A year after Equifax, cybersecurity is still seeking its Holy Grail

EFX + 0.18%

143 million customers, that figure has grown to up to 148 million. Apache Struts, a popular open-source web software. As recently as Aug. 22, another vulnerability was detected in Apache Struts by Semmle software engineering analytics company.

Over the course of the past few months, MarketWatch interviews several top cybersecurity executives for the industry in the wake of the Equifax Disclosure, and the need for consolidation in the most recurring theme. See see Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Str Struts patch at Equifax – more likely.

"I think you will see consolidation," FireEye Inc.

feye, + 2.10%

Chief Executive Kevin Mandia told MarketWatch in a recent interview. "The best of breed is not sticking out as much anymore."

SailPoint Technologies Holdings Inc.

SAIL + 3.16%

CEO Mark McClain had one thing to say for CISOs having to deal with it: "Good luck."

"There are many nuanced, isolated, specialty offerings, so the word you hear is 'fragmentation':" We have a massive fragmentation challenge in the world of security, "McClain told MarketWatch. "You're hearing a lot of frustration in the buyer side."

Gearing up for cybersecurity platform wars

Security, security, identity protection, firewall, identity protection, firewall and on and on.

What is more, is a single-pane, FireEye's Mandia said.

"It's a journey and I do not think anyone else is at it yet," Mandia told MarketWatch.

In a recent post blog, Jon Oltsik, an analyst with ESG Market Research, said that 62% of businesses polled want to buy a security suite from a single vendor.

"So, we are at the onset of cybersecurity 'platform wars' where vendors compete for bigger, lucrative deals," Oltsik said.

Competing in the world, it is expected to hit $ 114.15 billion in 2018 and grow to $ 124.12 billion in 2019, according to research firm Gartner. It could cost a lot to become a competitor, though – Cisco Systems Inc.

CSCO, -0.72%

$ 2.35 billion to acquire Duo Security for identity management, which adds to its $ 2.7 billion purchase from Sourcefire in 2013 and $ 635 million acquisition of OpenDNS in 2015, among others.

FireEye's Mandia told MarketWatch, that of all security vendors, Cisco has been providing an "envelope" platform.

Gee Rittenhouse, the general manager of Cisco's security business, said MarketWatch that delays in security-incident detection and complexity due to juggling multiple vendors cobbled together to form a coherent cyberdefense is driving consolidation. Rittenhouse said 20% of customers polled by Cisco in 2016 said they were using 10 to 20 vendors for their cybersecurity systems. Today, about 25% of customers are said to be 20 to 50 vendors.

"When you have multiple vendors built into your systems," says Rittenhouse, "it is a matter of fact.

"It's just becoming harder to deal with the complexity of adding in all these elements," Rittenhouse said. "And before you know it you just do not have enough staff to operate the gear that you have."

An eat or be-eaten business

International Business Machines Corp.

IBM, -0.63%

is another deep-pocketed Dow Jones Industrial Average

DJIA, -0.54%

which is grooming itself as a security player as it tries to move away from its legacy mainframe business toward services. In its most recent quarterly earnings, IBM reported that revenue surged 79% from a year ago to $ 1 billion, its fastest-growing segment, but one that accounted for only 5% of IBM's sales for the quarter.

For startups and younger customers, the marketplace is one of the largest markets in the world. All these companies want to be Salesforce.com Inc.

CRM + 0.65%

Gold Workday Inc.

WDAY, + 0.40%

of cybersecurity, a purely cloud-based and engineered software-as-a-service approach that uses add-on widgets for upgrades and system flexibility.

Both Salesforce and Workday were cited by Zscaler Inc.

ZS + 8.67%

Chief Executive Jay Chaudhry and CrowdStrike Inc. Chief Executive George Kurtz as the future of enterprise cybersecurity needs to be. Not surprisingly, both CEOs extol their products as cloud-native approaches as opposed to legacy, moat-based applications retrofitted for the cloud.

Zscaler's Chaudhry said the need for security has become a reality for the first time, and that makes it a very difficult task.

"There's so much noise out there, overfunding of security companies," Chaudhry told MarketWatch. "How many products does an enterprise really want? There's too much stuff going on. I think some of this stuff has to get cleared up. There's no room for these companies out there. "

Speaking of funding, privately-held CrowdStrike has been a big beneficiary of it. With $ 481 million raised, $ 200 million in June, CrowdStrike stands at $ 3 billion, according to the company's CEO.

"Everybody talks about a platform, not everybody has it," Kurtz told MarketWatch. "You have to have that cloud-native architecture to be a true SaaS platform, so you look at the investors who came in at $ 3 trillion plus, they're expecting a return on that."

At the same time, CrowdStrike does not appear to be grooming itself as an acquisition target. Kurtz said CrowdStrike is currently at a size that they could go public at any time.

"We can go out today if we wanted to go out," Kurtz said in late July. "This is not years out."

If CrowdStrike were to go public this year, the company would join cybersecurity companies like Zscaler, Carbon Black Inc.

CBLK, -1.54%

and Tenable Holdings Ltd.

NBPT, + 0.19%

that have IPOed in 2018.

ETFMG Prime Cyber ​​Security ETF Investors seem to be pricing in the potential for acquisitions

HACK, + 0.80%

has gained 36% in the past 12 months, while the First Trust NASDAQ Cybersecurity ETF

CIBR, + 0.18%

has risen 33%, compared with a 17% advance in the S & P 500 index

SPX, -0.35%

and a 26% rise in the tech-heavy Nasdaq Composite

COMP -0.13%

How to stop that 0.1% threat?

Of course, even consolidation is not going to stop the next Equifax, executives said, as data systems can be vulnerable even if everything is being done correctly.

"If you stop 99.9% of something, it's a big enough number, 0.1% is still a lot," SailPoint's McClain said.

"In some cases I think the industry is starting to get a little bit in all these breaches," CrowdStrike's Kurtz said. "In general, I think it's a fact that the technologies that people are buying, this defense-in-depth kind of approach, are failing because people are still getting breached."

FireEye's Mandia painted the struggle against a persistent hacker.

"One person has infinite scale on offense on the internet, can create work for [and] it's literally impact every freaking organization on the planet, "Mandia said.

"That asymmetry between offense and defense is more than I can explain," the FireEye CEO continued. "It's almost like the size of the universe, nobody gets it. The one good hacker is infinitely scalable and every nation we're up against has that guy. "

Mandia, whose company worked with Equifax following the hack and threats of state-sponsored hacking threats like Iran, urged that people need to start beating up the perpetrators rather than the victims of hacking.

"I think we have to step back and start recognizing some of these breaches are done by professionals that if they can go unimpeded with no risk or repercussion, we better start treating the victims because we're setting a bar that's unreasonable," Mandia , who declined to discuss Equifax specifically in his interview, said. "We're beating them up for something that actually the government can not stop."

Some even used the Equifax hack as a marketing tool. Back in October, Oracle Corp.

ORCL, -0.17%

Chairman Larry Ellison chided Equifax for not updating their security patches in a timely manner and claimed his new automated cloud security product would be able to protect against such a breach.

When all is said and done, it is the weakest link, and for most organizations, that weakest link is people, such as the employee who clicks on that legitimate-looking email link.

In the meantime, for cybersecurity companies that are looking to grow through acquisitions, the price of growth is becoming significantly higher over the past year.