Cybersecurity technology is not getting better: How can it be fixed?

Tech media has diligently reported all the various reasons cybersecurity is failing. However, a recent Garrison Technology-backed survey of business and cybersecurity leaders indicates there’s at least one reason that’s not getting much press. 

The survey’s report Cybersecurity Technology Efficacy: Is cybersecurity the new market for lemons? said even with more than a 50% increase in spending over the past five years, cybersecurity is not having much success. “A major cause of this failure is that the technology is not as effective as it needs to be, and this is the view shared by 90% of the survey participants in this study,” the report said. “While there has been a strong focus on improving people- and process-related issues in recent years, technology problems have in some way been accepted as inevitable and the norm.”

SEE: Security incident response policy (TechRepublic Premium)

The report summary quoted one survey participant: “We buy it, and then we cross our fingers hoping the technology will work.” 

It is important to define the parameters used to determine the effectiveness of cybersecurity technology as the following:

• Capability: When properly installed and configured, how well does the solution deliver its stated security mission? Is it fit for purpose?
• Practicality: How easy is it for organizations to implement, integrate, operate and maintain? Is it fit for use?
• Quality: How well designed is the solution? Are there any negative impacts? 
• Provenance: How much risk can be attributed to the vendor?

An inability to evaluate technology

The survey report suggested one very real issue plaguing cybersecurity products is the inability of buyers to effectively evaluate them, which in turn leads to the purchase of ineffective technology. The report also said the inability of customers to judge a product’s effectiveness incentivizes vendors to develop less-than-optimal technical solutions, reducing customer trust in cybersecurity technology. 

Henry Harrison, co-founder and CSO of Garrison Technology, said cybersecurity product developers base their designs on fundamental architecture and engineering details. “However, vendors can and will take different approaches when it comes to both architectural and engineering perspectives,” Harrison said. “And it’s critical that customers understand there are these differences in vendors and their cybersecurity applications.”

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

Harrison said customers don’t have resources to fully evaluate products. “It’s not fair to say that organizations lack a sophisticated understanding of cybersecurity technology in general,” Harrison said. “What is absolutely the case is that they lack the resources to gain a technical understanding of individual cybersecurity products. They cannot afford the time nor the skills to do the detailed design and source-code reviews that are required to gain that understanding.”

Solving the problem

Nearly two-thirds of survey participants suggested independent and transparent assessment of technology as the way to shed light on the differences between vendors. The survey report mentioned that this type of assessment would give:

• Customers better information when making purchasing decisions
• Vendors incentives to deliver more effective technology
• Customers more trust in vendors and their solutions

Another consideration championed by the report’s authors is to alter market standards to reflect assessment rather than the technology involved. The report said, “Assessment standards already exist in some markets. However, they are not widely understood nor used outside these areas.”

Change the market incentives

The report’s authors are well aware that creating a new model will require pushback from buyers asking for transparency in cybersecurity products. “This approach should remove the first-mover disadvantage and unlock the situation,” the report said. “Vendors, assessors and standards setters (typically industry associations or regulators) will also need to play their part in delivering the change, but if buyers create the demand, the incentive will exist.” 

Harrison offers another option. “What’s needed to fix the broken cybersecurity market above all is for the cost of evaluating cybersecurity products to be amortized across the large number of buyers,” Harrison said. “While buyers individually cannot afford that level of investigation, collectively they can more than afford it, and it will be more than paid back in terms of better security products and fewer security breaches.”

Harrison then asks some hard questions about creating the buying collective:

• Can the private sector pull together to create the coordination required?
• If regulation is required, how would that look on a global scale? 

These questions have yet to be answered, but hopefully will be answered so that all cybersecurity tools are easily researched.

Research methodology

Independent consultant Joseph Hubback conducted over 100 interviews with CISOs (representing around 50% of the whole group and coming from globally leading institutions, Fortune 500 companies, and elite government environments), cybersecurity vendors, technology vendors, enterprise leaders, assessment organizations, government agencies and industry associations or regulators. All interviews were conducted on a confidential and non-attributable basis. Debate Security published the survey report.

Also see