5 Indicators of Cyber Security Market Failure

6 Minute Read. By Simon Moffatt.


Let us start with some brief definitions to get us all on the same page. Firstly – what is meant by the term “market failure”? A textbook description would be something that articulated the “inefficient distribution of goods and services in a free market”. But how do we decide whether the distribution is inefficient or not? Perhaps, let us look at how "efficient" is described first, then work backwards.  An efficient market would probably display a scenario where goods and services are distributed, priced and made, in a manner which can not be improved upon, with the amount of waste minimised.

This requires analysing two distinct parties – the consumer of the good and the maker of the good. The consumer wants to purchase at the lowest price, that maximises their “utility” or satisfaction. The maker on the other hand, wants to maximise profits whilst simultaneously minimising costs.

If we start looking at the "good", as the manufacturing and procurement of cyber security software, services and consulting, are we confident we are operating at maximum efficiency? I would argue we are not.  I am going to pick five high level topics in which to dig a little deeper.

1) Labour Shortages

The 2019 ISC2 Cyber Workforce Study, identified a staggering 4.07 million unfilled cyber security positions – up from 2.93 million in 2018. The report highlighted this as a global problem too – with APAC sitting on a 2.6 million backlog of unfilled roles. There are probably numerous other reports and Google search nuggets, to back up the claim, that cyber security is one of the toughest skill sets to recruit for within technology in 2020.

But what does this prove? Mismatches in labour demand and supply are common in numerous professions – medical doctors being an obvious one. An excess in demand over supply can obviously create wage inflation, amongst other inefficiencies, but what about triggers from the supply side?

The classic causes of labour market imperfection are many – but some seem to easily apply to cyber. The inelastic supply of suitable candidates is a good starting place.


In-elasticity of the supply of cyber security candidates

In this basic example, the supply of cyber candidates is described as being highly inelastic – for example a change in salary, does not result in a proportional change in the supply of candidates. Why is this? Clearly training has a part to play. Skilled cyber practitioners are likely to require strong computer science, network and infrastructure skills, before being able to embark on more specialised training. This can take many years to obtain, effectively acting like barriers to entry for new and willing candidates.

As with many labour markets, immobility and lack of vacancy information may also hinder skills investment, especially if the candidate is not aware of the potential benefits the long term training can bring. The more common practice of remote working however, is certainly helping to reduce geographical immobility issues which often hamper more traditional industries.

The cyber security industry is still very much in its infancy too, which can contribute to a lack of repeatable candidate development. Only in 2019, did the UK’s Chartered Institute of Information Security receive its royal warrant. Compare that to the likes of the Soap Makers Company (1638), Needlemakers Company (1656), Coachmakers Company (1677), Fanmakers (1709) and the Royal Medical Society (1773) and there is a palpable level of professional immaturity to understand. 

This could be amplified by a lack of consistency surrounding certifications, curriculum and job role descriptions. Only within the last 3 months has the industry seen CyBoK – the cyber book of knowledge - published. This may go a little way in attempting to formalise training and certification of candidates globally.

2) Regulation

An interesting bi product of perceived market failure, is government intervention. External intervention can take many forms and is often used to simulate competition (eg the likes of OfCom, OfWat or OfRail in the UK) where monopolistic or quasi-public sector run industries would not necessarily deliver optimum allocative efficiency if left to their own devices.

Whilst the cyber security sector is not a monopolistic supplier or employer, it has seen numerous pieces of governmental regulation. A few basic examples in Europe would include the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NIS). In the United States, at a state level at least, the California Consumer Privacy Act (CCPA) came into fruition with further amendments towards the end of 2019.

I am blurring the line between security and privacy with some of those regulations, but an interesting aspect, is the consumer protection angle of the likes of the GDPR and CCPA. If the market where left to its own devices, the consumer of 3rd party on line goods and services, is not deemed to be protected to a satisfactory level. The regulatory intervention is not to rectify a negative externality affecting 3rd parties, more to protect the first party user. During the exchange of goods and services to the individual, it seems the requisite level of privacy and security that benefits the group of users as a whole is not utilitarian. A major aim the current cyber legislation is trying to achieve, is to overcome the information asymmetries that exist when a user signs up for a service or makes an online purchase or interaction.

With respect to consumer privacy, a concept of information asymmetry known as adverse selection may exist - where the buyer is not fully aware of the use and value of their personal data in relation to the supplier of a good or service, who may use their data in ways not fully understood or even disclosed to the user.

The likes of the NIS directive, seems more focused upon reducing the impact of an externality - basically a negative impact to a wider group of users. Perhaps, due to a data breach, service disruption or degradation, that may have occurred due to a lack of cyber security controls. A simple example could be the lack of power generation to an entire town if a nuclear power station is knocked offline due to a malware attack.

3) Product Hyper Augmentation

The cyber security market is broad, complex and ever evolving. The number of product categories grows daily. Gartner has at least 20 security related magic quadrants. CISO's and CIO's have to make incredibly complex decisions regarding product and service procurement.
Certainly, there is another set of information asymmetries at play here, but those are likely to exist in other complex software markets. With respect to cyber, there seems to an accelerated augmentation of features and messaging. When does a next generation web application firewall become a dedicated API security gateway? When does a security orchestration automation and response platform become an integrated event driven identity and access management workflow? Is there space for such niche upon niches, or are we entering a phase of largely merged and consolidated markets, where buyer procurement decision making is simply based on non-features such as brand affiliation and procurement ease?


Product direction via vertical and horizontal augmentation

Many mature markets often reach a position where suppliers augment products to a position of mediocrity and consumer apathy and confusion. Youngme Moon from Harvard Business School articulates this concept extremely well in her book Different - which focuses on competitive strategies. It seems the market for cyber security products especially (maybe less so for services and consultancy) is rapidly moving to a position, where core products are being blurred via augmentation, add on services and proprietary market descriptions. This is creating difficulties when it comes to calculating product purchase versus return on investment reporting.

