EPISODE 72
The Failure of the Cybersecurity Market

About this episode

February 2, 2021

We're collectively spending $100 billion each year to manage cyber risks and still the damages are going up. It's due to a big dysfunction in the marketplace. But there's a cure! Learn more with Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, JD and Cybersecurity Practice Lead at Focal Law Group.


Episode Transcript

Kip Boyle: Hi, I'm excited to share that we have a new free bonus just for you.

Jake Bernstein: We've started publishing our very own quarterly Cyber Risk Management journal. It's loaded with over 30 pages of useful content taken directly from our podcast. Here's how we make each new edition.

Kip Boyle: So we start by transcribing the four or five episodes that we've published in the previous three months.

Jake Bernstein: Next, we send our editor and designer the transcripts and our supporting materials for those episodes.

Kip Boyle: Then they revise all the text. They put clickable links in for all the resources and they create the best look and feel for each episode.

Jake Bernstein: And finally, we, Kip, and I make sure the finished PDF is ready for you.

Kip Boyle: So, download the current edition now, all you have to do is go to b.link/crmj. That's the letter b.link/crmj.

Jake Bernstein: And if you like it, share it with your friends and encourage them to subscribe to the Cyber Risk Management Podcast. Now on with the show.

Speaker 3: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Kip Boyle: Hey Jake, what are we going to talk about today?

Jake Bernstein: Hey, Kip. Today, we're going to talk about something a little different, economics and the failure of the cybersecurity market.

Kip Boyle: Well, it's not legal anyway.

Jake Bernstein: Not as much, but our source today is a study published by Debate Security and it's available free from their website at www.debatesecurity.com.

Kip Boyle: Okay. Yeah, that is different, economics, but I like the variety so that's really good. I suppose we should say, as we've said a few times in the last several episodes, that Debate Security is not a sponsor and we're only looking at this because we thought it was super interesting. But it's also kind of esoteric, right? This whole idea of economics and the failure of the cybersecurity market. So, let's tell our audience why they should care.

Jake Bernstein: Yeah, I agree. And personally, I'm actually betting that this becomes one of our most downloaded episodes because as esoteric as it sounds, it's a critical issue for our audience. Many of whom are truly mired in this failed market and may not realize it yet.

Kip Boyle: Oh, God. If anybody out there is a chief information security officer or works for one, I guarantee you that once we start unpacking this you're going to recognize the failure and you're going to know that you're in the middle of it. So, but what I've struggled with, right, is knowing how to articulate this failure and what to do about it. So anyway, but let's go ahead and start unpacking it. So a failed market, that's a contradiction, right? On the surface anyway, because the market for cybersecurity products is actually enormous and getting bigger all the time. So how do you explain that conflict?

Jake Bernstein: So when I say market failure here, I'm talking about kind of an Adam Smith style, the market with a capital M and-

Kip Boyle: The invisible hand.

Jake Bernstein: The invisible hand. Exactly. And actually, the invisible hand is at work here. Absolutely. And specifically, the marketplace for cybersecurity technology and the failure, which we'll talk about is one of information asymmetry. But the bottom line is that the market isn't doing what it is supposed to be doing.

Kip Boyle: It's not doing what it's supposed to be doing. Okay. Let's keep going. So how is the market not doing what it's supposed to be doing? I mean, again, there's a lot of spending in this industry. The amount of spend is growing. The number of vendors is proliferating. If you're an investor, this is not failure at all.

Jake Bernstein: That's a fair point, but let me ask you this, how confident are you that the market is full of effective cybersecurity technology?

Kip Boyle: And here's where we start getting to the rub. Yeah. I mean, we've used this little phrase, this little turn of phrase before to kind of talk about the fact that a lot of people have blinky light security, so they've got these products that look cool and sound cool, but nobody has any idea if they actually do anything.

Jake Bernstein: And that's exactly right. It's more than that though. It's not just the blinky lights from hardware, it's the many, many, many promises that are made by numerous cybersecurity companies that quite honestly don't really get borne out in practice.

