enterprises are confident that they have accurate and comprehensive telemetry to detect and respond in a timely manner to an intrusion in their OT environment. OT security offerings will need to evolve beyond visibility (you can’t protect what you can’t see) to sense-making (you can’t respond to what you can’t understand).
Technology fragmentation (aka tool sprawl)
The first challenge of OT security is often identifying who “owns” it. The logical next questions follow: who funds and operates it, and what are the intersection points between IT and OT security? This leads to duplication of security controls and vendors across both IT and OT. Add to this the timeless challenge of balancing integrated “best of suite” solutions with fragmented “best of breed” innovations. With the surge in cloud and WFH, CISOs are now tasked with adding further tooling to retrofit security. But what has not changed is the impossibility element of a CISO’s job: their teams are supposed to know today how to protect against future and unknown cyberattacks. Those frightening unknowns seed the fear of removing existing security applications, even seemingly redundant ones, and anchor tool sprawl. OT security that simplifies sprawl by generating data that measures the efficacy of a new solution offering would enable the sunsetting of old, legacy approaches. This is not new: Breach Attack Simulation vendors in IT security (e.g. SafeBreach, XM Cyber) have already started to demonstrate value on this front. Anecdotally, we are starting to see incumbents being removed when deemed irrelevant, which may seed confidence for adoption in OT.
Tangibility gap (aka ROI gap)
Organisations today struggle to understand how to measure the return or value of a dollar spent on cybersecurity, as well as how to communicate its value to internal stakeholders, such as C-suite and board members. To address this, many vendors sell competitive market benchmarks to help justify security investments. However, if an industry is not implementing the right cybersecurity programmes and is therefore spending less than its needs demand, there is no comfort in looking at its neighbours from a comparison standpoint. The deep-rooted misconception is that the most successful cybersecurity programme is one that no one notices and that enables the underlying business to function unhindered. CISOs need to align their work to business outcomes and take credit for their accomplishments. OT security vendors that structure their output, reporting and dashboards to speak to both business and technical audiences can unlock this much-needed market demand.
Putting it together
All three market gaps have a common cornerstone in solution building: the data telemetry from the interplay between internal enterprise and external threat environments that fuels the OT cyber capabilities in 1) sense-making for timely incident response, 2) breach simulation for tool efficacy, and 3) investment rationalisation on returns and resiliency. The network effect of the data and insights generated, if executed well, can eventually build a tremendous long-term moat. Perhaps this was the view of the early smart money that invested in today’s OT security unicorns to build access to some of this data telemetry. Another emerging endeavour to bridge these evergreen gaps has been the pivot of OT security pure plays in threat anomaly detection to OT Breach Attack Simulation (e.g. Otorio and Radiflow). Who knows, we may very soon be seeing the next generation of OT security unicorns from startup nation.