The cybersecurity market is failing because the technology isn’t as effective as it needs to be.
“The cybersecurity industry, whose job is to protect its customers from […] attacks, looks increasingly ineffective” noted The Economist in its cover story of 25 June 2021, a report prompted by what some have referred to as an epidemic of ransomware and other security breaches in 2020 and 2021. This recent spate of strategically harmful espionage operations and business-disrupting criminal attacks has shown both the inadequacy of cyber defences and the increasingly awful consequences for governments, businesses and societies.
The Economist’s diagnosis of long-standing problems in the cybersecurity industry drew heavily on Debate Security’s 2020 report into the efficacy of cybersecurity technology, written by a group of experts led by Joseph Hubback (now of Istari, UK). Based on an unprecedented series of interviews with cybersecurity vendors and their buyers, the report provided ample evidence that cybersecurity is the new “market for lemons”. The phrase comes from the famous 1970s paper by the economist George Akerlof, which demonstrated that good sellers of second-hand cars were being driven out of the market because they couldn’t prove the quality and cost-effectiveness of their products.
So it is becoming with cybersecurity, a huge global industry with many examples of technical and operational brilliance. But this is a problem of microeconomics, not one of technology or innovation. Hardly any of the Chief Information Security Officers (CISOs) – the buyers – interviewed said they knew how to assess the effectiveness of what was on offer.
The research has identified a broken market, so what can be done? The next step is to catalyse action to address this market failing and raise the bar for cybersecurity technology. The SAFER Cybersecurity Buyer’s Charter, authored by Ciaran Martin and Joe Hubback, details a framework of activities designed to drive this change, based on the following principles:
Symmetry of information between buyer and vendor
Assessment frameworks and practices
Freedom of entry and innovation in the market
Efficacy-based Assurance
Risk-based decision making
Cybersecurity Technology Efficacy: The Research
Based on over 100 comprehensive interviews with business and cybersecurity leaders from large enterprises, together with vendors, assessment organizations, government agencies, industry associations and regulators, Debate Security’s research shines a light on why technology vendors are not incentivized to deliver products that are more effective at reducing cyber risk.
The report supports the view that efficacy problems in the cybersecurity market are primarily due to economic issues, not technological ones, and addresses three key themes to ultimately arrive at a consensus for how to approach a new model.