NCSC and industry at odds over how to tackle shoddy software • The Register


05/12/2025


CYBERUK Intervention is required to ensure the security market holds vendors to account for shipping insecure wares, imposing costs on those whose failures lead to cyberattacks and force customers to draft in cleanup crews. The market must properly incentivize vendors to do security better.


That is one of the prevailing messages dished out in recent years by GCHQ's cyber arm, the National Cyber Security Centre (NCSC), at its annual conference. The agency's CTO, Ollie Whitehouse, first pitched the idea during a keynote at last year's event, and once again it was a primary talking point of this week's CYBERUK, but not one that went down well with everyone.

Whitehouse said this week that “the market does not currently support and reward those companies that make that investment and build secure products.” The risks introduced here are then shouldered by customers – companies, governments – rather than the vendors themselves.

“So, we have a non-functional market,” he added.

“When we need to build an ecosystem that’s capable of meeting this modern threat, we have to find ways where we can incentivize those vendors to be rewarded for their hard work, for those that go the extra mile, for those that build the secure technologies which our foundations are going to rely on in the future.

“Those that build secure technology make prosperous companies. They make celebrated companies, and they make successful companies ultimately. Because without that, nothing changes, and we repeat the last 40 years.”

That's the NCSC's line, and one that will most likely resonate with any organization popped by one of the myriad decades-old vulns vendors can't seem to stamp out.

But there is a disconnect between the agency's message and the views of major players elsewhere in the industry. What was first pitched as a necessary play for a more cyber-secure ecosystem has, with the agency's steadfast stance on the matter, become a question of whether or not to intervene at all.

During a panel discussion on the matter, top brass from Vodafone, Mandiant, Sage and the NCSC's counterpart in Canada all contested the idea when asked whether they agree that vendors maximize profits by ignoring security guidance.

“It’s hard to say yes to that,” said Emma Smith, cybersecurity director at Vodafone.

“I’m with Emma,” said Mandiant Consulting’s EMEA managing director Stuart McKenzie. “I don’t agree either.”

"I will add to the list of no, I don't agree," added Bridget Walsh, associate head at the Canadian Centre for Cyber Security, while Sage's EVP and chief risk officer Ben Aung claimed the role of the panel's fence-sitter with: "I wasn't going to agree, but I don't disagree."


McKenzie's take was that customers will ultimately drive vendor change. If they start prioritizing security, that's what vendors will give them. A string of cockups will quickly expose those who don't provide value, and then it becomes a case of having to improve to survive.

He said: “I think there are only some products where I think maybe, you know, they’re a little bit smoke and mirrors, but I think that’s rare, and then it quickly becomes known in the market that they don’t work. So, I don’t agree. I think there’s absolutely a market, and there is a return on investment for security and resilience.”

Likewise, Walsh highlighted that cybersecurity failures are costly for organizations, alluding to the fact that victims of security snafus will certainly weigh the ROI when deciding whether or not to renew certain vendor contracts.

Aung downplayed the idea of the need for improved incentives too, saying “there are certainly organizations out there who are cutting corners knowingly and putting their customers at risk knowingly. But, I think the vast majority are just grappling with [various external factors] and in an arms race at the same time. So I think it’s a complex picture.”

To reward or punish… or both

In Whitehouse’s keynote last year, he pointed to the circa 14 percent increase in known, registered software vulnerabilities (not including those being amassed by nation states) and the decades-old bug classes that keep cropping up in widely used software.

He said there are also extremely high levels of tech debt in organizations, argued that shipping products carrying that debt should be punished, and that vendors should not be able to escape liability through their T&Cs.

These are all valid points. Customers can vote with their feet, as the panel said, but when these issues pervade large portions of the market, with major vendors, not just the few bad apples Aung referenced, routinely having to fix so-called "unforgivable" bugs like directory traversals, how can we not argue that intervention is required?

Whitehouse put forth the idea of perhaps punishing vendors that fall short of expectations, not just incentivizing them to do better, during last year’s CYBERUK, and this was again put on the table this week, with his industry peers once more siding against the CTO’s stance.


McKenzie said he's "not a fan" of the idea. In his view, it goes back to customers eventually abandoning sub-par vendors and, when speaking to The Register, he pointed to historical events that illustrate how the market itself will drive change.

“What we need is we need purchasers of security to prioritize the features and functionalities they want and then incentivize those organizations.

“If you look at someone like CrowdStrike or Microsoft Defender, they did really well in that endpoint marketplace because they provided the most features. There are other things that weren’t as good. They don’t grow.”

With the shift from antivirus to EDR, he argued, the vendors that offer the best products will perform the best.

“I just don’t think that the idea of forcing a market into incentives works because it moves so fast. The advice and guidance we can give can be terrible. I’m much keener on governments producing information on what the right logging sources are, what technologies work, what’s the basic security you should have.”

Offering a more sympathetic view, Walsh said it's a complex situation, one on which it is tough to take a hard line. Vendors must have a clearly codified set of expectations, spelling out exactly what is unforgivable, and that guidance should be set externally. System operators also often bear the brunt of cyber failures, so giving them the right information to enter the procurement process with confidence is also key.

