Product hype and a lack of oversight from senior executives have created a “broken” market in cybersecurity technology, experts say, with urgent action needed from both vendors and customers.
Bombarded with pitches from a raft of new as well as established cybersecurity vendors, chief information security officers often have a difficult time assessing whether technology will actually do what it promises until it is put into operation, said Laura Deaner, CISO at financial-data company S&P Global Inc.
“I shouldn’t have to say my fingers are crossed when I’m implementing a technology—that is proof that the market is broken,” Ms. Deaner said, speaking on a virtual panel hosted Wednesday by Debate Security, a research group formed by a number of security vendors.
Keeping up with hackers requires cybersecurity vendors to update technology frequently, but this can stymie CISOs, who often don’t have enough information or resources to properly size up products, she said.
“There’s something that’s not quite working,” said Ciaran Martin, the former head of the U.K.’s National Cyber Security Centre and currently an adviser for Garrison Technology Ltd., a member of Debate Security, speaking on the same panel.
Indeed, cybersecurity might fit the definition of a “lemon” market, according to research published Wednesday by the group. The label harks back to an economic theory developed by George Akerlof in 1970, which holds that buyers unable to tell the difference between a “peach” and a “lemon” will pay an average of the two prices, eventually driving better-quality products out of the market.
In cybersecurity, information about a product’s capabilities, efficacy and quality is mostly held by vendors alone, with customers often relying on them for insights instead of doing their own in-depth appraisal, the report argued.
Vendors recognize this, said Joseph Hubback, an analyst who wrote the Debate Security report. And they face unique pressures. In addition to a competitive environment where they have to bring products to market quickly, he said, they are often forced to design products to serve an overly broad swath of customers.
“This kind of minimum viable product approach doesn’t seem to be working in cybersecurity the way it does in broader technology markets, because the users actually aren’t able to play that intelligent customer role,” he said.
A lack of cybersecurity oversight from board-level executives can contribute to this information asymmetry, said John Cryan, chairman of hedge fund operator Man Group, speaking on the same panel.
For instance, many boards push cyber risk assessments onto risk committees, or outsource evaluations of cybersecurity preparedness to consultancies and other organizations to avoid direct culpability when things go wrong, he said.
While boards also rely on input from CISOs, they recognize that this creates a dependency on a single employee, which they tend to disdain, he said. This can result in cybersecurity investment decisions being made for compliance reasons, for instance, rather than because a particular technology or product is the right functional fit.
“It’s a very thorny area for corporate governance. It’s an area of quite esoteric subject-matter expertise,” said Mr. Cryan, who is the former chief executive of Deutsche Bank AG.
Mr. Martin said corporate leaders have long been allowed to rely on excuses that cybersecurity is too technical or niche to fully understand. When he ran the NCSC, he said, he used to ask energy executives why they were able to understand deeply technical processes such as offshore oil extraction, but couldn’t get to grips with network security.
“It’s nonsense, and we allowed that infantilization to go on for too long,” Mr. Martin said.
Fixing the market involves better conversations between CISOs and boards, and could include the creation of independent assessment organizations or certification bodies to analyze vendor offerings, said S&P’s Ms. Deaner. Such assessments would include, for instance, testing platforms against common attack methods, and having vendors explain in detail how their products work.
Giving the private sector a chance to solve problems through dialogue between vendors and companies would be ideal, said Mr. Martin, rather than involving regulators or government.
But Mr. Cryan disagreed. Relying on the industry to fix itself might not work, he said. Other avenues, such as legal protections and warranties against products that don’t work, might be a way to force vendors to live up to their claims.
“I am still not sure whether or not the right solution is to let the market solve this,” he said.
Write to James Rundle at [email protected]