4) Breach Increase

A continuation of the purchase/RoI analysis pattern, is to analyse what "success" looks like for numerous cyber investments. Whether those investments are people, process or technology related, most procurement decisions, end up being mapped to a success criteria. Value for money. Return on Investment. Call it what you will, but many organisations will look to describe what success looks like when it comes to security investments.

Is it a reduction in data breaches? Is it having fewer installed products with known CVE (common vulnerability & exposures) due to faster patch roll out? Is it having more end users signing up with second factor authentication? This can tie neatly into the controls -v- outcomes discussion where risk, security and privacy management for an organisation needs to identify tangible and SMART (specific measurable assignable realistic time-bound) metrics for implied cyber investment. The ultimate goal of cyber is to support the CIA (confidentiality integrity availability) triad, either singularly or collectively.

A major source of cyber investment success discussion, is associated with data breach trends. There are numerous pieces of data to support the claim, that breaches are increasing. Increasing in volume (from 157 in 2005 to 783 in 2014), breadth and complexity. Many of the articles could admittedly be FUD raised by vendors to accelerate product adoption, but there is no denying the popularity of sites like HaveIBeenPwned, where the number of breached credentials is substantial and increasing. If cyber investment was efficient, shouldn't these metrics be reducing?

This starts to generate two questions: either buyers are buying and using the wrong products or those products are not providing a decent return on investment.

5) Corporate Information Failure

But are products really to blame? The entire thread of this article, is to discuss market failure points. Information is a key component of effective free market development. Many information barriers seem to exist within the cyber security sector. Think of the following:
  • RoI on cyber product investment
  • Cost of personal data protection
  • The societal impact of critical infrastructure failures
  • Risk management success criteria
  • Cyber security certification benefit to corporations
There are likely several other angles to take on this, but full information with regards to the upholding of the confidentiality, availability and integrity of data is unlikely to occur. Many private sector organisations have undergone digital transformation over the last 10 years. These "corporation.next" operations, have created new challenges with respect to data protection. Data relating to customers, employees, intellectual property, products, suppliers, transactions and products.

But how do organisations a) know what to protect b) know how to protect it and c) innovate and manage investment strategies with respect to the protection?

There are many strategies used to manage cyber corporate investment. Some are driven by vendor FUD - aka breach threat - right through to modern risk management strategies, driven by mapping information protection to a higher level corporate strategy. 

If the corporate strategy is known and well communicated, it can become easier to overlay information protection decisions, that the business owners are willing to accept, monitor and iterate against. Risk transparency can help to provide a deeper understanding to what investments should be made and whether those investments are personnel, training or product related.

Summary

Cyber security is a growing, complex and multi faceted market. Many aspects are emerging, with new vendors, design patterns and attack vectors being created monthly. Other aspects, such as risk management and core protection of critical assets are relatively mature and well understood, in comparison to the computational age.

The investment and usage patterns associated with cyber security technology however, are seemingly plagued with numerous information failures, resulting in complex procurement, skills and personnel misalignment.

A value driven approach is needed, where explicit investment decisions (on both the skills provider, procurer and end user side) are weighed against short and long term returns.

5 Indicators of Cyber Security Market Failure

6 Minute Read. By Simon Moffatt.


Let us start with some brief definitions to get us all on the same page. Firstly – what is meant by the term “market failure”? A textbook description would be something that articulated the “inefficient distribution of goods and services in a free market”. But how do we decide whether the distribution is inefficient or not? Perhaps, let us look at how "efficient" is described first, then work backwards.  An efficient market would probably display a scenario where goods and services are distributed, priced and made, in a manner which can not be improved upon, with the amount of waste minimised.

This requires analysing two distinct parties – the consumer of the good and the maker of the good. The consumer wants to purchase at the lowest price, that maximises their “utility” or satisfaction. The maker on the other hand, wants to maximise profits whilst simultaneously minimising costs.

If we start looking at the "good", as the manufacturing and procurement of cyber security software, services and consulting, are we confident we are operating at maximum efficiency? I would argue we are not.  I am going to pick five high level topics in which to dig a little deeper.

1) Labour Shortages

The 2019 ISC2 Cyber Workforce Study, identified a staggering 4.07 million unfilled cyber security positions – up from 2.93 million in 2018. The report highlighted this as a global problem too – with APAC sitting on a 2.6 million backlog of unfilled roles. There are probably numerous other reports and Google search nuggets, to back up the claim, that cyber security is one of the toughest skill sets to recruit for within technology in 2020.

But what does this prove? Mismatches in labour demand and supply are common in numerous professions – medical doctors being an obvious one. An excess in demand over supply can obviously create wage inflation, amongst other inefficiencies, but what about triggers from the supply side?

The classic causes of labour market imperfection are many – but some seem to easily apply to cyber. The inelastic supply of suitable candidates is a good starting place.


In-elasticity of the supply of cyber security candidates

In this basic example, the supply of cyber candidates is described as being highly inelastic – for example a change in salary, does not result in a proportional change in the supply of candidates. Why is this? Clearly training has a part to play. Skilled cyber practitioners are likely to require strong computer science, network and infrastructure skills, before being able to embark on more specialised training. This can take many years to obtain, effectively acting like barriers to entry for new and willing candidates.

As with many labour markets, immobility and lack of vacancy information may also hinder skills investment, especially if the candidate is not aware of the potential benefits the long term training can bring. The more common practice of remote working however, is certainly helping to reduce geographical immobility issues which often hamper more traditional industries.

