• A new report claims that the cybersecurity market is broken.
  • It argues that better products are being driven out of the market because it is too difficult to assess quality.
  • Here are three ways to fix the market and protect consumers and companies.

Globally we spending more on defending ourselves from digital attacks. Collective cybersecurity spending is projected to grow to $433.6 billion annually by 2030. In 2020, at the height of the global pandemic, business leaders identified the risk of cyber-attack as the third biggest risk their organizations were facing. This is driving major investment: cybersecurity start-ups receive nearly $9 billion a year.

But an increase in investment is not translating to a reduction in risk. Attacks are continuing to go up, and policymakers, industry leaders and the security community are starting to ask why.

Many are starting to believe that the problem isn't technology; it's economics. As early as 2009 the US House Committee on Homeland Security urged the Obama administration to intervene in what they saw as a market-led approach that was “inadequate” for protecting American assets and urging strict regulation.

Half of businesses are concerned about cybersecurity due to the shift in working patterns.
Half of businesses are concerned about cybersecurity due to the shift in working patterns.
Image: World Economic Forum

A recent report by Debate Security, with inputs from the World Economic Forum cybersecurity community, declared that the cybersecurity market is broken - a market of lemons - based on the foundational findings of Nobel Prize-winning Economist George Akerlov in the 1970s. Akerlov's study was based on the used-cars industry and explains why your brand new car loses 30% of its value as soon as you drive it out of the showroom.

This theory holds that buyers are unable to tell the difference between a “peach” or a “lemon,” and as such will pay an average of the two prices. This will ultimately result in driving better-quality products out of the market.

The problem in the market

Effective cybersecurity strategies are about maintaining the upper-hand in the attack-defender balance. Many organizations appoint a Chief Information Security Officer (CISO) to be responsible for winning that balance and ensuring investment in four key areas:

  • Strategy: knowing what to defend and how to defend it;
  • Processes: having the most effective security procedures in place;
  • People: employing the right workers and ensuring end users are aware of the risks;
  • Technology: deploying the right hardware and software to deliver all of the above.

The report outlines that in the "technology" area, CISOs have a fundamental problem with “information asymmetry.” Faced with constant challenges - including keeping up with the latest attacks, deploying security in a complex enterprise environment, a board reliance on compliance-driven frameworks and a raft of new vendor solutions - results in overstretched CISOs without the tools or resources to make the best decisions. Suppliers and not buyers hold all the key information.

For suppliers, the market is also appearing to be fractured and increasingly crowded. Hundreds of new companies are launched each year, leading many to suggest cybersecurity is a bubble. Faced with this competitive environment, many are forced to bring solutions too quickly for an overly broad customer target, and then have to engineer their solutions as bespoke product once deployed using a minimal viable product approach.

3 ways to fix it

Broken markets can be fixed. Governments can intervene through instruments like regulation, taxation and subsidies.

The US fixed Akerlov's used-car problem with a succession of "Lemon Laws," which fixed the information-asymmetry issue by providing buyers with warranties, consumer protection and clear information about the mileage and history of a vehicle. Other markets have responded differently - for example, with brand loyalty schemes, consumer awards or online review websites.

Here are three ways that the security community could fix its broken market:

1. Conduct independent assessments.

Establishing independent verification for security products and services is one way to fix the issue, but is fraught with difficulties to implement. Assessments have to keep up with technology, and given there is little incentive for suppliers to engage, government regulation or establishment of trade associations is necessary. Even then these types of measures might be out of reach for smaller companies, who already struggle with security resourcing, requiring further government protection and sector-specific regulation.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.

Our community has three key priorities:

Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.

Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.

Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.

Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.

The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.

For more information, please contact us.

2. Ensure corporate governance.

Many boards, while aware of the risk of cybersecurity, still believe this is an area of esoteric subject matter expertise. That has to change. Faced with what they view as too technical an issue, direct responsibilities are too often delegated to an overstretched security team, large consultancies, compliance requirements or industry spend benchmarking. Corporate leaders need better tools, guidance and ultimately accountability to address and manage cybersecurity as effectively as any other enterprise risk.

3. Offer legal protection and liability transfer.

To drive a major change in what is primarily a business-to-business market, more fundamental interventions might be required. Real change might only come from much better positive incentives focused on protective benefits, like liability protections, insurance, warranties and legal protection if products fail. This too might not be easy, with some saying that cyber-Insurance is one claim from disaster already.

Cybersecurity is a complex problem, and the market is still relatively immature. Recognizing there is a problem is the first step. The cybersecurity ecosystem will be one of the most important in the Fourth Industrial Revolution, and now is the time to establish whether the market alone can drive the response the world needs to ensure the integrity of our digital systems.