Today’s columnist, Ciaran Martin of Oxford University, says the Colonial Pipeline attack showed the vulnerability of critical infrastructure. Martin argues that security people know we have to fix a broken system struggling with expansive vendor promises and corporate managers who can’t talk to tech people. Start by asking the right questions.

The cybersecurity industry loves to talk up the risks of new technology. But events of the last six months reminded us with thunderous force of the problems we already have. The SolarWinds and Microsoft Exchange intrusions pointed out the huge strategic problems of supply chains. The curious case of the Oldsmar, Fla., drinking water plant underscored the vulnerability of critical infrastructure, as did the most recent attack on Colonial Pipeline. And the epidemic of ransomware threatens the ability of countless organizations to function, including healthcare providers dealing with the brutal reality of the pandemic. There have been so many wake-up calls only the truly somnolent could have missed them.

We know “awareness” isn’t the problem, and that word starts to feel like the broken record of cybersecurity. It’s no longer an excuse to say the company wasn’t aware of the threat or the risks. We all are, and should know the risks. So, as the dust settles, more and more conscientious business leaders who care about their organization’s cybersecurity ask themselves: What do we do?

In a properly functioning market, it’s straightforward. There’s a set of risks that the organization knows about. There’s a set of products and services the security team could check out. It could weigh up various factors – the vendor’s track record, their usability, the cost – and work out which one was best for the company. The security team could then make an informed decision and be accountable for it.

That normal, boring, but useful economic process happens sometimes in cybersecurity. But all too often we’re dealing with a broken market – the so-called “Market for Lemons.” As highlighted in the 2020 Debate Security Report, there’s a huge imbalance in knowledge between vendors and buyers, and that imbalance has broken the normal functioning of the cybersecurity market. Good, reliable vendors struggle to differentiate themselves from snake oil and from the froth of an asset bubble. Corporate leaders don’t know how to talk to technologists about what works and what doesn’t.

Fixing this has become the most important question in modern cybersecurity. So, what can break this cycle? Ultimately, buyers need to ask some seemingly simple questions: What does this product do, how does it work, what benefits does it have, and why is it better than something else in the market? To start getting those answers in terms that are understood by both the technical and business communities, we must establish a common definition and common metrics of cybersecurity efficacy.

Ask the right questions to establish efficacy

Establishing clear assessments of cybersecurity efficacy will require the industry to find common ground in four important areas:

Capability: When properly installed, how well does a product or service do what it’s intended to do? And does that meet the needs of the organization?

Practicality: Can an organization implement, integrate, operate and maintain the technology with relative ease? Is it feasible for the organization, based on its IT architecture, personnel or other factors?

Quality: Is the product well-designed and built? Will it avoid vulnerabilities? Are there potential negative impacts to its implementation?

Provenance: How secure is the supply chain? Are there potential vulnerabilities arising from the provider’s status in the market and the way they operate?

These are reasonable questions for organizations investing in cybersecurity to ask, and at the moment, the answers are lacking. A common set of objective assessments would go a long way toward allowing companies to invest in the best cybersecurity products for their needs and a more secure cybersecurity landscape overall.

A new model for assessing cyber technology

Many organizations now recognize that cybersecurity has become just another complex business risk and should be treated as such.

To make this a reality, the cybersecurity industry needs change. But who should lead the charge? There are essentially three ways it can happen: The cybersecurity industry could set its own criteria; separate sectors—such as telecom or energy, for instance—could establish criteria for their own needs; or government could get involved in mandating or recommending baseline metrics.

It’s likely that the most practical framework will involve some combination of the three, but the more industry leadership, the better. Governments can help, especially with newer technologies. A 2019 agreement between Singapore and the U.K. on making Internet of Things (IoT) devices “secure by design,” for example, happened because government agencies cooperated and outlined clear best practices for manufacturers to follow.

However this plays out, the industry clearly needs a new model for defining and measuring the effectiveness of cybersecurity products and services, so that organizations can make better decisions about cybersecurity risks and how to manage them. Buyers should begin by asking the right questions of cybersecurity providers, and providers should give clear answers.

What we have doesn’t work, and causes harm. If we don’t create a system in which the well-intentioned, security-conscious, but non-technical executive has a meaningful set of choices for making informed business decisions, then we fail.

Ciaran Martin, professor of practice at Oxford’s Blavatnik School of Government