Also read: Latest MITRE Endpoint Security Results Show Some Familiar Names on Top<\/a><\/p>\n\n\n\n Those dynamics create an “information asymmetry,” where vendors know their product and its strengths and weaknesses, but buyers don’t have the time or information to understand all their options.<\/p>\n\n\n\n “This information asymmetry is the classic market for lemons, as described by George Akerlof in 1970,” said Hubback. “A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can’t properly evaluate what they’re buying.”<\/p>\n\n\n\n Panelist Greg Rattway, a former JP Morgan Chase managing director and co-founder of cyber risk management firm Next Peak, took issue with the term “lemons.”<\/p>\n\n\n\n “Vendors are not trying to develop lemons,” Rattway said, “but the challenge is trying to develop a tool that will do the things that marketing says you have to market aggressively, and therefore the claims for the tools and the technologies are so dramatic, but the complexity of the environment almost makes it impossible for development of a single technology or tool that will actually solve problems in a complex environment.”<\/p>\n\n\n\n Grace Cassy, co-founder of the CyLon cybersecurity startup accelerator, and a number of others agreed that the complexity of IT environments makes the challenge for product development teams – and buyers – even greater.<\/p>\n\n\n\n “It’s hard to generalize from a test environment,” Cassy said. “What works in a test environment might not in another environment.”<\/p>\n\n\n\n One audience member said a network of peers can be helpful forbuyers – but his network discusses use cases a product is effective for rather than generalizing product opinions.<\/p>\n\n\n\n And with marketing and sales budgets far outweighing product development budgets, some said vendors might even welcome pressure from buyers to be less focused on financial results and more focused on product development.<\/p>\n\n\n\n Also read: Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR<\/a><\/p>\n\n\n\n Two-thirds of the security pros interviewed by Hubback said cybersecurity buyers need to do better too. Part of that is organizing and placing demands on vendors.<\/p>\n\n\n\n To that effect, Hubback, Cassy, Rattway, and University of Oxford government professor Ciaran Martin – the founding head of the UK National Cyber Security Centre – discussed efforts to develop the Buyer’s Charter for SAFER cybersecurity, dubbed “a vital next step to address the market failings.”<\/p>\n\n\n\n SAFER stands for:<\/p>\n\n\n\n Hubback said the group is essentially proposing something similar to GSMA’s role in setting telecom standards, “a demonstration of ability.” He invited RSA attendees to join the group’s efforts.<\/p>\n\n\n\n See the Top Cybersecurity Companies for 2022<\/a><\/p>\n\n\n\n Hubback said cybersecurity product efficacy depends on four things: capability, practicality, quality and provenance.<\/p>\n\n\n\n “Now clearly there are some efficacy measures like, is it in the Magic Quadrant, or do all the other CISOs who I text say that this works?” Hubback said.<\/p>\n\n\n\n But he noted: “As an industry, it’s quite interesting that we don’t really have a structured way of doing it today, so this is one of the things we’re sharing from this research is a proposed view of how to define the efficacy of security technologies.”<\/p>\n\n\n\n Read next: Top Endpoint Detection & Response (EDR) Solutions<\/a><\/p>\n\n\nA ‘Market for Lemons’<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/cybersecurity-information-asymmetry-1024x458.jpg\")
Buyers Need to Improve Too<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/SAFER-cybersecurity-charter-1024x477.jpg\")
<\/figure>\n\n\n\nDefining Cybersecurity Product Efficacy<\/h2>\n\n\n\n
![\"\"](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/06\/cybersecurity-efficacy-1024x377.jpg\")
<\/figure>\n\n\n\n