Today’s marketing strategies of many organisations within the cyber security sector can make for exciting reading, but contribute to a level of uncertainty for buyers as to how best to optimize their cyber security investment. The market is further complicated by an analyst community on which many buyers depend, who are unable themselves to base their advice on an assessment of security properties.
Consequently, many procurement processes fail to explicitly state security requirements. Buyers instead depend upon arbitrary precedents set by their peers, or marketing-based output from analysts, to attempt to address their increasing cyber-related liabilities. As cyber security vendor marketing budgets vastly outstrip research and development investments, the competitive and fast-paced market can discourage vendors from implementing and managing appropriately secure software development life-cycles.
The vast range of quality and relevance of resulting security products, coupled with the lack of ability to easily differentiate between good and bad, means that many organisations are making misguided investments in cyber security technology, and are unable to quantify or justify the investments made. Information asymmetry between buyers and suppliers is leading to market failure.
Assurance to the rescue?
Formal product assurance and certification processes can be of significant value in certain circumstances, by making security functionality of products explicit and independently validated. The right scheme in the right context can be valued by vendors and buyers, however full certification may not always be appropriate for all products or solutions. Product certification schemes can be misused, with the outputs of schemes often being misapplied, or the certificates themselves acting as a proxy for informed risk management.
Furthermore, the pace of evolution of technology and innovation within cyber renders the application of product certification to the market in its entirety an impossible task, given the scope and dynamic nature of deployed systems and the evolving threat landscape. While certification schemes have played an important role, today’s diverse cyber security market requires additional levers to promote and value best practice within the vendor community.
Spin-free Cyber is an idea and an approach that HAUK are developing, aimed at encouraging cyber security vendors and suppliers to voluntarily join, and to align their product development, product marketing and product management processes with improved industry norms. The initiative seeks to make explicit the security outcomes sought, and to provide meaningful information regarding how these are achieved from both process and functionality perspectives. Spin-free Cyber could make use of a combination of: a company pledge, an online platform for information exchange, and a set of communication guidelines.
As we develop this line of thinking we'll post again here soon. But please let us know if you have any related views or challenges.