Kip Boyle: Oh, God, man. As a CISO, I have had to spend a lot of money on products that I did my very best to scrutinize to identify which ones would actually help me. And only to find out that they only helped me in whole or almost never in whole, either only in part or not at all. And yeah. So, gosh, and I'm sure most of our listeners can relate to that. Right? They got really excited about a product, they brought it in, they actually paid money for it, and then it just failed to perform. I mean, that is a real, that is a real big problem that anybody with a budget has felt the sting of. No doubt about it. But still, right? But is it fair to say that the market has failed just because we've got some trouble like this?

Jake Bernstein: I think it is fair. And I think it's fair because the problem overall is that the spend on cybersecurity continues to increase, but I don't think we can honestly say that companies are as secure as they should be based on that spend. And we haven't actually given the full name of this report and I think that the full name is really interesting and it's called Cybersecurity Technology Efficacy: Is cybersecurity the "new market for lemons?" And the market for lemons language comes from a 1970s economics paper that basically talks about the specific market failure that is the subject of this episode and this report, which comes down to, and it is esoteric. This is not necessarily easy to summarize, but we're going to try to do that.

Kip Boyle: Okay. All right. Well, okay. So first of all, a new market for lemons, and then you say 1970, and all I can think of is like American manufactured automobiles that were uniformly so bad in so many ways, certain product lines, that we actually have a whole section of lemon laws, right? To protect consumers from having to buy and put up with shoddy products.

Jake Bernstein: Yeah. And they called those lemon laws. I enforced Washington's lemon law when I was an assistant attorney general.

Kip Boyle: Yeah. So the idea of a market full of lemons is absolutely not new. I think it's great that we're finally starting to talk like this about cybersecurity products, but I don't know. I think to our listeners, this still probably might sound like a bold claim, but you know, if you unpack this report, and I'm going to put the URL to this report in the show notes, but you can probably find it by Googling this report by its title, which again is Cybersecurity Technology Efficacy. And it was commissioned and published by an organization called debatesecurity.com. So you should be able to go retrieve this, but I didn't crack it at all.

Jake Bernstein: I didn't know we had show notes now, Kip.

Kip Boyle: Oh.

Jake Bernstein: That's exciting.

Kip Boyle: Oh, my goodness. You're just jabbing me like crazy today. You jabbed me about my age before we even started recording the podcast.

Jake Bernstein: You're way younger than... You seem way younger than you are. Wait, I think I just did it again.

Kip Boyle: Yeah, yeah, yeah, yeah.

Jake Bernstein: So let's move on.

Kip Boyle: So according to the report, right? Spend on cybersecurity is increasing every year and it's up 58% over the last few years. And in terms of absolute numbers, we're talking about 100 billion dollars more, right? Over 100 billion dollars every year. So I mean, the quantity of money is just crazy and at the same time, are we seeing a falling off of cyber attacks? No.

Jake Bernstein: The opposite. If anything, the opposite.

Kip Boyle: Yeah. The opposite happened. In fact, I saw a recent article by Cybersecurity Ventures, they publish a lot of stuff, and they said that if you took all the cyber in a year and you aggregated it, and then if you treated that number as though it were the gross domestic product of a country, it would be the third largest economy in the world.

Jake Bernstein: Oh, that's depressing.

Kip Boyle: Yeah. And it's only going to get worse.

Jake Bernstein: It is.

Kip Boyle: So, okay. So for those of you who thought it was a bold claim, the way we opened up this show, I hope you're beginning to accept the fact that it's not as bold as it may seem now that we're unpacking this. And I can tell you it absolutely squares with my personal experience.

Jake Bernstein: And mine too. And I think it's important to point out that this study isn't a hit piece on vendors. In fact, Debate Security was founded by the vendor community. I think instead what we're seeing is, I think that at large the vendor community knows there's a problem, and we'll get into some of the details, but quite frankly, they're probably tired of spending almost half of their income on marketing. And I think that this article, this report, and the suggested fixes would help with that. So let me quickly just point out that the study was basically deep-dive interviews with more than 100 business and government leaders across the industry, including the buy-side and sell-side. And that in fact, yes, the cybersecurity marketplace does have all the hallmarks of a failed market. Similar to that market for lemons, Quality Uncertainty and the Market Mechanism, that was the name of the paper published in 1970, and stealing your line, the problem is an information asymmetry breakdown. And this is really fascinating to me. It's the whole buyer beware type concept, caveat emptor.

