- A new report claims that the cybersecurity market is broken.
- It argues that better products are being driven out of the market because it is too difficult to assess quality.
- Here are three ways to fix the market and protect consumers and companies.
Globally, we are spending more on defending ourselves from digital attacks. Collective cybersecurity spending is projected to grow to $433.6 billion annually by 2030. In 2020, at the height of the global pandemic, business leaders identified the risk of cyber-attack as the third biggest risk their organizations were facing. This is driving major investment: cybersecurity start-ups receive nearly $9 billion a year.
But an increase in investment is not translating into a reduction in risk. Attacks continue to rise, and policymakers, industry leaders and the security community are starting to ask why.
Many are starting to believe that the problem isn't technology; it's economics. As early as 2009 the US House Committee on Homeland Security urged the Obama administration to intervene in what it saw as an "inadequate" market-led approach to protecting American assets, and called for strict regulation.
A recent report by Debate Security, with input from the World Economic Forum cybersecurity community, declared that the cybersecurity market is broken - a "market for lemons" - drawing on the foundational work of Nobel Prize-winning economist George Akerlof in 1970. Akerlof's study was based on the used-car industry and explains why your brand new car loses 30% of its value as soon as you drive it out of the showroom.
The theory holds that buyers are unable to tell the difference between a "peach" and a "lemon," and so will only pay a price that averages the two. Sellers of peaches cannot get a fair price and withdraw, which ultimately drives better-quality products out of the market.
The problem in the market
Effective cybersecurity strategies are about maintaining the upper hand in the attacker-defender balance. Many organizations appoint a Chief Information Security Officer (CISO) to be responsible for tipping that balance in their favour and ensuring investment in four key areas:
- Strategy: knowing what to defend and how to defend it;
- Processes: having the most effective security procedures in place;
- People: employing the right workers and ensuring end users are aware of the risks;
- Technology: deploying the right hardware and software to deliver all of the above.
The report finds that in the "technology" area, CISOs face a fundamental problem of "information asymmetry." Constant challenges - keeping up with the latest attacks, deploying security in a complex enterprise environment, a board reliance on compliance-driven frameworks and a raft of new vendor solutions - leave CISOs overstretched and without the tools or resources to make the best decisions. Suppliers, not buyers, hold all the key information.
For suppliers, the market also appears fractured and increasingly crowded. Hundreds of new companies are launched each year, leading many to suggest cybersecurity is a bubble. Faced with this competitive environment, many are pushed to bring a minimum viable product to market too quickly, aimed at an overly broad customer base, and then have to re-engineer it into a bespoke product for each customer once it is deployed.
3 ways to fix it
Broken markets can be fixed. Governments can intervene through instruments like regulation, taxation and subsidies.
The US fixed Akerlof's used-car problem with a succession of "Lemon Laws," which addressed the information-asymmetry problem by giving buyers warranties, consumer protection and clear information about a vehicle's mileage and history. Other markets have responded differently - for example, with brand loyalty schemes, consumer awards or online review websites.
Here are three ways that the security community could fix its broken market:
1. Conduct independent assessments.
Establishing independent verification for security products and services is one way to fix the issue, but it is difficult to implement. Assessments have to keep up with the technology, and since suppliers have little incentive to engage voluntarily, government regulation or the establishment of trade associations is necessary. Even then, such measures may be out of reach for smaller companies, which already struggle with security resourcing and would need further government protection and sector-specific regulation.
2. Ensure corporate governance.
Many boards, while aware of cyber risk, still treat it as an area of esoteric subject-matter expertise. That has to change. Faced with what they view as too technical an issue, boards too often delegate direct responsibility to an overstretched security team, large consultancies, compliance requirements or industry spend benchmarking. Corporate leaders need better tools, guidance and, ultimately, accountability so that they address and manage cybersecurity as effectively as any other enterprise risk.
3. Offer legal protection and liability transfer.
To drive a major change in what is primarily a business-to-business market, more fundamental interventions may be required. Real change may only come from much stronger positive incentives focused on protective benefits, such as liability protections, insurance, warranties and legal recourse if products fail. This too will not be easy: some already say that cyber-insurance is one large claim away from disaster.
Cybersecurity is a complex problem, and the market is still relatively immature. Recognizing there is a problem is the first step. The cybersecurity ecosystem will be one of the most important in the Fourth Industrial Revolution, and now is the time to establish whether the market alone can drive the response the world needs to ensure the integrity of our digital systems.