The cyber security industry is still very much in its infancy too, which can contribute to a lack of repeatable candidate development. Only in 2019, did the UK’s Chartered Institute of Information Security receive its royal warrant. Compare that to the likes of the Soap Makers Company (1638), Needlemakers Company (1656), Coachmakers Company (1677), Fanmakers (1709) and the Royal Medical Society (1773) and there is a palpable level of professional immaturity to understand. 

This could be amplified by a lack of consistency surrounding certifications, curriculum and job role descriptions. Only within the last 3 months has the industry seen CyBoK – the cyber book of knowledge - published. This may go a little way in attempting to formalise training and certification of candidates globally.

2) Regulation

An interesting bi product of perceived market failure, is government intervention. External intervention can take many forms and is often used to simulate competition (eg the likes of OfCom, OfWat or OfRail in the UK) where monopolistic or quasi-public sector run industries would not necessarily deliver optimum allocative efficiency if left to their own devices.

Whilst the cyber security sector is not a monopolistic supplier or employer, it has seen numerous pieces of governmental regulation. A few basic examples in Europe would include the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NIS). In the United States, at a state level at least, the California Consumer Privacy Act (CCPA) came into fruition with further amendments towards the end of 2019.

I am blurring the line between security and privacy with some of those regulations, but an interesting aspect, is the consumer protection angle of the likes of the GDPR and CCPA. If the market where left to its own devices, the consumer of 3rd party on line goods and services, is not deemed to be protected to a satisfactory level. The regulatory intervention is not to rectify a negative externality affecting 3rd parties, more to protect the first party user. During the exchange of goods and services to the individual, it seems the requisite level of privacy and security that benefits the group of users as a whole is not utilitarian. A major aim the current cyber legislation is trying to achieve, is to overcome the information asymmetries that exist when a user signs up for a service or makes an online purchase or interaction.

With respect to consumer privacy, a concept of information asymmetry known as adverse selection may exist - where the buyer is not fully aware of the use and value of their personal data in relation to the supplier of a good or service, who may use their data in ways not fully understood or even disclosed to the user.

The likes of the NIS directive, seems more focused upon reducing the impact of an externality - basically a negative impact to a wider group of users. Perhaps, due to a data breach, service disruption or degradation, that may have occurred due to a lack of cyber security controls. A simple example could be the lack of power generation to an entire town if a nuclear power station is knocked offline due to a malware attack.

3) Product Hyper Augmentation

The cyber security market is broad, complex and ever evolving. The number of product categories grows daily. Gartner has at least 20 security related magic quadrants. CISO's and CIO's have to make incredibly complex decisions regarding product and service procurement.
Certainly, there is another set of information asymmetries at play here, but those are likely to exist in other complex software markets. With respect to cyber, there seems to an accelerated augmentation of features and messaging. When does a next generation web application firewall become a dedicated API security gateway? When does a security orchestration automation and response platform become an integrated event driven identity and access management workflow? Is there space for such niche upon niches, or are we entering a phase of largely merged and consolidated markets, where buyer procurement decision making is simply based on non-features such as brand affiliation and procurement ease?


Product direction via vertical and horizontal augmentation

Many mature markets often reach a position where suppliers augment products to a position of mediocrity and consumer apathy and confusion. Youngme Moon from Harvard Business School articulates this concept extremely well in her book Different - which focuses on competitive strategies. It seems the market for cyber security products especially (maybe less so for services and consultancy) is rapidly moving to a position, where core products are being blurred via augmentation, add on services and proprietary market descriptions. This is creating difficulties when it comes to calculating product purchase versus return on investment reporting.

4) Breach Increase

A continuation of the purchase/RoI analysis pattern, is to analyse what "success" looks like for numerous cyber investments. Whether those investments are people, process or technology related, most procurement decisions, end up being mapped to a success criteria. Value for money. Return on Investment. Call it what you will, but many organisations will look to describe what success looks like when it comes to security investments.

Is it a reduction in data breaches? Is it having fewer installed products with known CVE (common vulnerability & exposures) due to faster patch roll out? Is it having more end users signing up with second factor authentication? This can tie neatly into the controls -v- outcomes discussion where risk, security and privacy management for an organisation needs to identify tangible and SMART (specific measurable assignable realistic time-bound) metrics for implied cyber investment. The ultimate goal of cyber is to support the CIA (confidentiality integrity availability) triad, either singularly or collectively.

A major source of cyber investment success discussion, is associated with data breach trends. There are numerous pieces of data to support the claim, that breaches are increasing. Increasing in volume (from 157 in 2005 to 783 in 2014), breadth and complexity. Many of the articles could admittedly be FUD raised by vendors to accelerate product adoption, but there is no denying the popularity of sites like HaveIBeenPwned, where the number of breached credentials is substantial and increasing. If cyber investment was efficient, shouldn't these metrics be reducing?

This starts to generate two questions: either buyers are buying and using the wrong products or those products are not providing a decent return on investment.

5) Corporate Information Failure

But are products really to blame? The entire thread of this article, is to discuss market failure points. Information is a key component of effective free market development. Many information barriers seem to exist within the cyber security sector. Think of the following:
  • RoI on cyber product investment
  • Cost of personal data protection
  • The societal impact of critical infrastructure failures
  • Risk management success criteria
  • Cyber security certification benefit to corporations
There are likely several other angles to take on this, but full information with regards to the upholding of the confidentiality, availability and integrity of data is unlikely to occur. Many private sector organisations have undergone digital transformation over the last 10 years. These "corporation.next" operations, have created new challenges with respect to data protection. Data relating to customers, employees, intellectual property, products, suppliers, transactions and products.

But how do organisations a) know what to protect b) know how to protect it and c) innovate and manage investment strategies with respect to the protection?

There are many strategies used to manage cyber corporate investment. Some are driven by vendor FUD - aka breach threat - right through to modern risk management strategies, driven by mapping information protection to a higher level corporate strategy. 