Kip Boyle: Oh. And you know all about that.

Jake Bernstein: I do. It ties back into the first eight years of my practice, as everyone by now knows. I was an assistant attorney general in consumer protection. This is what the FTC does. This is what state AGs do. Now that's on the B2C, business to consumer. This is all, this is the same problem, but it's B2B. And because of that, you don't get the consumer protection agencies and the FTC spending their time on this. In fact, those agencies assume that the market will take care of this type of problem, but it hasn't. And that is because the information asymmetry here is super, super complex. So for example, Kip, when I say to you, you've been a buyer, how do you understand cybersecurity technology efficacy? On one level the question is, well, does the product work, but what does that mean?

Kip Boyle: Yeah. And boy, when you say information asymmetry in the market, there's no doubt that's the case. And if so, if you're a buyer, this asymmetry favors the vendor, let's be clear about that. All right. And again, we're not trying to bash vendors, we're just trying to describe a dynamic that's in play here. And I think conceptually, it's interesting to compare information asymmetry in favor of the vendor, very similarly, to asymmetry in warfare in favor of the attackers. Right? So as a CISO, I'm on the losing end of both these asymmetric dynamics.

Jake Bernstein: You totally are. It sucks to be a CISO. Well, Kip, it's a tough job and that's probably why I'm skipping ahead in the script, but that's what we do here on this show. No wonder the average tenure of a CISO is only 26 months due to the high stress and burnout.

Kip Boyle: Yeah, or the tape goes.

Jake Bernstein: Yeah. You're on the wrong end of two asymmetries that are not fun.

Kip Boyle: Yeah. It's really tough. Now, having said that, it's not an excuse for failure, it's just an explanation for why the tenure is so low and why a lot of CISOs are perceived to have failed when they leave companies. It is just the job is just so damn hard and there are real systemic issues, right? Like data breaches, I think in general, when the Equifax data breach happened a few years ago and I started studying it, that's when it really was driven home to me that, this is another economics term, but there's a lot of externalities associated with data breaches. In other words, when a data breach happens, the negative consequences disproportionately fall on the people whose records were compromised and not on the company who was in control of them.

And so we have a lot of things going on right now to try to correct asymmetry. We've got GDPR, California's cranking out privacy laws every other year at high rates, you know? So there are forces at work trying to correct that economic dysfunction. And so, yeah. So once I started thinking about it, I realized, you know what? There's a lot of marketplace dysfunction with respect to the job that a CISO is expected to do, and no CISO is going to be able to change any of that on their own.

Jake Bernstein: Yep. It's true. And I don't think we're going to have time to get in-depth on the kind of factors on the buy-side that contribute to this problem. That's probably another episode, honestly, but I do want to point out that they are there. We may end up focusing the rest of this episode on some of the what may sound like vendor-type issues, but really there are problems on all sides.

Kip Boyle: There are problems on all sides. And in the last few years, I've learned how to do marketing more than I've ever tried to learn how to do marketing before. And there's this aphorism in marketing and I learned this from a very, very talented marketer. And he said to me, half of all the money spent on marketing is wasted. The only problem is we don't know which half.

Jake Bernstein: Yeah, that's exactly right.

Kip Boyle: And when I heard him say that I started reflecting and I was like, well, I don't think half of my CISO budget is being wasted, but it's a significant percentage because you have to spend money in order to find out what works in marketing. And I'm afraid that's also true when it comes to technology.

Jake Bernstein: Yep.

Kip Boyle: You generally have to spend a lot of money to figure out what works and that there are a lot of incentives for you to buy whatever's considered to be the market leader, because you want to stay with the crowd, because that's what regulators expect, blah, blah, blah. So it's really interesting, but let's keep unpacking this report.

Jake Bernstein: Yeah, exactly. So what I was going to say is the study authors suggest four characteristics are required in order to comprehensively define "cybersecurity technology efficacy." And those four characteristics are capability, basically is something fit for purpose; practicality, is it fit for use; the actual quality of the security build and architecture; and then the provenance of the vendor and supply chain. Obviously, you might be suspicious of something that meets the other three if it's made by the People's Liberation Army.

