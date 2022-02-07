

There are plenty of qualities that make the world of cybersecurity pretty unique: The massive stakes and complexity, the global scope, the fact that it literally keeps going 24/7/365. Just to name a few. And today, security touches basically everyone, and is there almost everywhere you turn — whether it’s the current geopolitical conflict or the account password you keep forgetting.

There’s another quality that is particular to cybersecurity, too, but it doesn’t get talked about as much, says security industry veteran Mike Murray. For many reasons, security products are very different from the products that other industries offer — even other tech sectors.

The key difference is that security products are extremely difficult—maybe even impossible—for outside parties to assess and validate, according to Murray, formerly chief security officer at Lookout and now cofounder and CEO of Scope Security.

While security products are no doubt essential to the battle against cybercriminals and nation-state hackers, the fuzziness around measuring these products can enable dishonesty among cyber vendors, he said.

And often, it does: The cybersecurity industry, in fact, “proliferates charlatans,” Murray said in a thread on Twitter last week.

“Security is one of the few markets where information asymmetry rewards vendors who lie to their buyers,” Murray tweeted.

Marketing over substance

Murray said he’s seen this first-hand, including during his time as CSO at mobile security vendor Lookout. In August 2016, Lookout and the Citizen Lab at the University of Toronto published their stunning report on NSO Group’s Pegasus malware, exposing the spyware publicly for the first time.

At that point, “we were the only ones who truly knew the [indicators of compromise] that worked,” Murray tweeted. “Yet, within 24 hours of our report, every single one of our competitors had told their customers and prospects that they would detect the attack.”

Of course, “if you were a customer, the only way to know this was to have a copy of Pegasus lying around,” he said.

Unverifiable claims

For a more generic example, consider tools for endpoint detection and response (EDR): If a vendor claims that its EDR product can detect all known forms of ransomware, the claim is “fundamentally unverifiable,” Murray said.

“Very few enterprise security teams are sitting on a cache of recent weaponized malware,” he said on Twitter. “In most cases, the only people who could truly validate the claim are the attacker and the vendor themselves.”

And if the security vendor knows that their product doesn’t work, they probably don’t have to worry about getting caught any time soon, according to Murray. The thing to keep in mind about security is that it’s “all about the detection of rare events,” he said in an email to VentureBeat.

“Which means that consequences can take a long time to manifest,” Murray said. “If an organization gets hit by ransomware once every five years, it means that a product that claims to detect ransomware — but doesn’t — can run for a long time before the customer knows that the vendor misled them.”

One responder on Twitter noted that if you’re using an EDR tool, by design it’s only going to tell you about the threats that it can find. “But I want to know about the ones it can’t,” the security professional tweeted.

Addressing this challenge

The bottom line is that it’s extremely challenging for buyers to know for certain if security products actually do what they say, both before—and even long after—they buy, Murray said.

Can anything be done about the problem? Yes and no. For one thing, buyers of security products certainly are better off if they’re aware of this dynamic, Murray said. And many are not.

“Most people don’t understand it because most products don’t have this problem,” Murray said in the email. “If you’re buying Microsoft Office, Salesforce, AWS or most other technology products, you as a buyer can evaluate whether the product works as advertised.”

And that makes many technology buyers “prone to think that security products will work the same way—and that when they say, ‘my product stops all zero-days’ (which is an impossible claim), that it’s as true as when Microsoft says, ‘you can export a Word document to PDF,’” Murray said. “They’re not at all the same thing, and more people need to know why.”

Evaluating trustworthiness

But is there a “solution” to the problem? Probably not — at least not a complete solution.

“I don’t know that we can ever evade this dynamic, but the good news is that in my experience, being shady (eventually) catches up to you. And the folks that stick around across multiple years know who we can trust and who we can’t,” Murray said on Twitter. “Most of us who survive for decades in the industry get an incredible intuitive understanding of economic signaling. That is, we learn to take indicators of trustworthiness and use them to extrapolate on the rest of the vendors’ claims.”

In his email to VentureBeat, Murray explained further about the “indicators of trustworthiness” he looks for in the security market.

“Folks who have been in the industry for a long time get really good at interpreting small inconsistencies in vendor marketing and sales pitches,” he said.

That is, if a security product seems too good to be true — or the vendor makes even a small mis-step in the way they present information or claims — that “can be an indicator that more investigation of the vendor is required,” Murray said.

Additionally, “security folks also are very good at doing back-channel references and talking about vendors behind the scenes,” he said. “Once a vendor gets known to not deliver on their claims, it can spread pretty quickly among the people who talk.”

Educated buyers wanted

Murray noted that while he himself is a vendor CEO, he’s also had stints on the buyer side. “I have lived this for my whole career,” he said.

Ultimately, “I believe that educated buyers make the best customers,” Murray said. “If we’re all smarter, the industry will improve and the vendors who do things the right way will be rewarded.”

Murray added that he’s “entirely happy if Scope’s customers hold us accountable for the claims we make.”

“I have been in their chair, and I believe in the Golden Rule: I try to ensure that Scope and our team acts toward our customers the way I would want to be treated by my vendors if I were the CISO of the same customer,” he said.

