Top cyber security experts highlight that the difficulty of assessing the quality and capabilities of cybersecurity products has led to a broken market. In this market, customers have low confidence in their ability to properly analyze, assess and manage the products on offer, as well as their own organizations' overall cyber security posture.
S&P Global CISO Laura Deaner noted that only when cyber security technology is actually implemented is it clear whether or not it will do what it promises, in contrast to other technology implementations. Ciaran Martin, the former head of the UK’s National Cybersecurity Center, noted that too many C-Suites lack proper understanding of cybersecurity and use the excuse that it is too technical or niche to fully understand. A representative from the investment community said this lack of technical understanding of cyber has led C-Suites and Boards to improperly delegate responsibility for this critical matter to risk committees or outside consultancies.
The experts point to the need for external analysis by independent organizations to assess cybersecurity vendor offerings.
The cybersecurity market is indeed broken. A core part of the solution for companies (not cyber product vendors) is a combination of better metrics, more transparency and better technology governance.
The problem of how to lower the complexity and assess the quality of cyber security offerings is a serious one. Consider for a moment the implications of a water or electricity utility that has poorly configured its technology stack, resulting in myriad vulnerabilities, any one of which could result in a damaging ransomware attack that halts essential services for millions of people. This scenario is not far-fetched.
As we have discussed before, the consequence of overly complex IT and cyber security systems is very frequently that these systems' capabilities are misconfigured and underutilized. And the conclusion of these experts, that independent, external analysis and ratings for cyber security systems are needed, is absolutely correct. Independent assessments of technology effectiveness already exist through companies such as Mandiant Security Validation.
But assessments are needed for more than just the security products themselves. C-Suites, boards, regulators, shareholders, creditors and others need independent and reliable assessments of enterprise-level cyber security posture and governance. To achieve this, both governments and the private sector have roles to play.
It’s strange that governments regulate everything from airworthiness standards for airplanes to motor vehicle and food safety. But the management of the world’s most valuable asset—digital technology—is unregulated. From a public policy perspective, smart policy and/or regulatory intervention is needed, starting with standard company disclosure of a set of cyber and related financial risk metrics that can shed light for investors on how well or poorly this asset is being managed.
From the private sector, market-based incentives that reward companies with strong cyber governance and punish those with poor cyber governance can help encourage better security as well. Cyberhedge's cyber governance ratings do just that. They show that the equity prices of the highest rated 4 and 5-Star companies have materially outperformed the lowest rated 1 and 2-Star companies since the indices' launch in December 2016, and even more strongly since the COVID‑19 lockdowns started. This has held true within every sector and across every major market.
The Cyberhedge ratings are compiled using externally available information, and the Cyberhedge Cyber Governance indices provide the first and most robust market-based proof that cyber governance impacts shareholder value.