Kip Boyle: You went there, good for you.

Jake Bernstein: I did go there. I did go there. And the details of all of that are in the report, but here's my summary. Are you ready for this Kip? This is a major thought, and you have to imagine every word in this next sentence to be capitalized.

Kip Boyle: All right.

Jake Bernstein: Security is hard, and more importantly, figuring out, like you just said, what works is not merely non-trivial, it's almost as hard as doing the security right in the first place.

Kip Boyle: Oh, yeah.

Jake Bernstein: And if you think about this, it's really kind of unfair, right? It feels really unfair. As a CISO, not only are you responsible for doing security right, you also have to figure out how to do security right. And you also have to figure out what products out there, all of whom claim to do security right, actually work in order to do your security. And you know, what is it that we have said for years now? Cybersecurity isn't something you buy, it's something you do. It's what you do and it's a practice, not a product. Ooh, I just came up with that. But that's a good one.

Kip Boyle: But we need products, right.

Jake Bernstein: We do need.

Kip Boyle: As much as I've been burnt by technology trying to solve problems and as much as I try to lean on people and process and good management practices to sort of compensate for technology failures, I can't eliminate technology as one of the things that I need to use.

Jake Bernstein: You can't. Thinking about a hypothetical business that could get as close to perfect security as possible, which of course, is not possible. There's an asymptote there.

Kip Boyle: Optimized security. Yep.

Jake Bernstein: Optimized security. Without technology to benefit, really, other than like basic computer skills, would be a company with a grand total of one employee and one endpoint who can sit there and personally monitor the one device. Not much of a company.

Kip Boyle: Yeah.

Jake Bernstein: Right?

Kip Boyle: No.

Jake Bernstein: And so we need the technology and yeah.

Kip Boyle: And I think we need the technology and in large part, because there's actually a lot of security stuff that can be automated because it's highly repeatable. It's drudgery work that human beings are absolutely terrible at. And so I think there are some great use cases for technology. So yeah.

Jake Bernstein: And it's only fair. Right? One of the things that we talk about is how the bad guys are heavily automated. So it seems only fair that the good guys should be able to automate as well, and they can, it's just a question of when and how, and whether it works.

Kip Boyle: And in the new era of artificial intelligence and machine learning, right? The bad guys already have it, they're using it against us. The idea that we're going to fight AI/ML without our own AI/ML, I mean, I just don't know that's realistic.

Jake Bernstein: It's not, but be careful because you also just slipped into marketing speak. And that's one of the things that we're dealing with here.

Kip Boyle: Oh, yeah. Gosh, I've seen it. I've seen it come in wave after wave. Once something gets really popular, everybody is that, right? So once AI started getting popular, all of a sudden, every vendor out there yesterday who wasn't AI enabled is now AI enabled.

Jake Bernstein: Is now AI-enabled, exactly.

Kip Boyle: And totally abusing that term to the point of becoming meaningless. So, yeah.

Jake Bernstein: Okay. So here's the thing, the study says that buyers don't have the resources to measure efficacy as we just defined it. I'm going to say specifically, private sector buyers, there's a whole discussion in there about how government procurement, particularly, high-security procurement is a different story. And let's just say it is a different story, if you want to know more, check out the report. I don't think we're going to talk about that right now, because everything about it is just different from the private sector. So we'll continue here. So in the private sector, because of the lack of resources and the confusing nature of efficacy and the information asymmetry, you boil all that down, and basically, everything is going to sell whether it's good or not.

So the market, and this is the argument, the market pressures lead to low efficacy products, because it isn't rational in a market sense to spend the time or money to make a high efficacy product. And this is really interesting, way back in the dawn of time, otherwise known as March 2009, Jim Lewis, who's a gentleman at the Center for Strategic and International Studies, he testified to the House Committee on Homeland Security about market issues. And he said, and this is a quote, "our report concluded that the market would never deliver adequate security and the government must establish regulatory thresholds for critical infrastructure." Ouch. But also I'd say the last 11 years has kind of proven his statement to be correct.