If the corporate strategy is known and well communicated, it can become easier to overlay information protection decisions, that the business owners are willing to accept, monitor and iterate against. Risk transparency can help to provide a deeper understanding to what investments should be made and whether those investments are personnel, training or product related.

Summary

Cyber security is a growing, complex and multi faceted market. Many aspects are emerging, with new vendors, design patterns and attack vectors being created monthly. Other aspects, such as risk management and core protection of critical assets are relatively mature and well understood, in comparison to the computational age.

The investment and usage patterns associated with cyber security technology however, are seemingly plagued with numerous information failures, resulting in complex procurement, skills and personnel misalignment.

A value driven approach is needed, where explicit investment decisions (on both the skills provider, procurer and end user side) are weighed against short and long term returns.

2H2019 Identity Management Funding Analysis

Back in July, I wrote an article taking a brief look at venture capitalist funding patterns within the identity and access management space, for the first half of 2019.  I am going to revisit that topic, but for the second half of the year.

Key Facts July to December 2017 / 2018 / 2019

Funding increased 309% year on year for the second half of 2019, compared to the same period in 2018.  Taking a 3 year look, it seems, that perhaps 2018, and not 2019, was the unusual year.


The number of organisations receiving funding, has reduced every year since 2017.  The drop between 2018 and 2019 was about 15%.  Between 2017 and 2018, a 34% decline.  As per first half numbers, you could infer, that the identity industry in general is maturing, stabilising and seeing the number of organisations needing funding start to slow.  Approximately 30% of the funding in the second half of 2019, was classified as seed, which may support that claim.

2H2019
  • ~$532 million overall funding
  • Seed funding accounted for 30.3%
  • Median announcement date Sep 26th
  • 33 companies funded

2H2018
  • ~$172 million overall funding
  • Seed funding accounted for 23.1%
  • Median announcement date Aug 29th
  • 39 companies funded

2H2017

  • ~$523 million overall funding
  • Seed funding accounted for 32.8%
  • Median announcement date Oct 3rd
  • 61 companies funded

2H2019 Company Analysis

A coarse grained analysis of the 2019 numbers, shows a pretty balanced geographic spread - between EMEA and North America at least.  Whilst, most funding originates within the US, the companies receiving funding seems quite balanced.  For the first half of 2019, a much larger focus was on organisations based out of North America however.



2H2019 Top 10 Companies By Funding Amounts

The following is a simple top down list, of the companies that received the highest funding and at what stage that funding was received:


1Password ($200m, Series A) - https://pulse2.com/1password-200-million-funding/

AU10TIX ($60m, PE) - https://www.biometricupdate.com/201907/au10tix-receives-60m-investment-to-pay-off-debt-and-fund-growth-initiatives

Truiloo ($52m, Series C) - https://www.geekwire.com/2019/vancouver-startup-truiloo-raises-52m-identity-verification-tech/

2H2019 Identity Management Funding Analysis

Back in July, I wrote an article taking a brief look at venture capitalist funding patterns within the identity and access management space, for the first half of 2019.  I am going to revisit that topic, but for the second half of the year.

Key Facts July to December 2017 / 2018 / 2019

Funding increased 309% year on year for the second half of 2019, compared to the same period in 2018.  Taking a 3 year look, it seems, that perhaps 2018, and not 2019, was the unusual year.


The number of organisations receiving funding, has reduced every year since 2017.  The drop between 2018 and 2019 was about 15%.  Between 2017 and 2018, a 34% decline.  As per first half numbers, you could infer, that the identity industry in general is maturing, stabilising and seeing the number of organisations needing funding start to slow.  Approximately 30% of the funding in the second half of 2019, was classified as seed, which may support that claim.

2H2019
  • ~$532 million overall funding
  • Seed funding accounted for 30.3%
  • Median announcement date Sep 26th
  • 33 companies funded

2H2018
  • ~$172 million overall funding
  • Seed funding accounted for 23.1%
  • Median announcement date Aug 29th
  • 39 companies funded

2H2017

  • ~$523 million overall funding
  • Seed funding accounted for 32.8%
  • Median announcement date Oct 3rd
  • 61 companies funded

2H2019 Company Analysis

A coarse grained analysis of the 2019 numbers, shows a pretty balanced geographic spread - between EMEA and North America at least.  Whilst, most funding originates within the US, the companies receiving funding seems quite balanced.  For the first half of 2019, a much larger focus was on organisations based out of North America however.



2H2019 Top 10 Companies By Funding Amounts

The following is a simple top down list, of the companies that received the highest funding and at what stage that funding was received:


1Password ($200m, Series A) - https://pulse2.com/1password-200-million-funding/

AU10TIX ($60m, PE) - https://www.biometricupdate.com/201907/au10tix-receives-60m-investment-to-pay-off-debt-and-fund-growth-initiatives

Truiloo ($52m, Series C) - https://www.geekwire.com/2019/vancouver-startup-truiloo-raises-52m-identity-verification-tech/

5 Minute Briefing: Designing for Security Outcomes

This is the first in a set of blogs focused on high level briefings - typically 5 minute reads, covering design patterns and meta trends relating to security architecture and design.

When it comes to cyber security design, there have been numerous ways of attempting to devise the investment profile and allocative efficiency metric.  Should we protect a $10 bike with a $6 lock, if the chance of loss is 10% - that sort of stuff.  I don’t want to tackle the measurement process per-se.

I want to focus upon taking the generic business concept of outcomes, alongside some of the uncertainty that is often associated with complex security and access control investments.

I guess, to start with, a few definitions to get us all on the same page.  Firstly, what are outcomes?  In a simple business context, an outcome is really just a forward looking statement – where do we want go get to?  What do we want to achieve?  In the objective, strategy and tactics model of analysis, it is likely the outcome could fall somewhere in the objective and possibly strategy blocks.

