The challenge with proof-of-concepts (PoCs) for cybersecurity solutions is that they primarily tell chief information security officers (CISOs) and their teams that a product will be quick to integrate and has a strong user interface. These things are easy to measure. But whether the solution actually works, in the sense of defeating attacks and reducing risk, is a much harder capability to assess. Unfortunately, when a product that sailed through its PoC fails to prevent a compromise, the CISO is too often the one left answering for it after a crippling attack.
Why do PoCs fall short? Because the cost of in-depth testing remains prohibitive for many organizations. Cybersecurity vendors take full advantage, since they have no incentive to measure anything beyond user interface and ease of integration. That is why it is past time to tear down and rebuild how we conduct solution evaluations.
Note the use of the word "we" here. We are doomed to continue spinning our wheels unless we unite as an industry.
While vendors have introduced some notable initiatives, such as NetSecOpen, the industry cannot rely solely on vendors to provide a plan or framework for a more standardized approach to assessing and then testing new solutions. Enterprises must take the lead if we want to see real change. Now more than ever, with COVID-19 reshaping how we operate, we need an industry consortium that empowers enterprises to assess products more rigorously, especially those organizations that lack the margins to run effective PoCs on their own.
In some cases, a logical first step is to rely on assessments that governments have already carried out. But there are significant differences between governments and commercial entities, and it is not always clear that their security requirements are the same. In addition, each government has its own approach and opinion, which is a real challenge for global enterprises operating under several of them at once.
A Fragmented Market
The cybersecurity solutions and services market has grown increasingly fragmented, and the beleaguered CISO is under immense pressure to demonstrate ROI. A consortium, one that brings together multiple buyers of a tool to collaborate on establishing its true value before purchase and implementation, therefore becomes critical. The consortium would go a long way toward resolving the cost problem, as member companies would pool their PoC budgets to fund more thorough white-box and black-box testing than any one of them could afford alone.
It is true that these businesses compete against each other in the marketplace. But they are also peers. It is vastly better to collaborate with peers, competitors included, to learn what is currently unknown before spending countless dollars on a tool that could very well fail them in short order. Besides, no consortium member would gain a competitive edge over another by combining resources for testing; everyone is on an even playing field.
For this to work, the participating organizations must make independent testers an indispensable component. The testers would serve as unquestioned truth-seekers with no skin in the game. They are strictly the "home inspectors" here, neither the buyers nor the sellers of the house.
As for methodology, independent testers must confirm that products protect against both existing threats and future, as-yet-unknown ones. They should require vendors to disclose complete details of their designs, implementation, and engineering practices, without allowing them to hide behind "commercial confidentiality" as a means of avoiding disclosure. A product whose security depends on its design staying secret has not been shown to be secure at all; it has only been shown to be unexamined.
Intensive Assessments and Reviews
With this level of disclosure, testers can conduct intensive assessments of detailed design and implementation documentation, along with source code reviews. They can then proceed to comprehensive white-box testing against known attacks, as well as against potential future ones, on the assumption that attackers will eventually be armed with full knowledge of the design and implementation. Of course, testing this extensive is an expensive proposition. But, again, consortium members would share the cost burden by pooling their available funding.
What's more, should this level of evaluation become the norm, it will force vendors to change on their own. In the interest of survival, they will budget for far more rigorous internal vetting of what they intend to bring to market.
Enterprises and their CISOs are juggling a broad spectrum of cyber-risk mitigation activities and operational issues that leave little attention for the product assessment and testing options available to them. Enterprises with like-minded goals can trust each other to determine the testing they collectively require. Power in numbers and a bigger pool of dollars will enable the consortium approach to drive real change.
We cannot delay. The current state of PoC processes, product assessment, and testing does not tell us enough of what we need to know. But by committing to a consortium with independent testing to determine true value, we force vendors to ensure their products do what they say they do, or risk extinction.