1. Cybersecurity is failing because the technology is not as effective as it needs to be

Cybersecurity is failing. Spend on cybersecurity is increasing every year (+58% over the past five years1) , yet as the WEF has highlighted2, business leaders still identify disruption from cyberattack as one of the top 5 growing risks in 2020 (and while the exact numbers are contestable, the direction is clear). A major cause of this failure is that the technology is not as effective as it needs to be, and this is the view shared by 90% of over 100 highly qualified research participants in this study. While there has been a strong focus on improving people and process related issues in recent years, - which are also undoubtedly contributors to cybersecurity failings - technology problems have in some way been accepted as inevitable and the norm. As one Chief Information Security Officer (CISO) put it, “we buy it, and then we cross our fingers and hope the technology will work”. Trust in cybersecurity technology to deliver on its promise is low. Without improving technology efficacy, cybersecurity will continue to fail. Participants in this research broadly agree that four characteristics are required to comprehensively define cybersecurity technology efficacy. These are the Capability to deliver the security mission (fit-for-purpose), Practicality in operations (fit-for-use), Quality of security build and architecture, and Provenance of the vendor and supply chain. 


2. The underlying problem is economics, not technology

The root of the efficacy problem is primarily economic rather than technical, characterized by a breakdown in the market relationship between buyers and vendors (‘buyers’ includes CISOs and the broader enterprise team, not only procurement). The core breakdown is an information asymmetry between the parties that prevents buyers from effectively evaluating technology and incentivizes vendors to bring sub-optimal solutions to the market. This mis-match results in products coming to market that are not as effective as promised and which reduce trust in cybersecurity technology. Broken markets have been studied, and solved, before, as evidenced by Akerlof’s 1970 paper ‘Market for Lemons: quality, uncertainty and the market mechanism’. This new research builds on Akerlof’s work and provides the evidence for the breakdown in the market by looking at the overall system dynamics, stakeholder perspectives, buying practices, technology, and vendor landscape; all based on deep interviews and discussion sessions with expert practitioners.


3. Independent transparent technology assessment is proposed as the likely solution

Solving the economic problem requires a new model, creating new incentives for vendors and new approaches for customers. Around 2/3 of the research participants proposed independent and transparent efficacy assessment of technology as the way to solve the information asymmetry, and to rebuild customer trust in the solutions. 

Independent and transparent efficacy assessment would give customers better information to make risk-based purchasing decisions and would give vendors stronger incentives to deliver technology with greater efficacy. Over time, improved technology would clearly reduce the likelihood of successful attacks and would have the additional benefit of reducing dependency on
people and process (so potentially also reducing the talent gap in cybersecurity). From a vendor perspective, efficacy transparency could help innovation penetrate the market, reducing the need to spend excessively on marketing and sales to gain traction. For efficacy assessment to keep up with and support technology innovation, market standards should be set for assessment rather than technology. Assessment, rather than technology,
standards already exist in some markets and in parts of security today (eg, GSMA NESAS), however, they are not widely understood or used outside these areas.


4. Changing market incentives will require concerted effort on the buy-side

Delivering a new model will require coordinated action on the part of buyers to change the market incentives by demanding efficacy transparency before they trust technology. This approach should remove the first mover disadvantage and unlock the situation. Clearly vendors, assessors and standards setters (typically industry associations or regulators) will also need to play their part in delivering the change, but if buyers create the demand the incentive will exist to do so. The idea of independent transparent technology assessment is not new, but there is little incentive for it in the commercial market today: this study suggests that the time may be right to revisit how this can work. The findings of this work may prompt new questions and debates within organizations and the wider market, some of which will be challenging discussions given the issues identified. However, every effort has been made to give a fair representation of the cohort’s views and the intention of this report is to be a catalyst for improvement of the industry and better outcomes for all parties.


5. Research methodology

The perspectives shared in this research have been developed based on 100+ deep interviews with CISOs (representing around 50% of the whole group and coming from globally leading institutions, Fortune 500 companies and elite government environments), cybersecurity vendors, technology vendors, enterprise leaders (Chairs / CEOs), assessment organizations, government agencies and industry associations or regulators. All interviews were conducted on a confidential and non-attributable basis (encouraging candid responses) in between April and September. The interviewees were asked open questions to avoid bias. The author of this research is Joseph Hubback (working as an independent consultant) and it is published by Debate Security, an independent group that brings together industry experts to talk about the cyber market and how it can be improved. Garrison Technology funded Hubback’s time while all interviewees contributed on a voluntary basis.


Access the full report here