Top 5 benefits of a new cybersecurity market model

By objective measures, enterprises just aren’t getting their money’s worth out of their cybersecurity spending. In a fast-paced economic and cyber threat landscape, organizations often buy new technology solutions without being able to fully assess their efficacy and then are forced to move on to new issues and problems before they can make the tools they already have fully effective. In the worst cases, the result is a merry-go-round of spending on unproven technologies that don’t address the problem as effectively as they could.

For example, cyber technology and services company Sygnia, which has completed hundreds of cybersecurity improvement engagements with clients, calculated that many of their improvement actions relate to optimization of the current technology stack because it isn’t being used effectively.

Organizations need a new model for acquiring cybersecurity tools based on true efficacy rather than vendor promises. Efficacy is defined as the combination of the capability of a product (does it deliver the security mission?), practicality (is it fit for use?), quality (of the security build and architecture) and provenance (of the vendor and supply chain). This starts with buyers gaining visibility into available technologies and basing their purchasing decisions on detailed assessments of how well those technologies do what they’re supposed to do.

As detailed in a research report The problem isn’t one of technology — billions are invested every year on technology. It is one of market economics. The economic problem results from an information asymmetry between buyers and sellers. Security vendors are under pressure to bring new technologies to market as quickly as possible to try and gain or maintain traction — even if those products aren’t fully effective. Buyers likewise are under pressure from their boardrooms or regulators to meet their risk compliance standards, so sometimes, the easiest thing to do is buy what everyone else has. In the process, the majority of buyers don’t get to fully assess technologies before purchasing them.

Benefits of focusing on efficacy

A new cybersecurity market model that achieves greater transparency on efficacy would deliver five essential benefits:

  1. More effective cybersecurity. Demanding transparency on a product’s actual capabilities gives vendors a real incentive to invest more in efficacy. Users expect capabilities to match claims, practical features in areas such as integration and operation, and fewer vulnerabilities caused The concept of a minimum viable product — in which products are released early so the market can determine their development — is being played out in cybersecurity. But it’s failing in this case because customers don’t get the chance to properly assess the efficacy of those products, which would help drive their improvement. The technology for better security exists — customers can buy more secure solutions. But the current model and the way today’s market operates too often prevent buyers from finding them.

    A new, better model would be based on a better understanding of technology efficacy, using detailed assessments. Assessments require transparency and compliance from vendors, but in a new model, vendors would benefit as well, since the stronger technologies would be more evident. Security vendors would need to submit their solutions for assessment to an independent organization with full transparency, requiring real trust between the parties.

    Aside from protecting buyers, a new model would also need to protect vendors: it would be equally important to ensure that they are protected from any potential loss or compromise of intellectual property.

    The proposed new model identified

About the author

Joe Hubback has a broad background, including serving as a partner at McKinsey, where he co-led the creation of its cybersecurity service line, as a published independent cybersecurity analyst and also in corporate leadership as managing director for Northwest Europe at Keller running a full profit and loss. He started his career in the industrial sector as an engineer designing and installing electronic control and robotics systems.