Kip Boyle: Oh, yeah. Yeah. And I think when I was talking about externalities for data breaches, well, externalities are very similar to what created the Environmental Protection Agency in the US government.

Jake Bernstein: Actually, they are. Externalities are. That's like the big word in environmental law.

Kip Boyle: Yeah. Right. Because why? Okay. So if I own a lead smelter and I discharge waste up my smokestacks and that waste falls in the form of particulate matter over a vast swath of land that is downwind from my factory, before the EPA came along, there was no way to stop me from doing that as the factory owner or hold me accountable for the damages. The same for sewage discharge into lakes and streams and rivers, and it took an entire government agency in order to correct that imbalance, that externality.

Jake Bernstein: And a generation of a lifetime, 20, 25 years to really clean things up. I mean, you and I live in Seattle and I've heard stories that Lake Washington at one point, you wouldn't dare go in it.

Kip Boyle: Right. Yeah. And in the Midwest, there were rivers that metaphorically anyway were on fire. They were so damaged and full of such toxins and filth that you could practically light a fire with all of the effluent of everything. And yeah, nobody would dare to touch the water, let alone eat anything that they might catch out of that water. And I really think that's a good parallel for what we're seeing with cybersecurity today. There are all these externalities and then the market's just not naturally correcting.

Jake Bernstein: You're right. That really is. And though this is not a podcast about capitalism and politics I will say that having been a regulator for eight years, the market does have failures and there aren't that many ways to correct those. And this is one where I think really the regulation is just as it was with EPA, it's necessary here.

Kip Boyle: Yeah. Well, there's self-regulation, that's an option.

Jake Bernstein: It is.

Kip Boyle: The Payment Card Industry Data Security Standard is a prime example of an industry that knew that it had a lot of cybersecurity problems because of all the card data breaches and all the fraud. And they said, all right, we're going to regulate ourselves because we don't want the government to regulate us. And so they've been doing that now for years and years and years, and we can argue about the efficacy of their self-regulation, but that's an option.

Jake Bernstein: Yeah. Well, and I think even this report and this Debate Security organization is an example of potentially worthwhile self-regulation by the industry. Right? If you're a bright-eyed visionary CEO or founder of a cybersecurity technology company and you want your product to work well, you know that economically you're going to struggle in the current market circumstances. So it makes sense that you would try to start correcting that with self-regulation and that's kind of what I think this is.

Kip Boyle: Mm-hmm (affirmative). Well, why don't we skip through some of the high points, some of the remaining high points of the report, before we wrap up the episode here so that people can get a better idea about what this report says and what it recommends?

Jake Bernstein: Yeah. And interestingly enough, I was actually just talking about the conclusion and I think I'm just going to mention it right now, even though it's probably not the most relevant to our audience, just because it's very simple. The cybersecurity technology market needs independent transparent assessment as soon as possible. And regulation, whether it's government imposed or self-regulation, will probably be a key component of that. And that's a pretty typical so-called collective action problem, but let's focus on what the listeners can do today.

Kip Boyle: Yeah, yeah, yeah. So what's the practical stuff? I mean, because no answer that conforms to this report's recommendation is going to happen anytime soon, but people will have this problem now. So, yeah. So let's be practical and see if we can help people spend their money more efficiently.

Jake Bernstein: Yep. And I think the idea... So one of the interesting facts here is that 90% of the study participants agree that basically, cybersecurity technology doesn't work as well as it should. You spend a lot of money and you don't necessarily end up more secure. That's a problem. And there are many reasons for that. One of the reasons is that the skill and capabilities of attackers have grown while the defensive capabilities do feel mired in unfulfilled marketing promises, and that's really what we see here.

Kip Boyle: Yeah. And it takes a lot less time for an attacker to innovate, to find a new way to attack us, than it takes the vendor community to innovate their products. And a good example of this I think is antivirus blacklisting as an approach. For years and years and years it worked really, really well. And then the attackers innovated and they started releasing malicious code that defied the blacklist technology's ability to put out a single signature that would detect all variants reliably, and that was the beginning of the end of blacklisting technology. And since then, companies have struggled, the vendors that sell anti-malicious code have struggled to figure out how can they adapt to a world where the blacklisting approach just simply doesn't work anymore. And I think the jury is still out on how well they've adapted to it, but there's a ton of money and effort being put into it. And here's the thing, as soon as they get it figured out, then the attackers will innovate again and will be standing on our heels instead of standing on our toes.