"There certainly is an incentivization to not do it wrong if you get a bad reputation, but there are times when it's a little more subtle," she said. "So, I'll say it's a pretty complex issue, but to me the most important first step is making sure that we identify exactly what are those pieces that are so basic, and if we communicate about those it is more difficult for people to get those wrong."

Like emissions safety officers for the auto market…

It's not as if these expectations haven't been set, though. The NCSC's Cyber Essentials certification scheme is one example of an external authority setting out what is expected of both vendors and customers. A trustmark of sorts already exists, but perhaps these standards must go further, raising the bar so vendors either compete or fall by the wayside.

Parallels can be drawn with the automotive industry. The European NCAP program was introduced in the late 1990s, giving customers an easy way to understand how different manufacturers were performing on safety.

Before that, we had the likes of Volvo scooping up swathes of market share off the back of its reputation for producing safe cars, or German and Japanese brands for their reliability.

Perhaps the same principles could apply to security vendors, all vying for stellar, market-shifting trustworthiness. And then it goes back to purchasers dictating which security vendors end up doing well.

How those principles are enacted or enforced is a question that remains open, however. The secure by design movement, for example, looked to be gathering a head of steam when CISA introduced its pledge last year.

The agency, like many of its global equivalents, pushed for its adoption, but as Aung noted, “it’s a shame that looks like it’s in some flux at the moment.”

He said: “For me, that’s a great direction because real clarity and specificity on the controls and standards they’re expected, a really strong policy narrative that the burden of security should be borne by vendors like Sage on behalf of organizations that may not have the capabilities and skills and resources to manage those risks. 

“So, [we] really bought into that message. And then a pledge that you could sign, I’m sure eventually we would have ways that we could validate or evidence that we were meeting the control standards that underpin secure by design.”

Step up, insurers

Often given a bad rap, primarily for the role they play in facilitating ransom payments, cyber insurance firms hold, like it or not, a significant stake in the security space, and their unique insights into the root causes of attacks can help set the standards for vendors.

Despite these companies' mere existence giving criminals an incentive to target those holding cyber insurance policies, Vodafone's Emma Smith says the questions put to policyholders each year are often informed by threat intelligence gleaned from recent, successful, real-world incidents.

“We’ve got to think about what are the disruptive incentives and effects we can have on attackers as well as the way to make it easier for defenders and for organizations like all of ours. 

“I think insurers drive a baseline based on the questions that they ask of us all and the assurance that they put in place around our organization, so by default they’re driving a baseline of security for organizations that think cyber insurance is important, which I think is probably most organizations these days.”

Concurring, Walsh says the insurance industry has been around for decades and has a wealth of expertise in calculating costs and assessing risk. With that, it can potentially play a significant role in informing defenders where they should be assigning budget to protect against the most damaging attacks facing organizations today.

It's a matter that was met with agreement between industry and the NCSC, a panel first, with Whitehouse linking it to taking out professional indemnity insurance, which many organizations are used to doing. What's stopping cyber insurers from offering similar policies to vendors that ship software, and pricing in how insecure it is?

“And there’s a real question here: Is that a mark of goodness, if someone is willing to take insurance, will the insurers kind of ferret out the bad apples, as it were, in the supply base?” he asked. “So, there’s potential opportunity.”

You heard it here first

Whitehouse committed to taking on the challenge put to him and the NCSC to standardize the expectations of vendors on an international level.

Work is already underway here: the NCSC is working with international partners to define standards and ensure they're adopted by the relevant bodies, though the feeling is that it will take time.

One of the agency’s main launches from the event was its Software Security Code of Practice, a voluntary initiative which it pitched as an answer to Whitehouse’s concerns from CYBERUK 2024 about a lack of market incentives.

The NCSC's aim here is to follow in the footsteps of its AI Cyber Security Code of Practice, launched in January, which sets standards for secure AI development and deployment. Those standards have since been ratified by ETSI, meaning compliance with them should, in theory, weed out the companies that aren't taking security in this space seriously.

We can hope this doesn't run the risk of entering a flux period, as Aung put it, like a certain other voluntary scheme, CISA's aforementioned secure by design pledge. However, given that the NCSC is not under attack by its overseeing government like its Stateside counterpart, plus its recent success with its AI code, the chance of a repeat is lower.

The NCSC's secure software code aims to give vendors the tangible evidence needed to demonstrate their commitment to security, by adhering to the code's minimum standards, which the agency aims to have ratified by international bodies. From there, customers around the world can make more informed security choices, knowing that vendors have been formally assessed on their compliance.

Once standards are adopted by bodies such as NIST, ENISA, and others, they can be written into procurement contracts by the likes of governments and other organizations.

The aim is that these standards do exactly what the panel asked for: provide clarity on what's expected of vendors, an NCAP for secure software, so the Volvos of the tech industry start to face stiffer competition, raising cyber resilience across the world and making life tougher for attackers.

Whitehouse said: “Some of you would have heard me say that… we know more that’s in our sausages than our software, and that’s probably not right for 2025, so the food labelling standards are coming to software soon. You heard it here first.” ®
