6 Minute Read.Let us start with some brief definitions to get us all on the same page. Firstly – what is meant by the term “market failure”? A textbook description would be something that articulated the “inefficient distribution of goods and services in a free market”
. But how do we decide whether the distribution is inefficient or not? Perhaps, let us look at how “efficient” is described first, then work backwards. An efficient market would probably display a scenario where goods and services are distributed, priced and made, in a manner which can not be improved upon, with the amount of waste minimised.
This requires analysing two distinct parties – the consumer of the good and the maker of the good. The consumer wants to purchase at the lowest price, that maximises their “utility” or satisfaction. The maker on the other hand, wants to maximise profits whilst simultaneously minimising costs.
If we start looking at the “good”, as the manufacturing and procurement of cyber security software, services and consulting, are we confident we are operating at maximum efficiency? I would argue we are not. I am going to pick five high level topics in which to dig a little deeper.
1) Labour Shortages
The 2019 ISC2 Cyber Workforce Study
, identified a staggering 4.07 million unfilled cyber security positions – up from 2.93 million in 2018. The report highlighted this as a global problem too – with APAC sitting on a 2.6 million backlog of unfilled roles. There are probably numerous other reports and Google search nuggets, to back up the claim, that cyber security is one of the toughest skill sets
to recruit for within technology in 2020.
But what does this prove? Mismatches in labour demand and supply are common in numerous professions – medical doctors being an obvious one. An excess in demand over supply can obviously create wage inflation
, amongst other inefficiencies, but what about triggers from the supply side?
causes of labour market imperfection are many – but some seem to easily apply to cyber. The inelastic
supply of suitable candidates is a good starting place.
|In-elasticity of the supply of cyber security candidates
In this basic example, the supply of cyber candidates is described as being highly inelastic – for example a change in salary, does not result in a proportional change in the supply of candidates. Why is this? Clearly training has a part to play. Skilled cyber practitioners are likely to require strong computer science, network and infrastructure skills, before being able to embark on more specialised training. This can take many years to obtain, effectively acting like barriers to entry for new and willing candidates.
As with many labour markets, immobility and lack of vacancy information may also hinder skills investment, especially if the candidate is not aware of the potential benefits the long term training can bring. The more common practice of remote working however, is certainly helping to reduce geographical immobility issues which often hamper more traditional industries.
This could be amplified by a lack of consistency surrounding certifications, curriculum and job role descriptions. Only within the last 3 months has the industry seen CyBoK
– the cyber book of knowledge – published. This may go a little way in attempting to formalise training and certification of candidates globally.
An interesting bi product of perceived market failure, is government intervention. External intervention can take many forms and is often used to simulate competition (eg the likes of OfCom
in the UK) where monopolistic or quasi-public sector run industries would not necessarily deliver optimum allocative efficiency if left to their own devices.
I am blurring the line between security and privacy with some of those regulations, but an interesting aspect, is the consumer protection angle of the likes of the GDPR and CCPA. If the market where left to its own devices, the consumer of 3rd party on line goods and services, is not deemed to be protected to a satisfactory level. The regulatory intervention is not to rectify a negative externality
affecting 3rd parties, more to protect the first party user. During the exchange of goods and services to the individual, it seems the requisite level of privacy and security that benefits the group of users as a whole is not utilitarian. A major aim the current cyber legislation is trying to achieve, is to overcome the information asymmetries
that exist when a user signs up for a service or makes an online purchase or interaction.
With respect to consumer privacy, a concept of information asymmetry known as adverse selection
may exist – where the buyer is not fully aware of the use and value of their personal data in relation to the supplier of a good or service, who may use their data in ways not fully understood or even disclosed to the user.
The likes of the NIS directive, seems more focused upon reducing the impact of an externality – basically a negative impact to a wider group of users. Perhaps, due to a data breach, service disruption or degradation, that may have occurred due to a lack of cyber security controls. A simple example could be the lack of power generation to an entire town if a nuclear power station is knocked offline due to a malware attack.
3) Product Hyper Augmentation
The cyber security market is broad, complex and ever evolving. The number of product categories grows daily. Gartner has at least 20 security related magic quadrants
. CISO’s and CIO’s have to make incredibly complex decisions regarding product and service procurement.
