Exploits, data breaches and ransomware campaigns are succeeding despite increased public awareness about these threats. New victims are found, old targets are rediscovered and people want to know how this keeps happening.

It isn’t because people don’t care. In the past three years, according to Google Trends, the subject of hacking has generated more queries than poverty, bankruptcy, corruption and even nuclear war. Plenty of individuals are trying to learn more, but what they find is confusing because of the way security vendors have historically positioned, justified and sold security. In their efforts to differentiate themselves and express the urgency of the problems they solve, vendors have unintentionally paralyzed buyers. For security to improve, these old habits have to change.

Security Vendors, Messaging and John Nash

Security companies are pretty consistent. When they uncover a new and successful attack that is creating an urgent need, they develop solutions to identify, block and recover from it. To raise interest in their new solutions, they develop campaigns and tools intended to show that a next generation of technology is the answer or that an entirely new approach is required. Existing solutions are cast as no longer appropriate because they have allowed this new attack to succeed.

Given the speed with which the threat landscape changes, this means that organizations are regularly told that they need to adopt entirely new tools and platforms because their existing solutions aren’t sufficient anymore. The message is that radical changes are needed to make them safe. This aggressive positioning leaves buyers knowing only one thing: They need to do more, and this time they aren’t going to make a move until they are sure it’s the right one. Certainty doesn’t come easily in the security market, so the major result of all of this turbulence is often indecision and delay.

In economics, this negative outcome was captured in a theory that won John Nash a Nobel prize in 1994. Nash discovered that a universal pursuit of unalloyed self-interest can create less-than-awesome outcomes for everyone involved. In the case of new protections, this is clearly happening: When security vendors routinely create distrust about competing solutions, organizations grow skeptical of the claims and benefits of the entire sector.

Proving a Negative

Demonstrating protection functionality objectively requires proving a negative — that the system cannot be violated. Proving a negative is generally pretty tough, but much more so in security, where there are innumerable threats with new twists evolving daily. The problem is exacerbated by a lack of consistency on the part of security reviewers and ratings providers. In the absence of a universally accepted testing framework, even relative rankings cannot help users distinguish among new offerings that claim to raise the level of protection.

The results of this are bad for everyone concerned. Organizations react by retrenching and deploying more of what they know, while delaying or rejecting the adoption of newer protection technology. When this happens, vendors lose time and new customers, while buyers lose the opportunity to acquire much-needed new defenses.

Supporting an Incremental Approach

The solution is for security providers to communicate clearly about the specific added protections that they provide. It may be defense against a new type of attack, a monitoring platform that can synthesize new messaging types or something completely different. Providing clarity offers the opportunity for a more beneficial security equilibrium because buyers can make decisions about their own needs for a mix of technologies without the disruption and second guessing associated with more confrontational messaging. This is in keeping with well-established security dogma, which has always maintained that there are no silver bullets and that no single solution will ever provide 100 percent security.

Overtaxed security administrators also benefit from this candor. Wholesale migration to a new platform requires the retraining of existing staff, new resources added during the course of the migration and the reimagining of existing processes to integrate a new set of capabilities. Once completed, this level of change will usually require rewrites of control and audit documentation to describe the new solution.

Efficient improvement of protection limits itself to just that, improving existing protections. In this model, additional protections, or areas of increasing investment, are integrated within existing processes and frameworks wherever possible, minimizing the disruption and retraining chaos that can accompany full replacement strategies.

A New Era of Openness

In the IBM Security App Exchange, additional collaborative security functionality can be added, ranging from endpoint protection to visualization and incident response. This type of incremental protection scheme allows a chronically understaffed security team to prioritize and improve protection at a pace consistent with the rest of its responsibilities.

This requires buyers to demand, and vendors to provide, a concise view of their incremental value and the value of their solutions in an integrated platform of the buyer’s choosing. In time, that will naturally consist of multiple approaches and should leverage analytics derived from information provided by disparate vendors. It will also require additional openness and clarity from vendors, but there is a unique opportunity to improve security and security adoption without unnecessarily calling into question years of previous security decisions and investments.