Jake Bernstein: Very much so, very much so.

Kip Boyle: So it's hard. Right? It's just super, super difficult, but yeah. So what's another high point of the report that our audience would want to know?

Jake Bernstein: I think one of the things that's interesting here, and this is intuitive, but the study asks, what is it about the cybersecurity industry that necessitates such a brutal investment in persuasion, which is just a great quote, but what it's talking about is that, well, I'll just give you a number. I think people will figure it out right away. On average, the top six companies who publicly report data reported annual revenue of 9.8 billion with a sales and marketing expenditure of 4.1 billion, 41% of revenue being fed into selling products. By comparison, other B2B firms like Cisco, Microsoft, et cetera, they spend less than half of that percentage. And there's no way to say that this isn't part of the problem. It's definitely part of the problem. And in terms of what to do about it, I'm not sure Kip. I mean, you're the buyer. What is your reaction to that statistic?

Kip Boyle: Well, I can tell you for sure that I have lived that statistic. I mean, CISOs and anybody with a budget that can be used to solve cybersecurity problems and manage cyber risk are hunted. I mean, they are, they're actively hunted.

Jake Bernstein: You're under attack.

Kip Boyle: By sales tenure.

Jake Bernstein: You're under attack by the good guys and the bad guys.

Kip Boyle: That's right.

Jake Bernstein: No wonder CISOs quit at alarming rates.

Kip Boyle: Yeah. Or they just pull up the drawbridges and just hide in their castles behind their moats. They can't be found. They can't be spoken to, nobody knows how to reach them by telephone. The emails just go into a black hole and the skepticism is through the roof, through the roof. So yeah, I've lived it. And I'm sure a lot of our listeners have lived it.

Jake Bernstein: Yeah. There's this great quote from a September 2019 article published by McKinsey that was called Securing Software as a Service. And though I don't have any more information on it, more than 70% of respondents to that article's survey said that uninformed or misleading claims about security capabilities were a cause of dissatisfaction. And I love this CISO who actually complained that they were sick of receiving glossy marketing materials, which are "essentially snake oil when it comes to security features." Many, many vendors will claim their security features are better than what a very simple assessment will reveal is the truth.

Kip Boyle: Oh, yeah, yeah. It is the truth. And if you read Bruce [inaudible], he talks about snake oil. He talks about security theater, all of that stuff's in play. And all of that is contributing to this mess that we're talking about right now. And of course, we can unpack that as a separate topic in another episode. But yeah, those forces are in play too. And I mean, it just makes everything nuanced.

Jake Bernstein: And we might need to, because we're already at 32 minutes here, so.

Kip Boyle: I know. What else in the report is worth mentioning?

Jake Bernstein: So again, I mentioned it earlier, but there's an issue about company boards demanding compliance all the time while the CISOs are under these attacks. And also, as it's pretty common, most CISOs spend their time firefighting, which makes it even harder to really strategically plan and investigate and evaluate the technology that you could buy.

Kip Boyle: Yeah. And compliance isn't security, we know that, but the boards don't understand what real digital security is and they don't really want to spend money on that stuff anyway. And so just being compliant is a way to get regulators and lawmakers off your back. And if something bad happens, then you can say, well, we were compliant, you gave us bad advice. We followed it and we still got hacked so it's not our fault. And we learned about the blame games several episodes ago when we talked about Josephine Wolff's book, where she laid that out bare, that a lot of the conversations post-breach are about blame and they're not about the root cause and how to actually stop that style of attack from happening in the future.

Jake Bernstein: Exactly. So let's go ahead and conclude now with action items. I'll give the buyer an action item, try to act a little more like a high security government agency during your procurement process.

Kip Boyle: I know.

Jake Bernstein: In other words, demand evidence of efficacy and resilience. Don't just look for a basic technical and operational fit. And this is something, I mean, oh my gosh. I talk about personal experience. Don't measure yourself solely by whether or not you conform to so-called market norms. The number of times, Kip, I mean, honestly, "but the other guys are doing it too" is a top 10 excuse from when I was a regulator. I don't care if the other guys are doing it, maybe I'll look at them later as a regulator, but right now the eye of Sauron is on you. And so that's not an excuse.

