Are cybersecurity companies motivated to solve for evolving threats?

One of the real problems with solving for this is the same one that affects industries that pollute: assessed from an insurance standpoint, it costs 10x in real risk/reward to fix the pollutant I'm pumping into the river than it does to potentially pay the fine if I get found out. Given the $5 million ransom for that pipeline company, do you know how much it would cost them to put in all the security they needed to make sure that that never happened—based on today's models—over the period of time where the risk might occur?

On a five-year scale, they'll spend a lot more than $5 million. They would probably spend more than that on software alone for an organization that big, let alone additional people and training, plus the impact on operations and so on. So that in and of itself is a problem: the attack surface is so distributed, that the individual pain points aren't enough to cause change. It only sounds bad when you look at the aggregate of the fact that ransomware thieves are taking in tens of billions of dollars a year. Then it looks really bad.

If somebody had a magic lamp to end war and grant world peace forever, they would be sniped out before they could use it because there are so many incentives on the ironmongers to maintain global conflict. Cyber conflict is very similar in the sense that there's a lot of money to be made, there are people who are incentivized to do it.