A really basic example of an OST breakdown could be the following:

    • Objective: fit in to my wedding dress by July 1st
    • Strategy: eat less and exercise more
    • Tactic: don’t eat snacks between meals and walk to work



So how does this fit into security?  Well cyber is typically seen as a business cost – with risk management another parallel cost centre, used to manage the implementation of cyber security investment and the subsequent returns - or associated loss reduction.

The end result of traditional information security management, is something resembling a control – essentially a pretty fine grained and repeatable step that can be measured.  Maybe something like “run anti-virus version x or above on all managed desktops”.  

But how does something so linear and pretty abstract in some cases, flow back to the business objectives?  I think in general, it doesn’t (or even can’t) which results in the inertia associated with security investment – the overall security posture is compromised and business investment in those controls is questioned.

The security control could be seen as a tactic – but is often not associated with any strategy or IT objective – and certainly very rarely associated with a business objective.  The business wants to sell widgets, not worry about security controls and quite rightly so.

Improve Security Design


So how are outcomes better than simple controls?  I think there are two aspects to this.  First is about security design and second is about security communications.

If we take the AV control previously described – what is that trying to achieve?  Maybe a more broad brush outcome, is that malware isn’t great and should be avoided.  Why should malware be avoided?  Perhaps metrics can attribute firewall performance reductions of 18% due to malware call home activity, which in turn reduces the ability for the business to uphold a 5 minute response SLA for customer support calls?

Or that 2 recent data breaches, were attributable to a bot net miner browser plug-in, that resulted in 20,000 identity records being leaked at a cost of $120 per record in fines?  

Does a security outcome such as “a 25% reduction in malware activity” result in a more productive, accountable and business understandable work effort?  

It would certainly require multiple different strategies and tactics to make it successful, covering lots of different aspects of people, process and technology.  Perhaps one of the tactics involved is indeed running up to date AV.   I guess the outcome can act as both a modular umbrella and also a future proofed and autonomous way of identifying the most value driven technical control.

Perhaps outcomes really are more about reporting and accountability?


Improve Security Communications


Accountability and communications are often a major weakness of security design and risk management.  IT often doesn’t understand the nuance of certain security requirements – anyone heard of devsecops (secdevops)?

Business understanding is vitally important when it comes to security design and that really is what “security communications” is all about.  I’m not talking about TLS (nerd joke alert), but more about making sure both the business and IT functions not only use a common language, but also work towards common goals. 

Security controls tend to be less effective when seen as checkbox exercises, powered by internal and external audit processes (audit functions tend to exist in areas of market failure, where the equilibrium state of the market results in externalities….but I won’t go there here).

Controls are often abstracted away from business objectives via a risk management layer and can lose their overall effectiveness – and in turn business confidence.  Controls also tend to be implicitly out of date by the time they are designed and certainly when they implemented.

If controls are emphasised less, and security outcomes more – and making sure outcomes are tied more closely with business objectives, an alignment on accountability and in turn investment profiles can be made.

Summary


So what are trying to say?  At a high level, try to move away from controls and encourage more goals and outcomes based design when it comes to security.  By leveraging an outcomes based model, procurement and investment decisions can be crystallised and made more accountable.  

The business objectives can be contributed towards and security essentially can become more effective – resulting in fewer data breaches, better returns on investment and greater clarity on where investment should be made.

5 Minute Briefing: Designing for Security Outcomes

This is the first in a set of blogs focused on high level briefings - typically 5 minute reads, covering design patterns and meta trends relating to security architecture and design.

When it comes to cyber security design, there have been numerous ways of attempting to devise the investment profile and allocative efficiency metric.  Should we protect a $10 bike with a $6 lock, if the chance of loss is 10% - that sort of stuff.  I don’t want to tackle the measurement process per-se.

I want to focus upon taking the generic business concept of outcomes, alongside some of the uncertainty that is often associated with complex security and access control investments.

I guess, to start with, a few definitions to get us all on the same page.  Firstly, what are outcomes?  In a simple business context, an outcome is really just a forward looking statement – where do we want go get to?  What do we want to achieve?  In the objective, strategy and tactics model of analysis, it is likely the outcome could fall somewhere in the objective and possibly strategy blocks.

A really basic example of an OST breakdown could be the following:

    • Objective: fit in to my wedding dress by July 1st
    • Strategy: eat less and exercise more
    • Tactic: don’t eat snacks between meals and walk to work



So how does this fit into security?  Well cyber is typically seen as a business cost – with risk management another parallel cost centre, used to manage the implementation of cyber security investment and the subsequent returns - or associated loss reduction.

The end result of traditional information security management, is something resembling a control – essentially a pretty fine grained and repeatable step that can be measured.  Maybe something like “run anti-virus version x or above on all managed desktops”.  

But how does something so linear and pretty abstract in some cases, flow back to the business objectives?  I think in general, it doesn’t (or even can’t) which results in the inertia associated with security investment – the overall security posture is compromised and business investment in those controls is questioned.

The security control could be seen as a tactic – but is often not associated with any strategy or IT objective – and certainly very rarely associated with a business objective.  The business wants to sell widgets, not worry about security controls and quite rightly so.

Improve Security Design


So how are outcomes better than simple controls?  I think there are two aspects to this.  First is about security design and second is about security communications.

If we take the AV control previously described – what is that trying to achieve?  Maybe a more broad brush outcome, is that malware isn’t great and should be avoided.  Why should malware be avoided?  Perhaps metrics can attribute firewall performance reductions of 18% due to malware call home activity, which in turn reduces the ability for the business to uphold a 5 minute response SLA for customer support calls?

Or that 2 recent data breaches, were attributable to a bot net miner browser plug-in, that resulted in 20,000 identity records being leaked at a cost of $120 per record in fines?  

Does a security outcome such as “a 25% reduction in malware activity” result in a more productive, accountable and business understandable work effort?  

