- Barracuda acquiring PhishLine
- Microsoft adding limited phishing simulation to Office 365
- Yesterday’s announcement by Proofpoint of their intent to acquire Wombat Security Technologies
- Rapid7’s addition of a new simulated phishing testing product, and a few other rumblings that I'm catching wind of from other vendors.
As a former Gartner analyst who has been tracking this market for several years, I’ve received a number of questions about my reaction to this current market dynamic.
My response is: we’ve been expecting this type of thing for a while now.
The Security Awareness Computer-based training and simulated phishing market has been experiencing tremendous growth over the past few years. That growth was brought about by a perfect storm of conditions: the steady drip of security breaches traced to human error, the rise of business email compromise, the ransomware epidemic, and widespread and pervasive cybersecurity-related regulation that includes security awareness and training as a fundamental requirement.
In short: the security industry reached a crisis-point due to an over-reliance on technology to provide protection while neglecting the human element; and now the security industry is self-correcting by embracing awareness, training, and behavior management strategies.
So, what does this current dynamic mean for prospective customers in this market? Here’s my take in four points:
1: Acquisitions always inject a bit of uncertainty into things
On the acquisition front, there is a lot of ‘dust settling’ that has to be done. Acquisitions always inject a bit of uncertainty into things, even with the best of companies and combinations. With situations such as the Barracuda acquisition of PhishLine and Proofpoint's intent to acquire Wombat, there will be some uncertainty regarding roadmaps, technology reconciliation, corporate efficiency imperatives (e.g. potential reduction of employees to manage cost and reduce redundant functions), questions regarding potential technology integration timelines, and so on. We’ve seen situations like these go really well for the companies involved… and we’ve seen things not work out so well. We’ll have to wait and see… but, if you are evaluating a vendor who is being acquired, it is imperative that you get all vendor promises in writing. Don’t purchase based on something that might happen in the future; only purchase based on what exists right now and if the current version of the product meets your requirements.
2: Vendors trying to pivot the conversation back to a technology discussion
Be wary of traditional security technology vendors that offer free or cut-rate phishing simulation tools. Examples here include Rapid7’s new InsightPhish tool and TrendMicro’s PhishInsight tool -- nice naming guys. J The reason I give this warning is that most traditional security vendors are really trying to pivot the conversation back to a technology discussion. In other words, they are using the phishing attack vector to highlight the need to buy their tool… so it is about the cross-sell of up-sell rather than being about strengthening your human firewall. Additionally, the phishing simulation tools from these vendors are feature-stripped compared to those offered by Security Awareness Computer-based training vendors.
3: Content must be continually updated and kept current
Even Microsoft’s entry into this with their addition of simulated attack capabilities into O365 – while something to be applauded – is not without potential drawbacks. Making simulated phishing one more feature of 0365 can result in the feature not measuring-up to the offerings provided by market leaders. Additionally, we’ve yet to see how well they keep-up with adding new templates, just-in-time learning landing pages, and so on. Simulated phishing and security awareness related content must be continually updated and kept current, or it becomes stale and irrelevant. We don’t yet know if Microsoft has dedicated the necessary resources – or build the right ecosystem – to make that happen.
4: Be wary if there is no real mention of training and awareness as a goal
The trend with many of the newcomers to our space is to use phishing susceptibility as a way of showing the human problem so that they can then try to solve it via their preexisting technology rather than really innovate around shaping behavior. As such, we need to evaluate the new moves into this market based on the outcomes that the vendors are promising to their prospective clients. If you are evaluating new entrants to this market, be wary if there is no real mention of training and awareness as a goal or key aspect of the product. If not, then the features/functionality are likely focused on baselining and simply understanding your human-centric vulnerabilities without a path to remediation and behavior change.
I’m excited to see the simulated phishing market reach a critical mass where it is being embraced by the security technology market. It will be interesting to see how the dust settles over the next year or so. In the meantime, it is important that we don’t allow the noise and consolidation in this market to become a distraction from the main mission: to help employees make smarter security decisions, everyday.