Top 5 Benefits of a New Cybersecurity Market Model

By objective measures, enterprises just aren't getting their money's worth out of their cybersecurity spending. In a fast-paced economic and cyber threat landscape, organizations often buy new technology solutions without being able to fully assess their efficacy and then are forced to move on to new issues and problems before they can make the tools they already have fully effective. In the worst cases, the result is a merry-go-round of spending on unproven technologies that don't address the problem as effectively as they could.


For example, cyber technology and services company Sygnia, which has completed hundreds of cybersecurity improvement engagements with clients, calculated that many of their improvement actions relate to optimization of the current technology stack because it isn't being used effectively.

Organizations need a new model for acquiring cybersecurity tools based on true efficacy rather than vendor promises. Efficacy is defined as the combination of the capability of a product (does it deliver the security mission?), practicality (is it fit for use?), quality (of the security build and architecture) and provenance (of the vendor and supply chain). This starts with buyers gaining visibility into available technologies and basing their purchasing decisions on detailed assessments of how well those technologies do what they're supposed to do.

As detailed in a research report by Debate Security, the current market model has turned cybersecurity into a "market for lemons," in which buyers are sold ineffective products because they can't properly differentiate the better from the worse. The report participants identified a new model that could change that by better informing buyers and delivering resultant benefits.

The problem isn't one of technology -- billions are invested in technology every year. It is one of market economics. The economic problem results from an information asymmetry between buyers and sellers. Security vendors are under pressure to bring new technologies to market as quickly as possible to try to gain or maintain traction -- even if those products aren't fully effective. Buyers likewise are under pressure from their boardrooms or regulators to meet their risk compliance standards, so sometimes the easiest thing to do is buy what everyone else has. In the process, the majority of buyers don't get to fully assess technologies before purchasing them.


Benefits of focusing on efficacy

A new cybersecurity market model that achieves greater transparency on efficacy would deliver five essential benefits:

  1. More effective cybersecurity. Demanding transparency on a product's actual capabilities gives vendors a real incentive to invest more in efficacy. Users expect capabilities to match claims, practical features in areas such as integration and operation, and fewer vulnerabilities caused by quality deficiencies.
  2. More meaningful technology evaluations. Establishing a common view on efficacy will make it easier to evaluate technologies in operation, enabling enterprises to identify vulnerabilities and increase resilience.
  3. Better ability to set risk appetite. Having greater clarity on the strength of technical defenses will enable enterprises to better define the risk they're willing to accept in operational, cyber and enterprise terms.
  4. Better differentiation of security toward priority areas. In addition to setting risk appetite, a better understanding of products' efficacy enables an enterprise to use the most effective of them, which may be more expensive and difficult to manage, on the organization's "crown jewels," thereby protecting its most important assets.
  5. Better correlation between spend and efficacy. Better visibility and a clear understanding of product capability enable enterprises to make better informed tradeoffs when deciding what they can afford. It may not provide an absolute ROI calculation, but it will help organizations make their own risk-based decisions.


You can read this article in full in TechTarget.


Joe Hubback



Managing Director, EMEA, Academy Global MD

Joe Hubback is ISTARI's Managing Director EMEA and our Academy's Global Managing Director.

Joe has a broad background, including McKinsey & Company (where he was a partner and co-led the creation of their cybersecurity practice). He is a published independent cybersecurity analyst and has also held corporate leadership roles (as MD for North West Europe in Keller running a full P&L).

He started his career in the industrial sector as an engineer designing and installing electronic control and robotics systems. He is also passionate about entrepreneurship and is a trustee of the Centre for Entrepreneurs charity.