It would certainly require multiple different strategies and tactics to make it successful, covering lots of different aspects of people, process and technology.  Perhaps one of the tactics involved is indeed running up to date AV.   I guess the outcome can act as both a modular umbrella and also a future proofed and autonomous way of identifying the most value driven technical control.

Perhaps outcomes really are more about reporting and accountability?


Improve Security Communications


Accountability and communications are often a major weakness of security design and risk management.  IT often doesn’t understand the nuance of certain security requirements – anyone heard of devsecops (secdevops)?

Business understanding is vitally important when it comes to security design and that really is what “security communications” is all about.  I’m not talking about TLS (nerd joke alert), but more about making sure both the business and IT functions not only use a common language, but also work towards common goals. 

Security controls tend to be less effective when seen as checkbox exercises, powered by internal and external audit processes (audit functions tend to exist in areas of market failure, where the equilibrium state of the market results in externalities….but I won’t go there here).

Controls are often abstracted away from business objectives via a risk management layer and can lose their overall effectiveness – and in turn business confidence.  Controls also tend to be implicitly out of date by the time they are designed and certainly when they implemented.

If controls are emphasised less, and security outcomes more – and making sure outcomes are tied more closely with business objectives, an alignment on accountability and in turn investment profiles can be made.

Summary


So what are trying to say?  At a high level, try to move away from controls and encourage more goals and outcomes based design when it comes to security.  By leveraging an outcomes based model, procurement and investment decisions can be crystallised and made more accountable.  

The business objectives can be contributed towards and security essentially can become more effective – resulting in fewer data breaches, better returns on investment and greater clarity on where investment should be made.

Principles of Usable Security

I want to talk about the age old trade off between the simplicity of a website or app, versus the level of friction, restriction and inhibition associated with applying security controls. There was always a tendency to split security at the other end of the cool and usable spectrum. If it was secure, it was ugly. If it was easy to use and cool, it was likely full of exploitable vulnerability. Is that still true?

In recent years, there have been significant attempts – certainly by vendors – but also by designers and architects, to meet somewhere in the middle – and deliver usable yet highly secure and robust systems. But how to do it? I want to try and capture some of those points here.

Most Advanced Yet Acceptable


I first want to introduce the concept of MAYA: Most Advanced Yet Acceptable. MAYA was a concept created by the famous industrial design genius, Raymond Loewy [1] in the 1950’s. The premise, was that to create successful innovative products, you had to reach a point of inflexion, between novelty and familiarity. If something was unusual in its nature or use, it would only appeal to a small audience. An element of familiarity had to anchor the viewer or user in order to allow incremental changes to take the product in new directions.

Observation


When it comes to designing – or redesigning a product or piece of software – it is often the case that observation is the best ingredient. Attempting to design in isolation can often lead to solutions looking for problems, or in the case of MAYA, something so novel that it is not fit for purpose. A key focus of Loewy’s modus operandi, was to observe users of the product he was aiming to improve. Be it a car, a locomotive engine or copying machine. He wanted to see how it was being broken. The good things, the bad, the obstacles, the areas which required no explanation and the areas not being used at all. The same applies when improving software flow.

Take the classic sign-up and sign-in flows seen on nearly every website and mobile application. To the end user, these flows are the application. If they fail, create unnecessary friction, or are difficult to understand, the end user will become so frustrated they are likely to attribute the entire experience to the service or product they are trying to access.  And go to the nearest competitor.

In order to improve, there needs to be a mechanism to view, track and observe how the typical end user will use and interact with the flow. Capture clicks, drop outs, the time it takes to perform certain operations. All these steps, provide invaluable input in how to create a more optimal set of interactions. These observations of course, need comparing to a baseline or some sort of acceptable SLA.


Define Usable?


But why are we observing and how to define usable in the first place? Security can be a relatively simple metric. Define some controls. Compare process or software to said controls. Apply metrics. Rinse and repeat. Simple right? But how much usability is required? And where does that usability get counted?

Usable for the End User

The most obvious stand point is usability for the end user. If we continue the sign-up and sign-in flows, they would need to be simply labelled and responsive – altering their expression dynamically depending on the device type and maybe location the end user is accessing from.

End user choice is also critical, empowering the end user without overloading them with options and overly complex decisions. Assumptions are powerful, but only if enough information is available to the back-end system, that allows for the creation of a personalised experience.

Usable for the Engineer

But the end user is only one part of the end to end delivery cycle for a product. The engineering team needs usability too. Complexity in code design, is the enemy of security. Modularity, clean interfaces and nice levels of cohesion, allow for agile and rapid feature development, that reduces the impact on unrelated areas. Simplicity in code design, makes testing simpler and helps reduce attack vectors.

Usable for the Support Team

The other main area to think about, is that of the post sales teams. How do teams support, repair and patch existing systems that are in use? Does that process inhibit either the end user happiness or underlying security posture of the system? Does it allow for enhancements or just fixes?

Reduction


A classic theme of Loewy’s designs, if you look at them over time, is that of reduction. Reduction in components, features, lines and angles involved in the overall product. By reducing the number of fields, buttons, screens and steps, the end user user then has fewer decisions to make. Fewer decisions result in fewer mistakes. Fewer mistakes result in less friction. Less friction, seems a good design choice when it comes to usability.

Fewer components, should also reduce the attack surface and the support complexity.


Incremental Change


But change needs to be incremental. An end user does not like shocks. A premise of MAYA, is to think to the future, but observe and provide value today. Making radical changes will reduce usability as features and concepts will be too alien and too novel.

Develop constructs that benefit the end user immediately, instil familiarity, that allows trust in the incremental changes that will follow.  All whist keeping those security controls in mind.


