How used-cars sales explain the cybersecurity market - and how we can fix it
A market for lemons? Image: REUTERS/Mike Blake
- A new report claims that the cybersecurity market is broken.
- It argues that better products are being driven out of the market because it is too difficult to assess quality.
- Here are three ways to fix the market and protect consumers and companies.
Globally we spending more on defending ourselves from digital attacks. Collective cybersecurity spending is projected to grow to $433.6 billion annually by 2030. In 2020, at the height of the global pandemic, business leaders identified the risk of cyber-attack as the third biggest risk their organizations were facing. This is driving major investment: cybersecurity start-ups receive nearly $9 billion a year.
But an increase in investment is not translating to a reduction in risk. Attacks are continuing to go up, and policymakers, industry leaders and the security community are starting to ask why.
Many are starting to believe that the problem isn't technology; it's economics. As early as 2009 the US House Committee on Homeland Security urged the Obama administration to intervene in what they saw as a market-led approach that was “inadequate” for protecting American assets and urging strict regulation.
A recent report by Debate Security, with inputs from the World Economic Forum cybersecurity community, declared that the cybersecurity market is broken - a market of lemons - based on the foundational findings of Nobel Prize-winning Economist George Akerlov in the 1970s. Akerlov's study was based on the used-cars industry and explains why your brand new car loses 30% of its value as soon as you drive it out of the showroom.
This theory holds that buyers are unable to tell the difference between a “peach” or a “lemon,” and as such will pay an average of the two prices. This will ultimately result in driving better-quality products out of the market.
The problem in the market
Effective cybersecurity strategies are about maintaining the upper-hand in the attack-defender balance. Many organizations appoint a Chief Information Security Officer (CISO) to be responsible for winning that balance and ensuring investment in four key areas:
- Strategy: knowing what to defend and how to defend it;
- Processes: having the most effective security procedures in place;
- People: employing the right workers and ensuring end users are aware of the risks;
- Technology: deploying the right hardware and software to deliver all of the above.
The report outlines that in the "technology" area, CISOs have a fundamental problem with “information asymmetry.” Faced with constant challenges - including keeping up with the latest attacks, deploying security in a complex enterprise environment, a board reliance on compliance-driven frameworks and a raft of new vendor solutions - results in overstretched CISOs without the tools or resources to make the best decisions. Suppliers and not buyers hold all the key information.
For suppliers, the market is also appearing to be fractured and increasingly crowded. Hundreds of new companies are launched each year, leading many to suggest cybersecurity is a bubble. Faced with this competitive environment, many are forced to bring solutions too quickly for an overly broad customer target, and then have to engineer their solutions as bespoke product once deployed using a minimal viable product approach.
3 ways to fix it
Broken markets can be fixed. Governments can intervene through instruments like regulation, taxation and subsidies.
The US fixed Akerlov's used-car problem with a succession of "Lemon Laws," which fixed the information-asymmetry issue by providing buyers with warranties, consumer protection and clear information about the mileage and history of a vehicle. Other markets have responded differently - for example, with brand loyalty schemes, consumer awards or online review websites.
Here are three ways that the security community could fix its broken market:
1. Conduct independent assessments.
Establishing independent verification for security products and services is one way to fix the issue, but is fraught with difficulties to implement. Assessments have to keep up with technology, and given there is little incentive for suppliers to engage, government regulation or establishment of trade associations is necessary. Even then these types of measures might be out of reach for smaller companies, who already struggle with security resourcing, requiring further government protection and sector-specific regulation.
How is the Forum tackling global cybersecurity challenges?
2. Ensure corporate governance.
Many boards, while aware of the risk of cybersecurity, still believe this is an area of esoteric subject matter expertise. That has to change. Faced with what they view as too technical an issue, direct responsibilities are too often delegated to an overstretched security team, large consultancies, compliance requirements or industry spend benchmarking. Corporate leaders need better tools, guidance and ultimately accountability to address and manage cybersecurity as effectively as any other enterprise risk.
3. Offer legal protection and liability transfer.
To drive a major change in what is primarily a business-to-business market, more fundamental interventions might be required. Real change might only come from much better positive incentives focused on protective benefits, like liability protections, insurance, warranties and legal protection if products fail. This too might not be easy, with some saying that cyber-Insurance is one claim from disaster already.
Cybersecurity is a complex problem, and the market is still relatively immature. Recognizing there is a problem is the first step. The cybersecurity ecosystem will be one of the most important in the Fourth Industrial Revolution, and now is the time to establish whether the market alone can drive the response the world needs to ensure the integrity of our digital systems.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Cybersecurity
Related topics:
Forum Stories newsletter
Bringing you weekly curated insights and analysis on the global issues that matter.
More on CybersecuritySee all
Kate Whiting
December 12, 2024