Why CISOs have been talking about lemons

Henry Harrison

By Henry Harrison

Commercial

Government

As the CSO at Garrison, I spend one half of my time worrying about my enterprise customers – for example, the large retail banking customer that uses Garrison to ensure that staff can click on web links without worrying about bringing malware into their organisation. I spend the other half of my time worrying about my government customers – typically sensitive government agencies (across a range of countries) who use Garrison to provide Internet access to operatives working with highly sensitive government data.

My colleagues and I reflect constantly on one extraordinary difference in the way that we engage with those two different markets. In our government market, customers will not buy security technology from the likes of us until their technical experts (or at least, technical experts from one of their allies) have thoroughly tested it to determine whether it actually delivers on the security promises that the vendor makes.

With our commercial engagements, that pretty much never happens.

The difference was so stark that we decided – through an organisation we’re part of called Debate Security – to fund some independent research to explore why it is that we don’t see this sort of efficacy assessment taking place in the commercial market. Is it simply a reflection of different risk priorities? Do commercial buyers simply feel they have better ways of making buying decisions?

Funded by us but working independently, Joe Hubback (an ex-McKinsey partner and now – since completion of the research – Client Director at cybersecurity investment fund Istari) conducted more than 100 interviews with cybersecurity and business leaders at some of the world’s largest and most sophisticated organisations. The resulting report was launched on 20th October 2020 with a panel event chaired by the World Economic Forum and involving Ciaran Martin (until recently the CEO of the UK’s National Cyber Security Centre), John Cryan (Chairman Man Group and formerly CEO Deutsche Bank) and Laura Deaner (CISO, S&P).

The findings of Joe’s interviews were perhaps surprising: broad consensus among interviewees that the way the commercial market buys cybersecurity technology is broken and failing to deliver value to buyers. CISOs are overwhelmed by the sheer number of products in the market; they know that many of them are not actually very effective; and they don’t have good ways of determining which products are or are not effective.

In fact, Joe concludes in his report that the cybersecurity technology market is a “Market for Lemons”, in the technical economic sense of Joseph Akerlof’s Nobel prize-winning research from 1970. A market for lemons (“lemons” being US slang for a poor quality product, as compared with a “peach”) is one where an inability for buyers to distinguish high quality from poor quality products leads to high quality products being crowded out of the market.

It’s a fascinating conclusion: that a significant part of our difficulties addressing cyber risk are not down to technical or operational issues, but to economic ones. If we could address the information asymmetry at the heart of the buying process, the efficacy of cybersecurity technologies would dramatically improve, and the balance of cyber risk could be redressed in favour of the defender.

It’s a conclusion that rings true to us here at Garrison: undoubtedly the fact that our government customers are looking over our shoulders at what we’re doing – and are certainly not shy of saying so if they think we might be missing a trick on security – keeps our engineering processes focused on quality and efficacy. And they tell us that as a result, they have high confidence that we are effectively defending their and their allies’ systems from even highly sophisticated attacks.

What Joe’s conclusions don’t imply though is that this is a problem that’s trivial to solve. Individual commercial buyers – even the largest banks – just don’t have the resources and budgets to carry out the sort of in-depth product testing and assessment that leading nation-state governments can do. That means that addressing the economics is a question of coordination.

The open question therefore is whether and how that coordination can be achieved. Most of the study’s interviewees seem to believe the only way out of this situation is through regulation. In my experience though, regulation is never pretty, and I’d personally like to hope that there are other avenues for coordination – the WEF, for example – that might help get us there without regulation. But if regulation is coming, let’s make sure we get on the front foot and ensure it’s focusing on what this study suggests is the right thing: fixing a broken market. The alternative is that regulators try to define how technologists should innovate, and that’s not a future I for one look forward to.

If you would like to read the full report or watch the virtual debate you can do that here.