Fundamental Principles for SAFER Cybersecurity Purchasing - answering the question "what does this do?"
We, as a community, want to see secure, prosperous and open digital societies. A secure digital environment is in our interests. Yet that environment currently has too many structural insecurities, one of which is the continued failure of cybersecurity to deliver. This charter builds on the conclusions of the 2020 Debate Security report on cybersecurity technology efficacy, which identified some of the structural problems hindering us from tackling cybersecurity effectively:
- Lack of transparency: too often, those who want to do the right thing and protect their assets don't have the right information to evaluate cybersecurity solutions;
- Excessive noise: those with innovative cybersecurity solutions to sell can't break through amidst the noise of the market; and
- Perverse incentives: current market incentives encourage cybersecurity vendors to focus on speed to market rather than security performance.
This is a market problem. It is best solved by free market solutions. We therefore want to improve the functioning of a free market in the public interest. As vendors, buyers and key members of the ecosystem alike, we want to work together to make this happen.
Through this Charter, we commit together to developing the Fundamental Principles for SAFER Cybersecurity Buying, through:
- Symmetry of information between buyer and vendor, addressing the fundamental imbalance at the root of the problem.
- Assessment independence, with an assessment approach that makes it easier for vendors with effective solutions to navigate markets successfully and for buyers to obtain independent assurance.
- Freedom of entry and innovation in the market, maintaining, as far as possible, low barriers to new entrants with demonstrably effective solutions.
- Efficacy-based assurance, ensuring that assessors look at the total efficacy of a solution when assuring or reviewing cybersecurity solutions.
- Risk-based buying decisions, providing buyers with solution efficacy information to drive a value-based buying decision that trades off likely risk reduction against cost.
All of this is underpinned by a commitment from buyers and vendors alike to conduct business in plain, understandable language. When it comes to a cybersecurity product or service, vendor and buyer alike must be able to answer one question clearly: What does this do?
We undertake to work with all parties to develop solutions and drive implementation of these principles. This undertaking is set out in the commitments made in this charter.