Tan Xiaosheng: Business and Innovation in China’s Cybersecurity

“In an ideal world, the value of cybersecurity depends on the value of the assets being protected. During digital transformation, data becomes an asset with near-infinite value, but in reality the logic of the market is not like that.”

“There is a cost for the user layer to protect network security. In the event of an accident, he has a loss. There is a consideration between the cost and the loss. This consideration is his responsibility.”

“What stages will a network security company go through when it develops? The typical four stages are point-line-surface-body.”

“How big is the market size of the network security industry? We believe that the scientific statistical dimension is from the perspective of user budget. If we look at the cost of users, Guangdong, Zhejiang, Beijing, Jiangsu, and Fujian have the largest investment in network security in five economically developed regions. .”

——Tan Xiaosheng

On the afternoon of July 27th, Tan Xiaosheng, Chairman of Beijing Cyber ​​Yingjie Technology Co., Ltd. and former 360 Technology President, delivered a keynote speech on “Business and Innovation in China’s Cyber ​​Security” at the 9th ISC2021 Internet Security Conference.

　　Full text of the speech

First of all, I am very happy to be back on the ISC stage after a lapse of two years, and I am here to report to you what I have been doing in the past two years.

First, Zhengqi College (renamed as “Zhengqi Security Entrepreneurship Camp” in the future) will provide training for cybersecurity entrepreneurs; secondly, I have acquired the cybersecurity industry research institute Shushuo Security. I believe many of you have subscribed to Shushuo Security. Official account; thirdly, I started to make some investments in network security. I hope to form a small closed loop of industrial research, entrepreneurial training and investment. Today, I will share with you some of the research results of the past two years.

As we all know, the recent period of time may be the best period for China’s cybersecurity industry in more than 20 years. In the last month, I heard that many friends have successfully raised funds or are in the process of raising funds. How much has the company’s valuation increased? How much has the performance improved in half a year?

Last week, I attended two conferences held by students from Zhengqi College, one was the first DevSecOps conference of Hangjing Security, and the other was the conference of Xinglan Technology API Security. We can see that there are more and more new terms in network security. , but from the perspective of industry research, we need to find out the laws behind this.

The structure and development law of network security industry

What stage is China’s cybersecurity industry in now? The answer is in the process of changing from a two-dimensional industrial structure to a multi-dimensional industrial structure. The two-dimensional structure means that in the past ten years, network security has been divided into six basic security areas, including terminal security, network security, application security, identity and access management, physical security, and data security; plus security solutions Ten network security services including integration, security operation and maintenance, risk assessment, penetration testing, emergency response, red and blue confrontation, offensive and defensive training/shooting range, training certification, and security awareness education. The six major network security fields and the ten major network security services are eventually applied in various fields such as education, telecommunications, and government, forming an N×M matrix, which is a two-dimensional ecology.

Today, there have been several scenarios of cloud computing, big data, Internet of Things, mobile Internet, industrial Internet, artificial intelligence, etc., and the changes in the international situation have put Xinchuang on the agenda. more dimensions, even more than three. It can be seen that in the network security industry, various products are more and more subdivided. In this year’s digital security market panorama, the network security market has been divided into 13 major categories and 81 subcategories, and it is expected that there will be more classifications in the future.

Types and Development Laws of Cybersecurity Enterprises

What stages does a cybersecurity company go through? The typical four stages are “point-line-surface-body”.

a little. A network security start-up company is often produced by the founder relying on a certain technology or understanding of a certain problem to make a security product. This product may allow him to obtain a small tens of millions of sales revenue. This is a point-like company. . For example, Zero Trust has been very popular in the past two years. Start-up companies such as Yi Allianz and Shupeng have seized this opportunity and achieved tens of millions of income.

Second, the line. What should Dot-like companies do if they want to continue to develop and gain greater sales revenue? They are going to expand the product line. For example, Yuanjiang Shengbang did WAF in the early days, OEM for big manufacturers, then scanners, and now it is doing cyberspace asset surveying and mapping. It is a typical “point” to “line”, and now it is moving from “line” to “line” “Face” expansion. When a company goes from point to line, it can often achieve tens of millions or even hundreds of millions of sales revenue.

Three sides. If the company wants to go to the face, it needs to move from a product line to solve the problems of a certain type of users. For example, Zhongan Nebula and Meichuang, which are in the field of data security, are trying to gradually expand from the product “line” to the “surface”.

