Exploits, data breaches and ransomware campaigns are succeeding despite increased public awareness about these threats. New victims are found, old targets are rediscovered and people want to know how this keeps happening.

It isn’t because people don’t care. In the past three years, according to Google Trends, the subject of hacking has generated more queries than poverty, bankruptcy, corruption and even nuclear war. Plenty of individuals are trying to learn more, but what they find is confusing because of the way security vendors have historically positioned, justified and sold security. In their efforts to differentiate themselves and express the urgency of the problems they solve, vendors have unintentionally paralyzed buyers. For security to improve, these old habits have to change.

Security Vendors, Messaging and John Nash

Security companies are pretty consistent. When they uncover a new and successful attack that is creating an urgent need, they develop solutions to identify, block and recover from it. To raise interest in their new solutions, they develop campaigns and tools intended to show that a next generation of technology is the answer or that an entirely new approach is required. Existing solutions are cast as no longer appropriate because they have allowed this new attack to succeed.

Given the speed with which the threat landscape changes, this means that organizations are regularly told that they need to adopt entirely new tools and platforms because their existing solutions aren’t sufficient anymore. The message is that radical changes are needed to make them safe. This aggressive positioning leaves buyers knowing only one thing: They need to do more, and this time they aren’t going to make a move until they are sure it’s the right one. Certainty doesn’t come easily in the security market, so the major result of all of this turbulence is often indecision and delay.

In economics, this negative outcome was captured in a theory that won John Nash a Nobel prize in 1994. Nash discovered that a universal pursuit of unalloyed self-interest can create less-than-awesome outcomes for everyone involved. In the case of new protections, this is clearly happening. When security vendors routinely create distrust about competing solutions, organizations grow skeptical of the claims and benefits of the entire sector.

Proving a Negative

Demonstrating protection functionality objectively requires proving a negative — that the system cannot be violated. Proving a negative is generally pretty tough, but much more so in security, where there are innumerable threats with new twists evolving daily. The problem is exacerbated by a lack of consistency on the part of security reviewers and ratings providers. In the absence of a universally accepted testing framework, even relative rankings cannot help users distinguish among new offerings that claim to raise the level of protection.

The results of this are bad for everyone concerned. Organizations react by retrenching and deploying more of what they know, while delaying or rejecting the adoption of newer protection technology. When this happens, vendors lose time and new customers, while buyers lose the opportunity to acquire much-needed new defenses.

Supporting an Incremental Approach

The solution is for security providers to communicate clearly about the specific added protections that they provide. It may be defense against a new type of attack, a monitoring platform that can synthesize new messaging types or something completely different. Providing clarity offers the opportunity for a more beneficial security equilibrium because buyers can make decisions about their own needs for a mix of technologies without the disruption and second guessing associated with more confrontational messaging. This is in keeping with well-established security dogma, which has always maintained that there are no silver bullets and that no single solution will ever provide 100 percent security.

Overtaxed security administrators also benefit from this candor. Wholesale migration to a new platform requires the retraining of existing staff, new resources added during the course of the migration and the reimagining of existing processes to integrate a new set of capabilities. Once completed, this level of change will usually require rewrites of control and audit documentation to describe the new solution.

Efficient improvement of protection limits itself to just that: improving existing protections. In this model, additional protections, or areas of increasing investment, are integrated within existing processes and frameworks wherever possible, minimizing the disruption and retraining chaos that can accompany full replacement strategies.

A New Era of Openness

In the IBM Security App Exchange, additional collaborative security functionality can be added, ranging from endpoint protection to visualization and incident response. This type of incremental protection scheme allows a chronically understaffed security team to prioritize and improve protection at a pace consistent with the rest of its responsibilities.

This requires buyers to demand, and vendors to provide, a concise view of their incremental value and the value of their solutions in an integrated platform of the buyer’s choosing. In time, that will naturally consist of multiple approaches and should leverage analytics derived from information provided by disparate vendors. It will also require additional openness and clarity from vendors, but there is a unique opportunity to improve security and security adoption without unnecessarily calling into question years of previous security decisions and investments.