[1] - https://en.wikipedia.org/wiki/Raymond_Loewy

Principles of Usable Security

I want to talk about the age old trade off between the simplicity of a website or app, versus the level of friction, restriction and inhibition associated with applying security controls. There was always a tendency to split security at the other end of the cool and usable spectrum. If it was secure, it was ugly. If it was easy to use and cool, it was likely full of exploitable vulnerability. Is that still true?

In recent years, there have been significant attempts – certainly by vendors – but also by designers and architects, to meet somewhere in the middle – and deliver usable yet highly secure and robust systems. But how to do it? I want to try and capture some of those points here.

Most Advanced Yet Acceptable


I first want to introduce the concept of MAYA: Most Advanced Yet Acceptable. MAYA was a concept created by the famous industrial design genius, Raymond Loewy [1] in the 1950’s. The premise, was that to create successful innovative products, you had to reach a point of inflexion, between novelty and familiarity. If something was unusual in its nature or use, it would only appeal to a small audience. An element of familiarity had to anchor the viewer or user in order to allow incremental changes to take the product in new directions.

Observation


When it comes to designing – or redesigning a product or piece of software – it is often the case that observation is the best ingredient. Attempting to design in isolation can often lead to solutions looking for problems, or in the case of MAYA, something so novel that it is not fit for purpose. A key focus of Loewy’s modus operandi, was to observe users of the product he was aiming to improve. Be it a car, a locomotive engine or copying machine. He wanted to see how it was being broken. The good things, the bad, the obstacles, the areas which required no explanation and the areas not being used at all. The same applies when improving software flow.

Take the classic sign-up and sign-in flows seen on nearly every website and mobile application. To the end user, these flows are the application. If they fail, create unnecessary friction, or are difficult to understand, the end user will become so frustrated they are likely to attribute the entire experience to the service or product they are trying to access.  And go to the nearest competitor.

In order to improve, there needs to be a mechanism to view, track and observe how the typical end user will use and interact with the flow. Capture clicks, drop outs, the time it takes to perform certain operations. All these steps, provide invaluable input in how to create a more optimal set of interactions. These observations of course, need comparing to a baseline or some sort of acceptable SLA.


Define Usable?


But why are we observing and how to define usable in the first place? Security can be a relatively simple metric. Define some controls. Compare process or software to said controls. Apply metrics. Rinse and repeat. Simple right? But how much usability is required? And where does that usability get counted?

Usable for the End User

The most obvious stand point is usability for the end user. If we continue the sign-up and sign-in flows, they would need to be simply labelled and responsive – altering their expression dynamically depending on the device type and maybe location the end user is accessing from.

End user choice is also critical, empowering the end user without overloading them with options and overly complex decisions. Assumptions are powerful, but only if enough information is available to the back-end system, that allows for the creation of a personalised experience.

Usable for the Engineer

But the end user is only one part of the end to end delivery cycle for a product. The engineering team needs usability too. Complexity in code design, is the enemy of security. Modularity, clean interfaces and nice levels of cohesion, allow for agile and rapid feature development, that reduces the impact on unrelated areas. Simplicity in code design, makes testing simpler and helps reduce attack vectors.

Usable for the Support Team

The other main area to think about, is that of the post sales teams. How do teams support, repair and patch existing systems that are in use? Does that process inhibit either the end user happiness or underlying security posture of the system? Does it allow for enhancements or just fixes?

Reduction


A classic theme of Loewy’s designs, if you look at them over time, is that of reduction. Reduction in components, features, lines and angles involved in the overall product. By reducing the number of fields, buttons, screens and steps, the end user user then has fewer decisions to make. Fewer decisions result in fewer mistakes. Fewer mistakes result in less friction. Less friction, seems a good design choice when it comes to usability.

Fewer components, should also reduce the attack surface and the support complexity.


Incremental Change


But change needs to be incremental. An end user does not like shocks. A premise of MAYA, is to think to the future, but observe and provide value today. Making radical changes will reduce usability as features and concepts will be too alien and too novel.

Develop constructs that benefit the end user immediately, instil familiarity, that allows trust in the incremental changes that will follow.  All whist keeping those security controls in mind.


[1] - https://en.wikipedia.org/wiki/Raymond_Loewy

1H2019 Identity Management Funding Analysis

As the first half of 2019 has been and gone, I've taken a quick look at the funding rounds that have taken place so far this year, within the identity and access management space and attempted some coarse grained analysis.  The focus is global and the sector definition is quite broad and based on the categories Crunchbase use.

Key Facts January to June 2017 / 2018 / 2019

Funding increased 261% year on year for the first half of 2019, compared to the same period in 2018.  There were some pretty large, latter stage investments, which looks like that has skewed the number some what.  

The number of organisations actually receiving funding, dropped, as did the % of organisations receiving seed funding.  This is pretty typical as the market matures and stabilises in some sub categories.



1H2019
  • ~$604million overall funding
  • Seed funding accounted for 20%
  • Median announcement date March 27th
  • 35 companies funded

1H2018
  • ~$231million overall funding
  • Seed funding accounted for 45.3%
  • Median announcement date March 30th
  • 53 companies funded

1H2017

  • ~$237million overall funding
  • Seed funding accounted for 32.1%
  • Median announcement date April 7th
  • 56 companies funded


1H2019 Company Analysis

A coarse grained analysis of the 2019 numbers, shows a pretty typical geographic spread - with North America, as ever the major centre, not just for funded companies, but the funding entities too.



The types of companies funded, is also interesting.  The categories are based on what Crunchbase curates, and maps against company descriptions, so there might be some overlap or ambiguity when performing detailed analysis on that.



It's certainly interesting to see a range covering B2C fraud, payments and analytics - typically as the return on investment on such products is very tangible.

The stage of funding, provides a broad and distributed range.  Seed is the clear leader, but the long tail is indicating a maturity of market, with many investors expecting strong returns.


