Why Businesses Need a New Cybersecurity Tech Acquisition Model

How do companies know if they chose the right cybersecurity solution? The simplistic answer would be this: if their devices or networks are kept free from security breaches. Things are not that simple, though. If the basis of cybersecurity success is the complete absence of breaches, then it would be fair to say that no company has managed to choose the right cybersecurity solution.

Also, measuring the success of cybersecurity solutions this way will be an open-ended process without established benchmarks. There are no established standards for how effective particular security solutions are. There are best practices, but there are no objective, quantitative approaches for examining the efficacy of such solutions. What most consumers have at present are reviews by tech sites and by users themselves, which rarely offer reassuring conclusions.

Often, cybersecurity solutions tend to be underused. Many security software solutions provide a host of features and functions that are not taken advantage of by most companies. Then, there’s the habit of buying new cybersecurity technologies supposedly to address new threats even though organizations have not conducted thorough evaluations of the efficacy of their existing system.

This situation calls for a new model for acquiring cybersecurity solutions: one that focuses on real efficacy instead of on what vendors claim to offer. Companies and other users of security products need a better understanding of their security needs and of the technologies they are buying.

In search of the best solution

A research report by Debate Security suggests that the cybersecurity industry has become a “market for lemons,” largely because buyers are incapable of differentiating good from bad (or ineffective) products. The study interviewed over 100 cybersecurity leaders and businesses to dig deep into the efficacy of cybersecurity technology.

While there are many effective cybersecurity innovations such as automated purple team simulation that expands security visibility and optimization, there are also numerous gimmicky or downright ineffective features and functions being introduced. As Debate Security’s research revealed, an overwhelming majority of organizations are not confident in the effectiveness of the solutions they obtain. “We buy it, and then we cross our fingers and hope the technology will work,” said one CISO quoted in the study.

Trust in cybersecurity solutions is currently low. This is understandable given the many high-profile security breaches reported recently and throughout the course of the pandemic. Research respondents agree that cybersecurity solutions should be evaluated by their capability (to deliver on what they are designed to do), practicality, security build and architecture quality, and vendor and supply chain provenance. However, they are unsure why it is still so difficult for them to find the best solution for their needs.

An economics problem, not technology-driven

While Debate Security’s study highlights the low trust in cybersecurity technology efficacy, it also argues that the failure of cybersecurity at present is not attributable to technology but to economics. The study cites reasons that lay the blame on the disconnect between supply and demand.

Technology itself has not been the problem, since billions upon billions are invested in cybersecurity every year. According to the Canalys Global Cybersecurity 2020 Forecast, cybersecurity investment in 2020 is expected to have grown by up to 5.6 percent. This shows sustained interest in improving cybersecurity year after year.

Security firms and organizations ceaselessly develop new ways to address cyber threats and attacks. They continuously monitor cyber activities to detect the most recent tactics and strategies cyber criminals employ, so that they can come up with the appropriate countermeasures.

Additionally, there are collaborative cybersecurity endeavors aimed at leveraging the expertise of various security firms, organizations, and watchdogs to help everyone prepare for the most recent attacks. The MITRE ATT&CK framework, for example, is being integrated into security solutions to help prepare organizations for the newest methods bad actors employ to defeat cyber defenses or exploit vulnerabilities.

Again, the problem is not in technology but in the economics of cybersecurity. As mentioned in the Debate Security research, buyers of security products are generally eager to get their hands on the latest and supposedly most effective solutions on the market to keep up with risk compliance standards. On the other hand, security vendors tend to rush the development of their products and offer them to consumers—even when they are not proven to be fully effective.

Buyers become too focused on compliance while vendors try to cash in as much as possible in the ever-growing cybersecurity market demand. This needs to stop. Organizations need to adopt a new model of security tech acquisition that emphasizes real efficacy more than compliance and the need to be up-to-date with the latest trends.

Creating a new cybersecurity acquisition model

Debate Security offers a new cybersecurity model that seeks to reform the “information asymmetry” between those that purchase security solutions and those that sell them. This mismatch is identified as the reason why most of the products that enter the security market tend to be not as effective as they ought to be. There need to be changes in the overall dynamics between buyers and vendors in relation to the technologies being offered, product promotions, and stakeholder perspectives.

The new model has to focus on efficacy to deliver the following benefits outlined in Debate Security’s research:

  1. Greater cybersecurity effectiveness – If businesses understand their security risks thoroughly, they will know what they really need and they can find the right products for them provided that security providers are truthful and transparent with their claims.
  2. Meaningful technology evaluations – When buyers and vendors are all concerned about efficacy, they can establish common standards on what makes a product effective and optimized for specific use cases.
  3. Improved ability to set risk appetite – When organizations know what their security solutions can and cannot do, they can define the risks they are willing to take more accurately.
  4. More informed security differentiation and prioritization – Security products come in different plans or packages. More features and coverage mean higher plan prices. If security vendors are transparent and realistic with their claims, buyers can prioritize their cybersecurity spending or investments better.
  5. Correlation between security spending and efficacy – Ultimately, if there is transparency in the cybersecurity market, buyers can spend for the right solutions and level of protection that match their needs and risk factors.

How can this new cybersecurity economic model be implemented? Debate Security’s study suggests creating an independent and transparent technology assessment program, alongside incentives for vendors and new purchasing approaches for customers. For the model to work, buyers must be convinced that vendors can be trusted, so that they examine security products according to their capabilities and other attributes instead of over-relying on security compliance requirements.

Improving cybersecurity for everyone

With the rapid evolution of cyber threats and the overwhelming volume of attacks, there are compelling reasons for businesses to get the best cybersecurity solution and for vendors to deliver the most effective features and functions. The cybersecurity industry cannot be a mere money-making market for security vendors. Buyers must be mindful of their product choices, but vendors should at the same time be truthful about the efficacy of their products.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.