Researchers have recently built a report, based on interviews conducted with business and cybersecurity leaders from large enterprises across the world, that sheds light on why technology vendors are not incentivized to deliver products that are more effective at reducing cyber risk.
The report supports the statement that efficacy problems in the cybersecurity market are primarily due to economic issues and not technological ones. The researchers address three key themes in the report and ultimately arrive at an accord on how to approach the newly suggested model.
Cybersecurity is not as effective as it should be
A majority of the participants thoroughly believed that cybersecurity is not as effective as it should be and hence it fails to protect organizations from the risk of a cyber-attack. While the organization’s evaluation of cybersecurity technology efficacy and performance remains undefined, the overall trust in technology to deliver on its promises is low.
Ineffective technology has been accepted as normal and inevitable, while efforts have been made to improve people and process-related issues.
Economics is the culprit and not Technology
As many as 92% of the participants reported a breakdown in relationships between buyers and vendors, with the majority seeing deep-seated information asymmetries.
Only a few buyers outside the government use detailed, independent cybersecurity efficacy assessments as part of their cybersecurity procurement process, and not even the largest organizations reported having the resources to conduct all the assessments themselves.
Consequently, vendors are incentivized to focus on other product features, and on marketing, deprioritizing cybersecurity technology efficacy.
With regulation, co-ordination between stakeholders can be achieved
Regulation may be the only way to address this issue unless buyers demand greater efficacy. To mend the broken cybersecurity technology market, overcoming first-mover disadvantages will be critical.
The majority of participants believed that coordinated action between all stakeholders can only be achieved through regulation, though some hold out hope that coordination could be achieved through sectoral associations. More than half of the participants believed that independent, transparent assessment of technology would help solve the market breakdown. Setting standards on technology assessment, rather than on the technology itself, could prevent stifling innovation.
Defining Cybersecurity technology adequacy
Participants in the research broadly agreed that four characteristics are required to comprehensively define cybersecurity technology efficacy.
To be effective, cybersecurity solutions need the capability to deliver on their promise of security and the practicality that enterprises demand in order to be implemented, integrated, operated, and maintained. They also need high quality in design and build to avoid vulnerabilities and negative impact, and provenance in the vendor company, the supply chain, and the people involved, to avoid introducing additional risks.
The real problem in cybersecurity right now is that trust is hard to sell, and a good security solution doesn't always sell, nor is it ever easy to buy.