Based on over 100 comprehensive interviews with business and cybersecurity leaders from large enterprises, together with vendors, assessment organizations, government agencies, industry associations and regulators, Debate Security’s research shines a light on why technology vendors are not incentivized to deliver products that are more effective at reducing cyber risk.
The report supports the view that efficacy problems in the cybersecurity market are primarily due to economic issues, not technological ones, and addresses three key themes to ultimately arrive at a consensus for how to approach a new model.
Cybersecurity is failing. Spend on cybersecurity is increasing every year (+58% over the past five years), yet, as the WEF has highlighted, business leaders still identify disruption from cyberattack as one of the top 5 growing risks in 2020 (and while the exact numbers are contestable, the direction is clear). A major cause of this failure is that the technology is not as effective as it needs to be, a view shared by 90% of the over 100 highly qualified research participants in this study. While there has been a strong focus in recent years on improving people- and process-related issues (which are also undoubtedly contributors to cybersecurity failings), technology problems have in some way been accepted as inevitable and the norm.
As one Chief Information Security Officer (CISO) put it, “we buy it, and then we cross our fingers and hope the technology will work”. Trust in cybersecurity technology to deliver on its promise is low. Without improving technology efficacy, cybersecurity will continue to fail. Participants in this research broadly agree that four characteristics are required to comprehensively define cybersecurity technology efficacy. These are the Capability to deliver the security mission (fit-for-purpose), Practicality in operations (fit-for-use), Quality of security build and architecture, and Provenance of the vendor and supply chain.