This year, I have been fascinated by two books about the near future and how entrepreneurs should think about market opportunities. “Abundance” by Peter Diamandis and Steven Kotler, and “Exponential Organizations” by Salim Ismail, Mike Malone, and Yuri van Geest, offer impressive insights into how certain technologies, by virtue of their exponential growth, rapidly evolve into a state of abundance.
While the authors focus their attention on such areas as energy generation, communications networks, education delivery and healthcare distribution, I believe there is a strong parallel taking place today in the cybersecurity space. And, within the next decade, the exponential growth of cybersecurity solutions–like the other technologies that are the focus of these books–will transition from a scarce commodity to abundance, resulting in a re-architecture of the cybersecurity competitive landscape and a re-imagination of cybersecurity approaches by enterprises.
By now, we’ve all become familiar with Moore’s Law and its central tenet of the doubling of computer power every 18 months. And in their books, the authors discuss the exponential technologies concept and how it applies to a wide range of technologies in both performance advances and cost reductions. In fact, it was this focus on exponential technologies that led Diamandis and famous futurist Ray Kurzweil to found Singularity University a decade ago to “educate, inspire, and empower leaders to apply exponential technologies to address humanity’s grand challenges.” They then hired Ismail to be the school’s executive director and global ambassador. Diamandis published “Abundance” in order to explain the abundance concept to the world, and Ismail published “Exponential Organizations” to explain how modern business could take advantage of these exponential technologies and build leaner and more efficient companies in an abundant world.
Abundance is this radical idea that exponential technologies will flip our mindset about scarcity. For example, we all think about oil as a scarce resource because it is hard to get oil out of the ground. Oil companies make money by selling that scarcity because the typical consumer does not have the means to do it themselves. But in an abundant future described in these two books, the cost of solar power and the exponential technologies that drive it might become so cheap and so powerful that energy becomes essentially free for every person on the planet. That seems hard to believe when you say it out loud like that, but in both books, the authors track the cost and power of those exponential technologies, not just in energy but also across other similar technologies over the past 25-plus years.
Although cybersecurity was not one of the grand challenges mentioned in the books–which were published earlier this decade–I believe that cybersecurity is right at the beginning of exponentiation and nobody has noticed it yet. Let me explain.
Diamandis and Ismail talk about the Six Ds of Exponentiation, a maturity model to gauge where each exponential technology is in relation to becoming abundant. And we can take a lesson from the development of the solar energy industry and apply it to what I think is happening, and will continue to happen, in cybersecurity.
Digitization: Once a technology becomes digitized, it is easy to access, share, and distribute. Solar went digital about 25 years ago, meaning that all of the data collected from the solar panels and all of the devices it takes to manage them have been put online. Before the technology went digital, maintenance and repairs were all manual. But with the data online, solar farms can now remotely monitor and maintain their systems, and some are even using machine learning algorithms to anticipate problems automatically. In the early days of the cybersecurity space, vendors sold network defenders a hardware appliance to perform one or more blocking functions down the intrusion kill chain. Today, though, many vendors have already started to collect their customer data and process it in the cloud. They are starting to transform themselves from hardware manufacturers into Software as a Service (SaaS) companies where they deliver security services from the cloud. But this is just the beginning. Two years ago, Palo Alto Networks launched its security app store, called the Application Framework, and other vendors will likely do the same. The app store will deliver security services from many vendors but will use the already deployed Palo Alto Networks infrastructure to make enforcement decisions. This is the same model as the Apple App Store and the Google Play webstore. Many disparate commercial vendors make apps designed to run on the underlying phone. That is exactly what is just starting to happen in the cybersecurity space.
Deception: After digitization, growth becomes deceptively small until the numbers break the whole-number barrier. For instance, if the speed of your exponential technology grows from .034 to .068, most will not notice. But once it grows to 1.088, that is crossing the whole-number barrier. When it doubles ten more times, it becomes a very big number. The point to note is that the growth is not linear, but exponential.
Disruption: After the whole-number barrier is broken, the existing market is disrupted by the new market’s effectiveness and cost. In the energy business, pundits call this the Utility Death Spiral, as many utility companies have banded together to lobby against the proliferation of solar. When this happens in the cybersecurity industry, the disruption will impact vendors that have single-solution hardware appliances and point products. They will not be able to compete with vendors that deliver their services from the cloud. In 10 years, stand-alone hardware security products will be replaced as the dominant cybersecurity deployment method by a shared, cloud-based platform.
Demonetization: A core tenet of both books is that exponential technologies become dramatically cheaper to purchase, deploy and utilize. In 1998, residential solar power installation cost was $12 per watt, but by 2015, it was cut by two-thirds. In the cybersecurity space, once vendors can deliver point-product solutions as SaaS services from the cloud, the cost of hardware, maintenance, and training for each product goes to practically zero. All the security apps run over existing infrastructure. Yes, you will pay for the maintenance and training of the initial infrastructure, but you don’t have to pay those costs across multiple point products.
Dematerialization: In this phase, physical products are removed. In energy, as more people move to solar power, oil company refineries will start to vanish. The reliance on utility companies to distribute power will disappear as well, replaced by the individual homeowner’s ability to generate and store their own power. In the cybersecurity space, hardware-based point products will surely start to disappear; in fact, it is happening already.
Democratization: Once the first five Ds happen, the price for purchasing and deploying technology becomes so cheap that anybody can have it. The energy sector’s prime resource is flipping from being scarce to being abundant. The trick for the energy sector is one of business model: How does an energy supplier generate revenue when the formerly scarce resource becomes abundant? In the cybersecurity space, open-source/cloud-delivered security applications will emerge in much the same way as point-product open source projects happen today, such as Bro IDS, Nmap, and Metasploit. The tools will become free, the data will become the valuable part of the equation, and everything will run on the underlying cybersecurity platform.
Diamandis and Ismail make a strong case that exponential technologies will help solve some of the world’s grandest challenges. They didn’t include cybersecurity in their set but it is clear to me that cybersecurity is entering the early stages of becoming an exponential–and eventually, abundant–technology. And like Diamandis’ and Ismail’s grand challenges, I expect cybersecurity to move through those six Ds fairly quickly–most likely in 10 years, the same timeframe that solar energy has experienced.
At the end of the Six D journey, entry-level software applications that enforce the prevention and detection services delivered from the cloud will be so low cost, they might as well be free. Cybersecurity tools will flip from being scarce in terms of being expensive to buy, deploy, and maintain to being abundant in terms of simply downloading and running a security tool from the app store in the same manner that you do with your iPhone today.
Rick Howard is Chief Security Officer at Palo Alto Networks.