It’s Time for Cybersecurity Vendors to Be Held Accountable

Cybersecurity: Battling the Virus of Cybercrime 

Bad actors—like an invasive virus—make their way into an organization, propagate within, and parasitize assets that the organization needs to survive. In the process, these attackers, such as those ruthlessly exploiting the current COVID-19 pandemic with misleading phish “from” the CDC, are exquisitely designed to damage and even destroy the host.

Every security vendor wants to offer the “silver bullet”—a defense that can shield the organization from all types of cyberattacks. But like viruses, attacks are constantly mutating, changing their methods, and probing for weak spots.

For years now, security vendors have been rationalizing their failures and offloading consequences onto the customer. Then, they actually propose deeper (and more expensive) commitments to a failed solution as a remedy, offering ways for companies to “tune” and refine their products. This approach still places the burden of defense on the phished customer. Vendors make no effort to be accountable for the cost of their failed solutions; losses are traditionally absorbed by the victim.

The need for accountable security is urgent as attacks proliferate and worsen. The World Economic Forum’s Global Risk Landscape recently called cyberattacks and accompanying data fraud and theft two of the top six threats to the stability of civilization itself—catastrophic acts of man comparable to the plagues, famines, and floods we’ve feared and fought for millennia.

Investing in Defense 

An insufficient or penetrable defense not only delivers little value but instills false confidence. Even trained employees are regularly, successfully phished, bringing about the very losses that training purports to avoid.

Fortunately, cyber breaches result mostly in financial rather than human losses, but that harm has been vast. Threat actors’ vampire-like siphoning of money and data from organizations still weakens and compromises the victim. The phrase resonates: “a single phish can take down a company.”

Worse, attackers are ingenious at developing innovative ways to frustrate security solutions, as in Business Email Compromise, where an attacker poses as a CXO, supplier, or partner. Depending exclusively on SEGs, spam filters, and other legacy security solutions no longer works; a partial defense is ineffectual. Given the nature of phishing campaigns—persistent and ingenious—the failure of traditional solutions to stop cybercrime leads to billions in financial losses. [$3.5B last year alone, according to the FBI.]

What is Value-Priced Cybersecurity?

Microeconomics teaches two basic pricing models: 1) cost-plus, and 2) value-based. The cost-plus model sets the price according to the outlay of production, to which profit is added. Value-based pricing reflects the amount customers are willing to pay based on their belief in the product’s worth.

If you’re working with a SEG vendor like Proofpoint, which has invested deeply in developing and marketing a major security offering, cost-plus pricing can be substantial. Naturally, that price reflects the need to earn back their investment, and then some.

Customers, however, don’t care about a vendor’s cost of production or annual revenue goals. Customers care about how the product helps them.

The brain easily grasps the logic of value-based pricing; it’s cost-plus pricing which seems counterintuitive. Yet, until now, the security industry has been able to get away with that model, despite well-publicized failures.

With today’s organizations essentially flooded by phishing attacks, customers continue to pay premium prices and sign multi-year contracts to remunerate security vendors for the cost of developing solutions that don’t solve the problem.

Value-based pricing for cybersecurity is a tough taskmaster. Measuring the efficacy of a solution against its results leaves little room to claim that it delivered value when the proof that it didn’t is sitting boldly in the inbox.

Why would enterprises continue with a failed strategy rather than demand value from their vendors for their investment?

Moving to an Accountable, Performance-Driven Security Model 

Leading cloud service providers such as Amazon Web Services (AWS), Microsoft, and Google all work now on an as-needed, pay-as-you-go basis. Delivering service on this consumption pricing model works great. But what if, instead of simply consumption, pricing were based entirely on performance?

Area 1 Security embodies that logic with its revolutionary Pay-per-Phish model. We think it’s wrong for organizations to pay for cybersecurity that doesn’t work. With phishing the root cause of nearly all damage from cyberattacks, blocking phish effectively is fundamental to stopping cybercrime. Consistent with our philosophy of accountability, our pay-for-performance approach means that customers only pay when we intercept attacks.

Area 1 is the first company willing to be held accountable for performance because we’re confident in the effectiveness of our technology.

Are your other vendors also measuring themselves against that uncompromising standard?

Mark Lange is Area 1’s chief evangelist.

