Exploits, data breaches and ransomware campaigns are succeeding despite increased public awareness about these threats. New victims are found, old targets are rediscovered and people want to know how this keeps happening.

It isn’t because people don’t care. In the past three years, according to Google Trends, the subject of hacking has generated more queries than poverty, bankruptcy, corruption and even nuclear war. Plenty of individuals are trying to learn more, but what they find is confusing because of the way security vendors have historically positioned, justified and sold security. In their efforts to differentiate themselves and express the urgency of the problems they solve, vendors have unintentionally paralyzed buyers. For security to improve, these old habits have to change.

Security Vendors, Messaging and John Nash

Security companies are pretty consistent. When they uncover a new and successful attack that is creating an urgent need, they develop solutions to identify, block and recover from it. To raise interest in their new solutions, they develop campaigns and tools intended to show that a next generation of technology is the answer or that an entirely new approach is required. Existing solutions are cast as no longer appropriate because they have allowed this new attack to succeed.

Given the speed with which the threat landscape changes, this means that organizations are regularly told that they need to adopt entirely new tools and platforms because their existing solutions aren’t sufficient anymore. The message is that radical changes are needed to make them safe. This aggressive positioning leaves buyers knowing only one thing: They need to do more, and this time they aren’t going to make a move until they are sure it’s the right one. Certainty doesn’t come easily in the security market, so the major result of all of this turbulence is often indecision and delay.

In economics, this kind of outcome is described by the equilibrium concept for which John Nash shared the 1994 Nobel Memorial Prize in Economic Sciences: when every participant pursues only its own interest, the resulting equilibrium can leave everyone involved worse off than cooperation would. That is what is happening in the market for new protections. When security vendors routinely sow distrust about competing solutions, organizations grow skeptical of the claims and benefits of the entire sector.

Proving a Negative

Demonstrating protection functionality objectively requires proving a negative: that the system cannot be violated. Proving a negative is hard in general, and harder still in security, where there are innumerable threats with new twists evolving daily. The problem is exacerbated by a lack of consistency on the part of security reviewers and ratings providers. In the absence of a universally accepted testing framework, even relative rankings cannot help users distinguish among new offerings that claim to raise the level of protection.

The results of this are bad for everyone concerned. Organizations react by retrenching and deploying more of what they know, while delaying or rejecting the adoption of newer protection technology. When this happens, vendors lose time and new customers, while buyers lose the opportunity to acquire much-needed new defenses.

Supporting an Incremental Approach

The solution is for security providers to communicate clearly about the specific added protections that they provide. It may be defense against a new type of attack, a monitoring platform that can synthesize new messaging types or something completely different. Providing clarity offers the opportunity for a more beneficial security equilibrium because buyers can make decisions about their own needs for a mix of technologies without the disruption and second guessing associated with more confrontational messaging. This is in keeping with well-established security dogma, which has always maintained that there are no silver bullets and that no single solution will ever provide 100 percent security.

Overtaxed security administrators also benefit from this candor. Wholesale migration to a new platform requires the retraining of existing staff, new resources added during the course of the migration and the reimagining of existing processes to integrate a new set of capabilities. Once completed, this level of change will usually require rewrites of control and audit documentation to describe the new solution.

Efficient improvement of protection limits itself to just that: improving existing protections. In this model, additional protections, or areas of increased investment, are integrated into existing processes and frameworks wherever possible, minimizing the disruption and retraining chaos that can accompany full replacement strategies.

A New Era of Openness

In the IBM Security App Exchange, additional collaborative security functionality can be added, ranging from endpoint protection to visualization and incident response. This type of incremental protection scheme allows a chronically understaffed security team to prioritize and improve protection at a pace consistent with the rest of its responsibilities.

This requires buyers to demand, and vendors to provide, a concise view of their incremental value and the value of their solutions in an integrated platform of the buyer’s choosing. In time, that will naturally consist of multiple approaches and should leverage analytics derived from information provided by disparate vendors. It will also require additional openness and clarity from vendors, but there is a unique opportunity to improve security and security adoption without unnecessarily calling into question years of previous security decisions and investments.
