Why there are so many cybersecurity vendors and where do we go from here (ventureinsecurity.net)
47 points by jc_811 on July 6, 2023 | hide | past | favorite | 58 comments



Because the people with purchasing authority know nothing about security, they are unable to distinguish real, good security practices and products from defective, over-hyped, and/or pointless "security" products constantly shilled at them.

In other words, "cybersecurity" is a "Market for Lemons": https://en.wikipedia.org/wiki/Market_for_lemons

   A lemon market will be produced by the following:

   1. Asymmetry of information, in which no buyers can accurately assess the value of a product through examination before sale is made and all sellers can more accurately assess the value of a product prior to sale
   2. An incentive exists for the seller to pass off a low-quality product as a higher-quality one
   3. Sellers have no credible disclosure technology (sellers with a great car have no way to disclose this credibly to buyers)
   4. Either a continuum of seller qualities exists or the average seller type is sufficiently low (buyers are sufficiently pessimistic about the seller's quality)
   5. Deficiency of effective public quality assurances (by reputation or regulation and/or of effective guarantees/warranties)


I think it's a bit more complicated than not knowing anything about security. It's more that security spans most other disciplines and security companies tend to focus on a subsection. Understanding whether a technology fits your use case and is effective often leads to long PoCs or trusting analysts, costing you time and/or money. Fun fact: most analyst firms like Gartner rarely touch a product and rely on the vendors to answer questions and send demos. It's very much a market for lemons because it's hard to actually test vendors' claims without a significant investment.


No, they do not know anything about security. Find me a CISO or VP of engineering that will dare to openly claim they can protect against a hacker/red team with $10M and would accept a challenge proving that. Frankly, I doubt you could even find one at $1M, let alone $10M as most Fortune 500 CISOs my colleagues and I have talked with usually peg the number at closer to $100K. Attackers with literal chump change like $10M are viewed as impossible threats, it is ridiculous. The entire commercial IT industry is systemically incompetent by multiple orders of magnitude with respect to actual software security.


Why would anyone who knows security make that claim? There's so much more than just software security. Even if you secured every bit of code your company wrote, that wouldn't make you secure. How much does solving for every OWASP top 10 vuln help when only 10% of your product is software your devs wrote? What about the open source libraries or non-software parts of the business? You can't run a company without using some amount of 3rd party software or having at least a few employees that need to communicate using chat or email. While I'd agree there's a lot of incompetence out there, I think the problem is much harder because there are a lot of variables out of your control. Now we're back at the original problem of how do I try to control for people and vendors I have to work with, and there's a huge imbalance of information.


If your dependencies are out of your control then you are incompetent at security, full stop. Wrangling your dependencies and inputs is security and engineering 101. You will not get meaningful security without doing so. Being unable to do a critical part of the job because it is hard is textbook incompetence.

Everybody everywhere in software being totally slipshod on these elementary practices is a big part of why there is no meaningful security anywhere.


Agreed. There is a reason OWASP's top 10 barely ever changes, source: https://medium.com/digitalfrontiers/changes-in-owasp-top-10-...


The purchasers increasingly have the knowledge, but not necessarily the budget. Those who have the budget can justify implementing in-house.


My startup idea is cybersecurity software that does literally nothing. My competitive advantage would be speed, ease of use, low attack surface area, and perfect false positive rate.


I'm sorry to tell you, but it would fail. Being too fast would preclude creating attachment through the sunk costs required to run it. The ease of use would let users quickly determine that the software can't do what they want. The low attack surface would avoid necessitating widespread organizational buy in. And the zero false positive rate would mean that it wouldn't move the needle on any metrics.


Haha, CSOs love to talk about how they blocked 3 million hacking attempts.

In what amounts to tallying up dropped ICMP packets.


A long time ago at a previous job, I had to report monthly on metrics relating to firewall deny events. I got an angry phone call to my desk phone from an executive, demanding to know why firewall deny events were down 10% in the previous month. Their tone changed when I mentioned the month in question was February, which conveniently is about 10% shorter than January.


That's not far off from a pew pew map[0]. Maybe you could start the first pure-play, best-in-breed security visualization company with AI-enabled[1] executive dashboards[2].

0 - https://www.csoonline.com/article/562681/8-top-cyber-attack-...

1 - disclaimer: not actually AI enabled

2 - pew pew map


It's called Cyber Ranges.

SafeBreach, SimSpace, and Cymulate do similar stuff.

That said, there is value to this (testing security policies before pushing to enforcement)


No, not really. Cyber ranges are a very distinct concept/product category from threat visualization maps like you might see here: https://livethreatmap.radware.com/ or here: https://isc.sans.edu/data/threatmap.html

Cyber Ranges (and pew pew maps) are also very different from control validation tools like Cymulate or Safe Breach…


Fair enough! I skimmed the comment and didn't read the entire thing. It's also not the segment I specialize in within the space.


It's all checkbox driven development. I'm a PM in the space and it's all snake oil. At least we have amazing ACVs compared to other B2B sectors and a captive market.

F** Gartner and Forrester for forcing us to concentrate on this instead of actually solving problems


Sure, but there are SOME that aren't selling snake oil. I'm invested in one of them. But yeah, most are. I guess the interesting question for me is how long does it take for the real wheat to stand out from the chaff.


Honestly, I think the wheat becomes chaff.

You might have an amazing product that solves a relevant security issue but Enterprise sales cycles and checkbox driven procurement force you to incorporate half baked features in order to capture the next fad.

Look at the XDR hype train 3 years ago, ZTNA 2 years ago, and the whole CNAPP/CASB/CSPM buzzword BS.

Tbf, I am being a bit dramatic about it, but I feel the split persona sales cycles we're forced to deal with incentivize checkbox driven development.


Such is as it's always been. A few years ago, I worked for a B2B enterprise data security firm. We didn't sell snake oil at all -- but our customers were so used to hearing snake oil salesmen talk that they had very odd demands that didn't improve their security. And in some cases, reduced it.

Dealing with those expectations was always an issue.


Agreed! I was a bit dramatic with the whole "snake oil" statement, but managing buyer expectations and competitive pressures is definitely a grating experience.


That is what they all say.

So how much would it cost to hire a hacker to breach a system deploying their solution?

I bet you if you asked their VP of engineering: “If I had one skilled hacker and a year, are there any non-trivial customer deployments that could stop me?”, the answer would either be a resounding no, or they would not be able to point to a single shred of evidence supporting their assertion, like a red team exercise with those parameters.

Extraordinary claims require extraordinary evidence.


I work at one vendor currently and have worked at a few prior. The difference is astounding - my previous gigs, including one of the biggest vendors ever, were exactly as you said. My current gig is exactly the opposite - strong focus on real security insights and value, none of the box-ticking bs, and a great roadmap. It is rare, but when everyone at the org, and especially the product side, really knows how attacks play out - you can make a real impact on the world.


Okay, but how much would it cost to hire a hacker or red team to breach your systems? Is it more or less than $10M? If I had one competent hacker and a year do you think you could stop me? How about three people and a year?


It's not all snake oil, but box checking is snake oil.


Yep, and the sales cycles and personas we target force us into incorporating features or messaging due to checkboxes.


Between tax software and security software, I really need to shift careers into something so boring and bureaucratic that all I do every day is stamp my seal on random requirements documents that meet some qualification. Imagine working at Avatax and just getting money hand over foot because the US can't make a decent tax code system.


The proliferation of security vendors is similar to the proliferation of weight loss clinics and gyms. There are plenty of fads, with new businesses popping up to either chase or create the interest. The people buying these services desperately want something which can plug into their existing habits without significant changes.

Similarly, the solutions for cybersecurity are simple but not easy. It involves operational and administrative discipline. Businesses which lack this discipline collide with security problems and spend a great deal of money downstream of this problem. Vendors sell what businesses want to buy, not necessarily what is most effective.


>Where do we go from here?

Take a step back, and look at history. It should be unsurprising that the problem was encountered, studied[0] and solved, decades ago.

During the Vietnam conflict, the Air Force needed to plan missions with multiple levels of classified data. This couldn't be done with the systems of that era. This resulted in research and development of multi-level security, the Bell-LaPadula model[2], and capability-based security[1].

Conceptually, it's elegant, and requires almost no changes in user behavior while solving entire classes of problems with minimal code changes. It's a matter of changing the default from all access to no access, all the way down to the kernel.

Life without it is like trying to run a modern electrical grid without any circuit breakers, anywhere, ever.

Getting rid of virus scanners alone should be worth the platform switching costs, at least in terms of performance for most users.

[0] https://csrc.nist.rip/publications/history/ande72.pdf

[1] https://en.wikipedia.org/wiki/Capability-based_security

[2] https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model
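To make the "default from all access to no access" point concrete, here is an added example (not the commenter's code, nor any real system's) of the two Bell-LaPadula rules applied to a constructed mission-planning scenario: clearance levels and compartments form a lattice, and an access is allowed only when a rule explicitly permits it, so incomparable labels and unknown access modes fall through to denial.

```python
"""Bell-LaPadula (BLP) mandatory access control: default deny, no read up, no write down."""
from dataclasses import dataclass
from typing import FrozenSet

# Hierarchical clearance levels; the integer gives the ordering.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a level plus a set of need-to-know compartments."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance is the partial order of the BLP lattice: higher-or-equal
        # level AND a superset of compartments. Labels with disjoint
        # compartments are incomparable, so neither dominates the other.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def check_access(subject: Label, obj: Label, mode: str) -> bool:
    """Return True only when a BLP rule explicitly permits the access.

    The default is no access: an unknown mode, or a pair of labels that
    satisfies neither rule, is denied.
    """
    if mode == "read":
        # Simple security property ("no read up"): the subject's clearance
        # must dominate the object's classification.
        return subject.dominates(obj)
    if mode == "write":
        # *-property ("no write down"): the object must dominate the subject,
        # so data only flows to an equal or higher label. This is the rule
        # that stops a SECRET process leaking into an UNCLASSIFIED file.
        return obj.dominates(subject)
    return False


def permitted(subject: Label, objects: dict) -> dict:
    """Map each named object to the set of modes the subject may use on it."""
    return {name: {m for m in ("read", "write") if check_access(subject, label, m)}
            for name, label in objects.items()}


# Constructed sample scenario (hypothetical, not from any real system): a
# planner cleared SECRET for the MISSION compartment, and four objects.
PLANNER = Label("SECRET", frozenset({"MISSION"}))
OBJECTS = {
    "ts_target_list": Label("TOP_SECRET", frozenset({"MISSION"})),
    "secret_flight_plan": Label("SECRET", frozenset({"MISSION"})),
    "unclass_weather": Label("UNCLASSIFIED"),
    "secret_nuclear_memo": Label("SECRET", frozenset({"NUCLEAR"})),
}

if __name__ == "__main__":
    for name, modes in permitted(PLANNER, OBJECTS).items():
        print(f"{name:22s} {sorted(modes) or 'NO ACCESS'}")
```

The planner may read the weather but not write to it, may write (but not read) the TOP_SECRET list, and gets no access at all to the NUCLEAR memo, even though it sits at the same level, because the labels are incomparable.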


The difference between theory and practice is that in theory there is no difference, but in practice - there is.

So far, every "provably secure design" I've seen ended up being insecure in practice due to the things people abstract away.

I'm not saying it's impossible, but I have not seen it done perfectly thus far.

We've seen more success by having many many iterations and widespread usage of common designs and patterns. These are not perfectly secure by any means, but they are secure enough against common threats to make it functionally equivalent until we figure it out.


I agree with all you've said.

I just feel that our proven insecure system, with default authority, is a really bad foundation to have settled upon. We couldn't have picked a worse default.


Okay, name the "provably secure designs" that were actually proven and validated by a competent security standard such as the Orange Book Level A or Common Criteria EAL 6/7 that turned out to be insecure in practice.

Most people who say that point to designs that were never proven and never validated against anything meaningful, but I am open to seeing an actual example.


Cool talk to watch:

Guarding Against Physical Attacks: The Xbox One Story — Tony Chen, Microsoft

https://www.youtube.com/watch?v=U7VwtOrwceo


AV is a very small part of the Cybersecurity space.


It's a gross industry designed to milk big dollars out of clueless customers. Listening to these 'security experts' talk makes my eyes roll so hard that I'm afraid they'll get stuck in the back of my head.


Most times, you would get ten times the value by taking the money you would spend on these tools, hiring a security engineering department, and letting them build you tools backed by open source software.


What logic did you use to come up with that statement?

Tools like Nessus and Burpsuite Pro cost around 6-8k/year.

Good luck hiring a security engineering department on an 8k/year budget that will build and maintain tools of similar quality lol.


Tools like Nessus and Burpsuite Pro are not the ones I'm talking about.

Go take a look at the CSPM or CASB or CNAPP space and check the costs on some of these tools.


Those aren't cheap, but rolling your own usually isn't any cheaper. Even huge enterprises usually buy instead of build because it's cheaper in both the short and long run.

Think about most managed cloud services - you could deploy your own SQL servers on EC2, configure replication, fail-over, backups, security patching, log collection, observability, etc. - but you'll end up paying a lot for engineers to build, maintain and monitor that solution compared to just spinning up one of the ready made offerings by AWS. It might be cheaper to do if you have a ton of RDS, but it really has to be a huge huge volume, and even then, AWS will probably find a way to discount your bills to make it still better...


Perhaps I was too cavalier in my original comment, but when I said building tools built on open source software, I meant leveraging things like Matano (matano.dev). So you’re not writing everything from scratch but you are responsible for wiring everything up to fit your environment.

And you’re right, it’s not going to be a universal truth - there will probably be some tool you end up buying. But I’d like to have a security engineering team that is forging something that will fit my organization like a glove instead of us trying to bend over backwards to make some big off the shelf tool fit with all of its features.


If those security engineers are even remotely qualified for their jobs they will not build their own tools.


crazy statement, probably crypto(graphy) related?


There is also another issue with cybersecurity vendors that this article doesn't touch on, and that's in the area of cloud security where many of them started targeting a specific use case or set of use cases, and have slowly expanded to overlap with other vendors who were not previously competitors. It's not good enough for a tool to just be used for Cloud Security Posture Management (CSPM) - it also has to do CI/CD security stuff and workload protection. And it happens from the other direction, too - previous image scanning and DevOps-y tools are now adding detection and alerting capabilities for your cloud provider's control plane.

There is going to be a lot of tool consolidation at most organizations coming in the next few years.


> There is going to be a lot of tool consolidation at most organizations coming in the next few years.

Already happening where I work - multiple security tools being phased out because of tools that do everything now.


Too many people do too much. I would rather pay 10 vendors a few K per year than get sucked into one vendor one tool suite. Let people focus dammit.


For enterprises, it's hard to have a ton of different tools. I worked at a very large software company, and our security tech stack was so big and convoluted that just maintaining a compliant CI/CD pipeline was a 5 person job, because there are ~20 different tools to integrate and debug, and each of those changes every year or two, so you're constantly re-learning, re-integrating, debugging, etc. Having a single (or just a couple) vendor(s) sounds like a dream!


I'm curious on what keeps the prices for these products so high. You'd think with the kind of competition this industry has (all providing the same type of functionality, kinda), you'd see more of a race to the bottom. But when you go to quote, you start seeing a really bizarre pattern where it's almost the same price per feature across the board. I'm not saying it's price fixing, but something's not right here.


My sense is "you get what you pay for" logic applies here and naturally the vendors will exploit this. I also imagine the internal negotiation between whoever wants to purchase the software and the bean counters inevitably includes "sure it's a lot, but how much would a data breach cost us?"


If you’re selling snake oil you don’t want your oil cheaper than others’ or it’s obviously snake oil.

So you end up all on a line (costing more would be ridiculous, of course).


We prefer to target F1000/enterprise markets. The ACV is quite high and VCs often require this.

Channel sales/VARs are used to target much more price conscious buyers.


fear


GitHub Advanced Security is so expensive. I can’t see the benefit considering we have a SonarCloud instance which is 1/3 of the cost. All our credentials are stored in vaults or IaC, so one of their main selling features we don’t need.

Whenever there’s a sales team in front of a service it seems like the service isn’t worth the cost.


> Why there are so many cybersecurity vendors ..

Because the innovators still cannot design a “computer” that can't be compromised by opening a malicious email attachment or clicking on a malicious URL.


Boom time for snake oil


More like bust given what I’m hearing from folks working in the sector.


Isn't this indicative of the cybersecurity market's immaturity? Naturally with overlap there will be consolidation.

HBR indicates it takes 25 years for markets to mature.[1]

[1] https://hbr.org/2002/12/the-consolidation-curve


I wonder if there is an in here for open source? At least parts of the solution?

The problem seems very much to be a data problem, and a code quality problem. Maybe OSS could help with the latter at least?


I thought that some of these tools had a lot of open source components (look at https://github.com/aquasecurity for example) but they can still charge lots of money because it's yet another service that a company doesn't want to host/configure/maintain themselves.


All these tools seem to have terrible quality as well. I am not even qualified to speak on their security features, but they all seem to feature poor, opaque performance. Maybe it's just a symptom of all enterprise software?



