Consistent with Akerlof’s classic Nobel prize-winning definition of a “market for lemons”, investigative study details the broken economic model of the $60B cybersecurity technology market
LONDON--(BUSINESS WIRE)--Debate Security, an independent organization that brings together industry experts to debate how the cyber market can be improved, today revealed research that suggests a failing cybersecurity market is contributing to ineffective performance of cybersecurity technology. Based on over 100 comprehensive interviews with business and cybersecurity leaders from large enterprises, together with vendors, assessment organizations, government agencies, industry associations and regulators, Debate Security’s research shines a light on why technology vendors are not incentivized to deliver products that are more effective at reducing cyber risk.
The report, Cybersecurity Technology Efficacy: Is Cybersecurity The New “Market for Lemons”?, supports the view that efficacy problems in the cybersecurity market are primarily due to economic issues, not technological ones. The research addresses three key themes and ultimately arrives at a consensus for how to approach a new model:
Cybersecurity is failing because the technology is not as effective as it needs to be.
90% of participants reported that cybersecurity technology is not as effective as it should be when it comes to protecting organizations from cyber risk. Trust in technology to deliver on its promises is low, and yet when asked how organizations evaluate cybersecurity technology efficacy and performance, there was not a single common definition. Pressure has been placed on improving people and process related issues, but ineffective technology has become accepted as normal - and shamefully - inevitable.
The underlying problem is one of economics, not technology.
92% of participants reported that there is a breakdown in the market relationship between buyers and vendors, with many seeing deep-seated information asymmetries. Outside government, few buyers today use detailed, independent cybersecurity efficacy assessment as part of their cybersecurity procurement process, and not even the largest organizations reported having the resources to conduct all the assessments themselves. As a result, vendors are incentivized to focus on other product features, and on marketing, deprioritizing cybersecurity technology efficacy – one of several classic signs of a “market for lemons”.
Unless buyers demand greater efficacy, regulation may be the only way to address the issue.
Overcoming first-mover disadvantages will be critical to fixing the broken cybersecurity technology market. Many research participants believe that coordinated action between all stakeholders can only be achieved through regulation – though some hold out hope that coordination could be achieved through sectoral associations. In either case, 70% of respondents feel that independent, transparent assessment of technology would help solve the market breakdown. Setting standards on technology assessment rather than on technology itself could prevent stifling innovation.
Participants in this research broadly agree that four characteristics are required to comprehensively define cybersecurity technology efficacy. To be effective, cybersecurity solutions need to have the Capability to deliver the stated security mission (be fit-for-purpose), have the Practicality that enterprises need to implement, integrate, operate and maintain them (be fit-for-use), have the Quality in design and build to avoid vulnerabilities and negative impact, and the Provenance in the vendor company, its people and supply chain such that these do not introduce additional security risk.
“In cybersecurity right now, trust doesn’t always sell, and good security doesn’t always sell and isn’t always easy to buy. That’s a real problem,” said Ciaran Martin, former CEO of the UK’s National Cyber Security Centre (a part of GCHQ) and advisory board member, Garrison Technology. “Why we’re in this position is a bit of a mystery. This report helps us understand it. Fixing the problem is harder. But our species has fixed harder problems and we badly need the debate this report calls for, and industry-led action to follow it up.”
“Company boards are well aware that cybersecurity poses potentially existential risk, but are generally not well equipped to provide oversight on matters of technical detail,” said John Cryan, Chairman Man Group and former CEO of Deutsche Bank. “Boards are much better equipped when it comes to the issues of incentives and market dynamics revealed by this research. Even if government regulation proves inevitable, I would encourage business leaders to consider these findings and to determine how, as buyers, corporates can best ensure that cybersecurity solutions offered by the market are fit for purpose.”
“As a technologist and developer of cybersecurity products, I really feel for cybersecurity professionals who are faced with significant challenges when trying to select effective technologies,” said Henry Harrison, CSO of Garrison Technology, a founding member of Debate Security. “We see two noticeable differences when selling to our two classes of prospects. For security-sensitive government customers, technology efficacy assessment is central to buying behavior – but we rarely see anything similar when dealing with even the most security-sensitive commercial customers. We take from this study that in many cases this has less to do with differing risk appetites and more to do with structural market issues.”
To download the full report, please click here.
About Debate Security
Debate Security’s mission is to bring together industry experts from a wide variety of sources and experiences to discuss and debate the cybersecurity market and how it can be improved. Debate Security is a member-based organization that hosts a variety of public and private events and contributes content that aims to expand the debate around meaningful cybersecurity. To learn more, please visit https://www.debatesecurity.com/.
About the Report
All interviews for this research were conducted in 2020. Participants contributed their perspectives on a voluntary, confidential and non-attributable basis in order to encourage candid responses. The author of this research is Joseph Hubback, working as an independent consultant funded by Garrison Technology. Mr. Hubback has since been appointed as the Head of Northern Europe for ISTARI, a global network of experts and service providers that help businesses manage their cyber risks.