The funny thing about RSA is that it’s always marketed around collective defense but it’s actually about selling point solutions. Bringing the community together to do “better” is this year’s conference theme with the goal of “empowering the collective ‘we’ in the industry”. And yet, most of the focus of the conference is on the 700+ exhibitors offering thousands of solutions for companies to defend themselves.
Of course, the conference organizers can’t be blamed for this. Government strategy hammers on the need for cooperation and coordination but the vast majority of government spending on cybersecurity goes to defending the federal government. In the private sector, many “initiatives” to address problems that market forces cannot are PR ploys. Commitments can be vague, and organizations get stood up and promptly collapse.
Product companies often talk a good game about working within a community but are economically incentivized to perpetuate the problem. Blocking malware is good business but coordinating with law enforcement to arrest the malware writers isn’t in the business plan. When large companies announce a new effort, it’s typically with an eye toward pre-empting regulatory action. What that means is that instead of a vibrant ecosystem of non-profit organizations grown by grassroot practitioners dedicated to solving problems, the landscape is covered in astroturf.
That’s not to say that there isn’t an ecosystem of Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), and other organizations that make a real, positive impact on problems that products alone won’t address. But many of these organizations are starved for resources. As a whole, they suffer from a free rider problem, where they are producing a public good that benefits everyone (collective cyber defense) with only a small pool of resources to produce that public good.
To fix this problem, we need to incentivize the product makers and the companies that buy those products to invest a portion of their resources into efforts that reduce risk for everyone. Companies that genuinely want to solve problems beyond their clients or their own network perimeters need to be rewarded in the marketplace for that. Companies that don’t want to do that need to be easily distinguishable from those that do.
In the environmental and sustainability community, this problem of internalizing externalities related to environmental degradation has been solved by the B Corp movement. B Corps make a pledge to meet a series of environmental and social commitments and then agree to be held accountable to those commitments through verified performance measurement. These are legal, binding commitments made under contract. Megan Stifel at Public Knowledge has suggested that B Corps should include cybersecurity as part of their definition of sustainability.
I like shopping at B Corps (on many days my kids are dressed in six layers of Patagonia). It lets me know that green and sustainable marketing is matched by green and sustainable actions. When I buy or recommend cybersecurity products, I’d also like to know that the rhetoric used in the “mission” statement of the company is matched by actual commitments to the collective reduction of threats.
Cyber B Corps (or whatever we might dub them) that sell security products should commit time and resources to doing the things that their products alone can’t do. From seed funding onward, they should, on a sliding scale, dedicate a portion of funding to communal efforts. Cyber B Corps that are large enterprises should take a percentage of their security budget and similarly dedicate it.
What type of worthy causes could the Cyber B Corps undertake? Sharing information on threats, making data available for researchers, supporting educational and workforce efforts, supporting basic research, cooperating in takedown efforts, and supporting global hygiene efforts are good starts. Cyber B Corps members should be able to choose which efforts they support but ensuring that they support the community is essential.
Gartner puts global cyber spending on products and services at $124 billion in 2019. That figure doesn’t include what companies spend on operations, likely many times that number. I doubt the combined budgets of every existing ISAC, ISAO, or CICO top $100 million. Cyber B Corps could change that.
In cybersecurity, we talk a lot about the values of community and cooperation and continued dedication to mission. but our actions don’t match our words. To quote Joe Biden, “Don't tell me what you value. Show me your budget, and I'll tell you what you value.” Companies that truly value collective action should proudly be displaying a Cyber B Corp logo and proving their commitments in the most measurable of all ways: with their dollars.