Fourth, the body. After a company reaches the “face”, it will often have several hundred million in sales revenue at this time. At this time, he has to go to a more difficult stage, from “face” to “body”. Qiming, NSFOCUS, Tianrongxin, and Qi Anxin are “body” companies. They often have a lot of products and services, which can cover users in multiple fields. The sales revenue of such companies in all fields and scenarios can be achieved. billions or more. However, the leap from face to body is very difficult. The only successful company in the past few years is Anheng, and the next step is AsiaInfo.

A company’s development stage, from point-line-surface-body, every step is life and death, and every step is a success in N companies.

The value of cybersecurity

The cyberspace market has always had the phenomenon of “two layers of ice and fire”. Industry people feel that it is quite bitter, but outsiders, especially some investors who are not familiar with this field, think this market is simply too good. Everyone can see that the general secretary also In high regard: “There is no national security without cybersecurity”.

In fact, looking at the market of network security calmly, there will be such a deviation. (Figure 1) This is the market space everyone imagines in the upper right corner. In imagination, the value of network security depends on the value of the protected assets. During digital transformation, data has become an asset, and its value is almost unlimited, but In fact, the logic of the market is not like this.

First of all, there is a cost for the user layer to protect network security. If an accident occurs, he will suffer a loss. There is a consideration between the cost and the loss, and this consideration is the responsibility to be assumed.

In the early years, there were many problems of data loss, and the losses after data leakage were also very heavy. I have encountered many such customer cases in 360 before. Now that the “Data Security Law” has been promulgated, if data loss is caused, it may have to bear a fine of tens of millions. At this time, users will be more willing to invest in security. A series of laws and regulations such as “Cyber ​​Security Law”, “Data Security Law”, “Personal Privacy Protection Law” will promote the network security market, so the actual market space is gradually moving towards the market space imagined in the upper right corner.

Network security itself has both commercial and military attributes. In the past period of time, the commercial attributes have played relatively well, and it is a relatively free competition market, and users will balance between input and output. However, with the changes in the international situation, the military attributes are becoming more and more important. Under the dominance of military attributes, users will invest more in security in order to obtain higher security. Compared with commercial attributes, it will appear regardless of the cost. This sounds like good news for the network security industry. But on another level, in the state of strong military industry, state-owned monopoly may become more serious. In the past two years, more and more security companies have actively accepted investment from state-owned enterprises, trying to put a red hat on themselves.

Cybersecurity Innovation

The theme of this conference is that network security needs new tactics and new frameworks. To sum up, innovation is needed. What is innovation? Invention is not necessarily innovation, and entrepreneurship is not necessarily innovation. Creating new value for customers, turning unmet and potential needs into opportunities, and creating new things that satisfy users is called innovation.

Network security innovation can be roughly divided into two categories: one is to solve a problem that has not been solved. This kind of innovation is often iterative innovation, and what changes is the stock market. For example, vulnerability management is a problem that has not been solved very well. We can tell users to patch when they find a vulnerability, but the reality is that it is impossible to find all the vulnerabilities. The patch cannot be installed in the scenario. Vulcan, one of the top 10 innovation sandboxes at last year’s RSA Conference, is engaged in intelligent vulnerability management, and provides vulnerability repair and mitigation strategies through community-based operations.

The second kind of innovation is to solve an unsolved problem. We call it breakthrough innovation. For example, in the fields of intelligent networked vehicle security, industrial Internet security, and data security, there are a lot of breakthrough innovation opportunities. Another example is homomorphic computing, secure multi-party computing, and federated computing, which are trying to solve the contradiction between privacy protection and the convenience and efficiency brought by big data.

We divide the problem into new problems and old problems, and divide the methods of solving problems into new methods and old methods, forming a 2×2 matrix. New problems are solved with old methods. For example, in industrial control scenarios, we use industrial control firewalls, industrial control IPS, and IDS to solve industrial control security problems. This is to solve new problems with old methods. Using artificial intelligence and big data technology to solve some problems in the industrial Internet belongs to solving new problems with new methods. Using artificial intelligence and big data to solve intrusion detection problems belongs to solving old problems with new methods. From the market analysis, we can see that the IPS and IDS market is shrinking and the number of suppliers is decreasing, but the new NTA equipment and advanced threat detection equipment based on big data and artificial intelligence have risen very fast in the past two years. fast.