Kip Boyle: It's a powerful force though.

Jake Bernstein: It is.

Kip Boyle: You have to acknowledge the fact that human beings tend to move in concert with each other and it's just a natural human inclination.

Jake Bernstein: It is. And I understand that.

Kip Boyle: But it's a natural urge.

Jake Bernstein: But here's what's so fascinating, and you and I have both personally seen this, there is a massive difference in management level interest and engagement with cybersecurity after any particular management team has gone through hell. It's simply the case, which says to me that there really is still this educational component that's missing. When someone goes through it, they know just how bad it is and those guys, I mean, I literally, I heard this quote the other day, "we never want to go through this again." And that was from a company president dealing with ransomware attacks. Is that company going to behave the same way towards cybersecurity now and going forward as it did in the past? Absolutely not. And you know, one of the things they're going to do, and one thing that everyone should do, and this is from the report, out your internal understanding of security efficacy and what you can do about it. Like if you can do nothing but rely on marketing materials, you're not going to succeed.

Kip Boyle: Yeah. Okay. Well, there's nothing for me to say because...

Jake Bernstein: No, you get to give advice to the sellers because we care about them too, because we need them, we need them.

Kip Boyle: We do, we do need them. Yeah, absolutely. So, all right. So if you're a seller, if you're a vendor, then you've just got to work with your customers more to provide greater transparency on the efficacy of your solution. And that's going to do more things for you. I think in terms of being able to get the trust of chief information security officers and the people who work for them, the report really encourages that kind of transparency. And one way that you can do that is we're starting to see an emergence of places that will do independent testing. And so the report talks about several organizations that are trying to assist vendors and buyers with being more transparent about what really works. And if this is successful, then actually vendors are going to benefit because you can learn from this testing what works, and then you can modify your products to make them more effective because guess what? Your competitors are going to do the same thing.

So, one program that I want to mention that you can look at is the Underwriters Laboratories, which in 2016 launched a cybersecurity assurance program. So the UL CAP, and there's one organization that's trying to actually do some independent testing on cybersecurity products. And I think of them as like trying to create Consumer Reports for CISOs. So you should go and check them out and see what they offer and how they might be useful. And by the way, I just want to mention this too. I talk about fire as being a really interesting way to understand cyber, right? The risk of a fire versus the risk of a cyber incident. And I think it's poetic that Underwriters Laboratories is undertaking this because guess what folks? They started in 1894 specifically because insurance companies that were writing fire insurance policies were really skeptical of electrical appliances and they wanted a way to know which electrical appliances were prone to starting fires and which ones weren't, and so they actually formed Underwriters Laboratories in order to test products for their efficacy.

Jake Bernstein: But I don't think it gets more poetic than that period.

Kip Boyle: My gosh.

Jake Bernstein: That's pretty, that's pretty great.

Kip Boyle: That's epic.

Jake Bernstein: It is epic. And look, this is not a short-term solution, this is a long-term strategy. For vendors it's tough. You're told to chase high growth and impressive numbers for investors, but at the same time, gosh, we see a lot of companies just rise and fall rapidly. And I think the best way to short-circuit that is it, yes, there's the first-mover disadvantage of economics to deal with. But I think if you can fight through that, there will be a long-term game.

Kip Boyle: Yeah. Yeah. I think there's a lot of smart people working on this problem. Sooner or later they're going to crack it, but in the meantime, we've got to cope. And so we hope that this report will, first of all, educate you listeners as to what's really going on. And then that will help you navigate your way if you're a buyer or a seller. I think you should grab this report, look it over and see how it can inform how you do your work.

Jake Bernstein: Yep. Agreed. Okay.

Kip Boyle: All right. Well, that wraps up this episode of the Cyber Risk Management Podcast. And today we discussed a new study by Debate Security. This is a new group about market failures and cybersecurity technology and what needs to happen to correct them. Thanks for being here. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 3: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that Cyber Risk Management is a team sport, so include your senior decision-makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.