Certainly, there is another set of information asymmetries at play here, but those are likely to exist in other complex software markets. With respect to cyber, there seems to an accelerated augmentation of features and messaging. When does a next generation web application firewall become a dedicated API security gateway? When does a security orchestration automation and response platform become an integrated event driven identity and access management workflow? Is there space for such niche upon niches, or are we entering a phase of largely merged and consolidated markets, where buyer procurement decision making is simply based on non-features such as brand affiliation and procurement ease?
|Product direction via vertical and horizontal augmentation
Many mature markets often reach a position where suppliers augment products to a position of mediocrity and consumer apathy and confusion. Youngme Moon from Harvard Business School articulates this concept extremely well in her book Different – which focuses on competitive strategies. It seems the market for cyber security products especially (maybe less so for services and consultancy) is rapidly moving to a position, where core products are being blurred via augmentation, add on services and proprietary market descriptions. This is creating difficulties when it comes to calculating product purchase versus return on investment reporting.
4) Breach Increase
A continuation of the purchase/RoI analysis pattern, is to analyse what “success” looks like for numerous cyber investments. Whether those investments are people, process or technology related, most procurement decisions, end up being mapped to a success criteria. Value for money. Return on Investment. Call it what you will, but many organisations will look to describe what success looks like when it comes to security investments.
Is it a reduction in data breaches? Is it having fewer installed products with known CVE (common vulnerability & exposures) due to faster patch roll out? Is it having more end users signing up with second factor authentication? This can tie neatly into the controls -v- outcomes discussion where risk, security and privacy management for an organisation needs to identify tangible and SMART (specific measurable assignable realistic time-bound) metrics for implied cyber investment. The ultimate goal of cyber is to support the CIA (confidentiality integrity availability) triad, either singularly or collectively.
A major source of cyber investment success discussion, is associated with data breach trends. There are numerous pieces of data to support the claim, that breaches are increasing. Increasing in volume (from 157 in 2005 to 783 in 2014), breadth and complexity. Many of the articles could admittedly be FUD raised by vendors to accelerate product adoption, but there is no denying the popularity of sites like HaveIBeenPwned, where the number of breached credentials is substantial and increasing. If cyber investment was efficient, shouldn’t these metrics be reducing?
This starts to generate two questions: either buyers are buying and using the wrong products or those products are not providing a decent return on investment.
5) Corporate Information Failure
But are products really to blame? The entire thread of this article, is to discuss market failure points. Information is a key component of effective free market development. Many information barriers seem to exist within the cyber security sector. Think of the following:
- RoI on cyber product investment
- Cost of personal data protection
- The societal impact of critical infrastructure failures
- Risk management success criteria
- Cyber security certification benefit to corporations
There are likely several other angles to take on this, but full information with regards to the upholding of the confidentiality, availability and integrity of data is unlikely to occur. Many private sector organisations have undergone digital transformation over the last 10 years. These “corporation.next” operations, have created new challenges with respect to data protection. Data relating to customers, employees, intellectual property, products, suppliers, transactions and products.
But how do organisations a) know what to protect b) know how to protect it and c) innovate and manage investment strategies with respect to the protection?
There are many strategies used to manage cyber corporate investment. Some are driven by vendor FUD – aka breach threat – right through to modern risk management strategies
, driven by mapping information protection to a higher level corporate strategy.
If the corporate strategy is known and well communicated, it can become easier to overlay information protection decisions, that the business owners are willing to accept, monitor and iterate against. Risk transparency can help to provide a deeper understanding to what investments should be made and whether those investments are personnel, training or product related.
Cyber security is a growing, complex and multi faceted market. Many aspects are emerging, with new vendors, design patterns and attack vectors being created monthly. Other aspects, such as risk management and core protection of critical assets are relatively mature and well understood, in comparison to the computational age.
The investment and usage patterns associated with cyber security technology however, are seemingly plagued with numerous information failures, resulting in complex procurement, skills and personnel misalignment.
A value driven approach is needed, where explicit investment decisions (on both the skills provider, procurer and end user side) are weighed against short and long term returns.