By objective measures, enterprises just aren’t getting their money’s worth out of their cybersecurity spending. In a fast-paced economic and cyber threat landscape, organizations often buy new technology solutions without being able to fully assess their efficacy and then are forced to move on to new issues and problems before they can make the tools they already have fully effective. In the worst cases, the result is a merry-go-round of spending on unproven technologies that don’t address the problem as effectively as they could.
For example, cyber technology and services company Sygnia, which has completed hundreds of cybersecurity improvement engagements with clients, calculated that many of their improvement actions relate to optimization of the current technology stack because it isn’t being used effectively.
Organizations need a new model for acquiring cybersecurity tools based on the true efficacy — rather than the vendor promises. Efficacy is defined as the combination of the capability of a product (does it deliver the security mission?), practicality (is it fit for use?), quality (of the security build and architecture) and provenance (of the vendor and supply chain). This starts with buyers gaining visibility into available technologies and basing their purchasing decisions on detailed assessments of how well those technologies do what they’re supposed to do.
As detailed in a research report by Debate Security, the current market model has turned cybersecurity into a “market for lemons,” in which buyers are sold ineffective products because they can’t properly differentiate the better from the worse. The report participants identified a new model that could change that by better informing buyers and delivering resultant benefits.
The problem isn’t one of technology — billions are invested every year on technology. It is one of market economics. The economic problem results from an information asymmetry between buyers and sellers. Security vendors are under pressure to bring new technologies to market as quickly as possible to try to gain or maintain traction — even if those products aren’t fully effective. Buyers likewise are under pressure from their boardrooms or regulators to meet their risk compliance standards, so sometimes the easiest thing to do is buy what everyone else has. In the process, the majority of buyers don’t get to fully assess technologies before purchasing them.
Benefits of focusing on efficacy
A new cybersecurity market model that achieves greater transparency on efficacy would deliver five essential benefits:
- More effective cybersecurity. Demanding transparency on a product’s actual capabilities gives vendors a real incentive to invest more in efficacy. Users expect capabilities to match claims, practical features in areas such as integration and operation, and fewer vulnerabilities caused by quality deficiencies.
- More meaningful technology evaluations. Establishing a common view on efficacy will make it easier to evaluate technologies in operation, enabling enterprises to identify vulnerabilities and increase resilience.
- Better ability to set risk appetite. Having greater clarity on the strength of technical defenses will enable enterprises to better define the risk they’re willing to accept in operational, cyber and enterprise terms.
- Better differentiation of security toward priority areas. In addition to setting risk appetite, a better understanding of products’ efficacy enables an enterprise to use the most effective of them, which may be more expensive and difficult to manage, on the organization’s “crown jewels,” thereby protecting its most important assets.
- Better correlation between spend and efficacy. Better visibility and a clear understanding of product capability enable enterprises to make better informed tradeoffs when deciding what they can afford. It may not provide an absolute ROI calculation, but it will help organizations make their own risk-based decisions.
Implementing a new market model
The concept of a minimum viable product — in which products are released early so the market can determine their development — is being played out in cybersecurity. But it’s failing in this case because customers don’t get the chance to properly assess the efficacy of those products, which would help drive their improvement. The technology for better security exists — customers can buy more secure solutions. But the current model and the way today’s market operates too often prevent buyers from finding them.
A new, better model would be based on better understanding of technology efficacy, using detailed assessments. Assessments require transparency and compliance from vendors, but in a new model, vendors would benefit as well since the stronger technologies would be more evident. Security vendors would need to submit their solutions for assessment to an independent organization with full transparency, requiring real trust between the parties.
Aside from protecting the buyers, a new model would also need to protect vendors; it would be equally important to ensure that vendors are protected from any potential loss or compromise of intellectual property.
The new model proposed by the research participants is a starting point for discussion; it is complex and will take time to implement. It is not intended as a finished product. But it is clear that organizations in the market for more effective security products — whether private or public sector — could start forcing the issue by focusing on technology efficacy, knowing how well a product or service will perform before they buy. A new model based on efficacy will lead to better products, better security or more wisely spent cybersecurity dollars.
About the author
Joe Hubback has a broad background, including serving as a partner at McKinsey, where he co-led the creation of its cybersecurity service line, as a published independent cybersecurity analyst and also in corporate leadership as managing director for Northwest Europe at Keller running a full profit and loss. He started his career in the industrial sector as an engineer designing and installing electronic control and robotics systems.