We give it a total of six categories:

1. Policy-driven innovation. In the past few years, the market has been driven by a large number of policies and regulations. The government has issued various laws and regulations, forcing governments at all levels, large state-owned enterprises, and private enterprises to comply with regulations. Why can such things as firewalls sell so much? Because It is listed as an essential product in compliance. In recent years, the promotion of compliance to the market is still the first driving force.

2. Scenario-driven innovation. For example, new applications generated by new user scenarios such as today’s cloud computing, big data, and the Internet of Things are also the driving force for innovation.

3. Business-driven innovation. Changes in business forms such as Internet fraud, cybercrime, and car networking security will also drive innovation.

4. Innovation of safety concept. For example, innovations brought by new offensive and defensive ideas such as Zero Trust, DevSecOps, and ATT&CK will transform a number of network security products or solutions.

5. Technological innovation. For example, the use of big data, artificial intelligence and other technologies to solve the problem of enterprise security will bring about innovations in upgrading and transformation of products in the entire industrial chain.

6. Model innovation. It mainly refers to changes in service models. From the annual reports of Sangfor, Qiming, NSFOCUS, and Tianrongxin, it can be seen that their network security services are all strengthened. I understand that there are companies with very small revenue scales such as cybersecurity managed services, MDR (managed services for detection and response), etc., but they are doing very well with gross margins. At present, network security talents are scarce, so obtaining the corresponding security capabilities through cloud-based security services is a very cost-effective thing that can meet the needs of users… Innovations brought about by security as a service, security operations, and security insurance, It is also an important part of industrial innovation.

Network Security Market Situation Analysis

Network security market data analysis is a service currently being done by Shushuo Security. We analyzed the data of millions of projects in the network security industry from 2016 to the present, and obtained some analysis conclusions, including where customers are and what customers generate. What is the order quantity. The number of customer orders generated by Beijing is the largest, and the number of customers in the southeast coast is the largest (this is directly related to economic development). In the past two years, the Central Region and the Western Region have been on the rise, which is what we can see from the data.

In terms of the number of transactions, the network security market has steadily increased in the past three years, and the trend has been steadily improving. We tracked that the network security orders in the first half of this year were very good. Except for a little less orders in May and June, the number of orders from January to April was much higher than in previous years.

The size of the network security market has always been a mystery, and the statistical results from different dimensions are different. We believe that the scientific statistical dimension is from the perspective of user budget. If we look at the cost of users, the five categories of Guangdong, Zhejiang, Beijing, Jiangsu, and Fujian are Regions with relatively developed economies invest the most in network security. Looking down at Shandong, Henan, Sichuan, Anhui, and Guangxi, the central and southwestern regions are relatively good. In terms of cities, Beishangguang is firmly in the first camp. Here, we can also see that Suzhou has a relatively developed economy, and the investment in network security is also very good.

The construction of network security has quarterly characteristics. The first quarter, especially February, has the lowest sales revenue, and everyone is busy with the New Year; National Day is also relatively low in October, but the overall trend is that it is steadily increasing every quarter. It shows that it is more than ten percent in the first quarter, more than 20 percent in the second quarter, and more than 30 percent in the third and fourth quarter. This is also in line with our experience. Everyone is in the network security industry. , Every year is the busiest at the end of the year, and December 31st is definitely the busiest day of the year.

From the hot words in the network market in 2020, we can see that in addition to the common words of “information security” and “network security”, “level protection”, “equal protection”, “level protection evaluation”, “equal protection evaluation” A few words are in the first camp. As of today, the wait-and-see evaluation has become a good starting point for the governance of the network security industry. In addition, the popularity of “security service” is similar to that of “waiting for guarantee evaluation”, indicating that security services have begun to be recognized by users, and they have also been verified from customer budgets, because this hot word is extracted from various bidding data. It shows that customer acceptance is supported by a budget behind it.

It’s a little surprising that “data security” is actually not very conspicuous in it. From the data of 2020, the actual orders of data security are not well reflected. Things related to “threat situational awareness” are the security monitoring and early warning platform, industrial information security situational awareness, etc., which have been well recognized; and the industrial Internet, industrial information situation, etc. are also relatively prominent positions, indicating that its rising speed is very fast. Quick, this picture refers to the area with a relatively large amount of rising. Data encryption, data management and control platforms, etc. are also areas that are rising rapidly.

The above is what I have reported to you in the past two years. I hope to provide some help for the development of the industry. Thank you!