1H2019 Top 10 Companies By Funding Amounts

The following is a simple top down list, of the companies that received the highest funding and at what stage that funding was received:
  1. Dashlane ($110m, Series D) - http://www.dashlane.com/ (https://techcrunch.com/2019/05/30/dashlane-series-d/)
  1. Auth0 ($103m, Series E) - https://auth0.com/ (s://auth0.com/blog/auth0-closes-103m-in-funding-passes-1b-valuation/)
  1. OneLogin ($100m, Series D) - http://onelogin.com/ (https://venturebeat.com/2019/01/10/onelogin-raises-100-million-to-help-enterprises-manage-access-and-identity/)

  2. Onfido ($50m, Series C) - http://www.onfido.com/ (https://venturebeat.com/2019/04/03/onfido-raises-50-million-for-ai-powered-identity-verification/)

  3. Socure ($30m, Series C) - http://www.socure.com/ (https://www.socure.com/about/news/socure-raises-30-million-in-additional-financing-to-identify-the-human-race)
  1. Dashlane ($30m, Debt Financing) - http://www.dashlane.com/
  2. Payfone ($24m, Series G) - http://www.payfone.com/ (https://www.alleywatch.com/2019/05/nyc-startup-funding-top-largest-april-2019-vc/7/)
  1. Evident ($20m, Series B) - https://www.evidentid.com/ (http://www.finsmes.com/2019/05/evident-raises-20m-in-series-b-funding.html)
  1. Bamboocloud ($15m, Series B) - http://www.bamboocloud.cn/ (https://www.volanews.com/portal/article/index/id/1806.html)
  1. Proxy ($13.6m, Series A) - https://proxy.com/ (https://www.globenewswire.com/news-release/2019/03/27/1774258/0/en/Proxy-Raises-13-6M-in-Series-A-Funding-Led-by-Kleiner-Perkins-Emerges-from-Stealth-to-Launch-Its-Universal-Identity-Signal-for-Frictionless-Access-to-Everything-in-the-Physical-Wor.html)

NB - all data and reporting done via Crunchbase.

1H2019 Identity Management Funding Analysis

As the first half of 2019 has been and gone, I've taken a quick look at the funding rounds that have taken place so far this year, within the identity and access management space and attempted some coarse grained analysis.  The focus is global and the sector definition is quite broad and based on the categories Crunchbase use.

Key Facts January to June 2017 / 2018 / 2019

Funding increased 261% year on year for the first half of 2019, compared to the same period in 2018.  There were some pretty large, latter stage investments, which looks like that has skewed the number some what.  

The number of organisations actually receiving funding, dropped, as did the % of organisations receiving seed funding.  This is pretty typical as the market matures and stabilises in some sub categories.



1H2019
  • ~$604million overall funding
  • Seed funding accounted for 20%
  • Median announcement date March 27th
  • 35 companies funded

1H2018
  • ~$231million overall funding
  • Seed funding accounted for 45.3%
  • Median announcement date March 30th
  • 53 companies funded

1H2017

  • ~$237million overall funding
  • Seed funding accounted for 32.1%
  • Median announcement date April 7th
  • 56 companies funded


1H2019 Company Analysis

A coarse grained analysis of the 2019 numbers, shows a pretty typical geographic spread - with North America, as ever the major centre, not just for funded companies, but the funding entities too.



The types of companies funded, is also interesting.  The categories are based on what Crunchbase curates, and maps against company descriptions, so there might be some overlap or ambiguity when performing detailed analysis on that.



It's certainly interesting to see a range covering B2C fraud, payments and analytics - typically as the return on investment on such products is very tangible.

The stage of funding, provides a broad and distributed range.  Seed is the clear leader, but the long tail is indicating a maturity of market, with many investors expecting strong returns.


1H2019 Top 10 Companies By Funding Amounts

The following is a simple top down list, of the companies that received the highest funding and at what stage that funding was received:
  1. Dashlane ($110m, Series D) - http://www.dashlane.com/ (https://techcrunch.com/2019/05/30/dashlane-series-d/)
  1. Auth0 ($103m, Series E) - https://auth0.com/ (s://auth0.com/blog/auth0-closes-103m-in-funding-passes-1b-valuation/)
  1. OneLogin ($100m, Series D) - http://onelogin.com/ (https://venturebeat.com/2019/01/10/onelogin-raises-100-million-to-help-enterprises-manage-access-and-identity/)

  2. Onfido ($50m, Series C) - http://www.onfido.com/ (https://venturebeat.com/2019/04/03/onfido-raises-50-million-for-ai-powered-identity-verification/)

  3. Socure ($30m, Series C) - http://www.socure.com/ (https://www.socure.com/about/news/socure-raises-30-million-in-additional-financing-to-identify-the-human-race)
  1. Dashlane ($30m, Debt Financing) - http://www.dashlane.com/
  2. Payfone ($24m, Series G) - http://www.payfone.com/ (https://www.alleywatch.com/2019/05/nyc-startup-funding-top-largest-april-2019-vc/7/)
  1. Evident ($20m, Series B) - https://www.evidentid.com/ (http://www.finsmes.com/2019/05/evident-raises-20m-in-series-b-funding.html)
  1. Bamboocloud ($15m, Series B) - http://www.bamboocloud.cn/ (https://www.volanews.com/portal/article/index/id/1806.html)
  1. Proxy ($13.6m, Series A) - https://proxy.com/ (https://www.globenewswire.com/news-release/2019/03/27/1774258/0/en/Proxy-Raises-13-6M-in-Series-A-Funding-Led-by-Kleiner-Perkins-Emerges-from-Stealth-to-Launch-Its-Universal-Identity-Signal-for-Frictionless-Access-to-Everything-in-the-Physical-Wor.html)

NB - all data and reporting done via Crunchbase.