How used-cars sales explain the cybersecurity market - and how we can fix it

Globally we spending more on defending ourselves from digital attacks. Collective cybersecurity spending is projected to grow to $433.6 billion annually by 2030. In 2020, at the height of the global pandemic, business leaders identified the risk of cyber-attack as the third biggest risk their organizations were facing. This is driving major investment: cybersecurity start-ups receive nearly $9 billion a year.

But an increase in investment is not translating to a reduction in risk. Attacks are continuing to go up, and policymakers, industry leaders and the security community are starting to ask why.

Many are starting to believe that the problem isn't technology; it's economics. As early as 2009 the US House Committee on Homeland Security urged the Obama administration to intervene in what they saw as a market-led approach that was “inadequate” for protecting American assets and urging strict regulation.

A recent report by Debate Security, with inputs from the World Economic Forum cybersecurity community, declared that the cybersecurity market is broken - a market of lemons - based on the foundational findings of Nobel Prize-winning Economist George Akerlov in the 1970s. Akerlov's study was based on the used-cars industry and explains why your brand new car loses 30% of its value as soon as you drive it out of the showroom.

This theory holds that buyers are unable to tell the difference between a “peach” or a “lemon,” and as such will pay an average of the two prices. This will ultimately result in driving better-quality products out of the market.

Effective cybersecurity strategies are about maintaining the upper-hand in the attack-defender balance. Many organizations appoint a Chief Information Security Officer (CISO) to be responsible for winning that balance and ensuring investment in four key areas:

The report outlines that in the "technology" area, CISOs have a fundamental problem with “information asymmetry.” Faced with constant challenges - including keeping up with the latest attacks, deploying security in a complex enterprise environment, a board reliance on compliance-driven frameworks and a raft of new vendor solutions - results in overstretched CISOs without the tools or resources to make the best decisions. Suppliers and not buyers hold all the key information.

For suppliers, the market is also appearing to be fractured and increasingly crowded. Hundreds of new companies are launched each year, leading many to suggest cybersecurity is a bubble. Faced with this competitive environment, many are forced to bring solutions too quickly for an overly broad customer target, and then have to engineer their solutions as bespoke product once deployed using a minimal viable product approach.

Broken markets can be fixed. Governments can intervene through instruments like regulation, taxation and subsidies.

The US fixed Akerlov's used-car problem with a succession of "Lemon Laws," which fixed the information-asymmetry issue by providing buyers with warranties, consumer protection and clear information about the mileage and history of a vehicle. Other markets have responded differently - for example, with brand loyalty schemes, consumer awards or online review websites.

Here are three ways that the security community could fix its broken market:

1. Conduct independent assessments.

Establishing independent verification for security products and services is one way to fix the issue, but is fraught with difficulties to implement. Assessments have to keep up with technology, and given there is little incentive for suppliers to engage, government regulation or establishment of trade associations is necessary. Even then these types of measures might be out of reach for smaller companies, who already struggle with security resourcing, requiring further government protection and sector-specific regulation.

2. Ensure corporate governance.

Many boards, while aware of the risk of cybersecurity, still believe this is an area of esoteric subject matter expertise. That has to change. Faced with what they view as too technical an issue, direct responsibilities are too often delegated to an overstretched security team, large consultancies, compliance requirements or industry spend benchmarking. Corporate leaders need better tools, guidance and ultimately accountability to address and manage cybersecurity as effectively as any other enterprise risk.

3. Offer legal protection and liability transfer.

To drive a major change in what is primarily a business-to-business market, more fundamental interventions might be required. Real change might only come from much better positive incentives focused on protective benefits, like liability protections, insurance, warranties and legal protection if products fail. This too might not be easy, with some saying that cyber-Insurance is one claim from disaster already.

Cybersecurity is a complex problem, and the market is still relatively immature. Recognizing there is a problem is the first step. The cybersecurity ecosystem will be one of the most important in the Fourth Industrial Revolution, and now is the time to establish whether the market alone can drive the response the world needs to ensure the integrity of our digital systems.