Cyber Security Professionals – A Market for Lemons?

Blog by Lawrie Abercrombie, Arcanum Co-founder and Technical Director

In 1970, George Akerlof, a US Nobel Prize-winning economist, wrote a paper on the used car market in the USA titled ‘The Market for Lemons’. It describes a phenomenon where buyers of second-hand cars are unable to tell the difference between a high-quality car, known as a ‘peach’, and a poor-quality car, known as a ‘lemon’, so they are only willing to pay a price that averages the value of the two together. Since the sellers actually do know how good or bad their car is, owners of ‘peaches’ will not sell for the lower, average price, while sellers of ‘lemons’ will be happy to do so.

The outcome of a ‘Lemon Market’ is that higher-priced sellers of quality products and services leave the market because they cannot achieve their desired price. Eventually, as enough sellers of ‘peaches’ leave the market, the average willingness-to-pay of buyers decreases, since the average quality of cars on the market decreases, leading even more sellers of high-quality cars to leave the market in a positive feedback loop.

According to Akerlof, a lemon market will be produced:

  1. If an incentive exists for the seller to pass off a low-quality product as a higher-quality one;
  2. Where there is an asymmetry of information, in which buyers cannot accurately assess the value of a product through examination before sale is made while sellers can more accurately assess the value of a product prior to sale;
  3. When sellers have no credible disclosure technology (sellers with a great car have no way to disclose this credibly to buyers);
  4. Where there is a deficiency of effective public quality assurances (by reputation or regulation, and / or of effective guarantees / warranties).

So why is a Cyber Security professional writing about economic theory and used cars in America? Because the UK Cyber Security Market has all four of those characteristics.

Taking the four bullets in turn: according to DCMS’ UK Cyber Security Sectoral Analysis 2021, the UK cyber market is worth some £3.6 billion. That’s a lot of incentive, even more so if a low-quality product can be sold at a high price.

As for the asymmetry of information, those of us who have external certifications and professional training will pretty much know their worth. But there is a myriad of these courses and certifications and no real international standard for which ones are value for money and which ones ‘not so much’. For example, not all Cyber Security Master’s degrees are created equal; one indicator is that of the 246 cyber MSc courses currently on offer at UK universities, the National Cyber Security Centre (NCSC) has fully certified only 33, five of which are from one university. So how does a buyer of cyber security services know how competent the supplier is before they sign on the dotted line? Unfortunately, frequently the answer is that they don’t.

Credible disclosure is becoming easier because the NCSC has also accredited some twenty-odd private sector companies as being good enough to do cyber security risk management for central Government, the wider public sector and Critical National Infrastructure (CNI). These companies are all named on the NCSC website. But most private companies have never heard of the scheme and so don’t use it.

The last one of the four is a good indicator of the Lemon Market. There is another NCSC scheme which certifies individuals, called the Certified Cyber Professional Scheme, and currently there are probably fewer than 1,000 people with a certification. It’s difficult to tell precisely because there’s no public register of who they are. That’s down from about 1,400 at its maximum size, at least partly because it costs quite a lot to get certified and people couldn’t see much of a return on their investment. Interestingly, according to DCMS’ Sectoral Analysis, there were 23,414 people in cyber professional services roles in the UK earlier this year. That’s a difference of about 22,200 against the 1,000 certified by the NCSC. As I said, interesting.

A widespread solution to the ‘Lemon Market’ for second-hand cars is for sellers to offer warranties or guarantees on the cars they sell. However, since the problem is essentially one of information disparity between buyers and sellers, the primary solution is for trusted information to be provided to the sellers by an independent authority. The new UK Cyber Security Council is starting to do this with the emergence of the new Chartered status for cyber security professionals. Unfortunately, unlike professions such as Solicitors or Architects, which have protected titles, the Council is working on membership being purely voluntary, and there’s nothing to stop Joe, or Josephine, Bloggs from declaring themselves to be a Cyber Security Professional and advertising their services on-line at £350 a day… or perhaps worse, at £1,250 per day…

Confession time: Arcanum, my company, operates at the upper end of the capability spectrum for cyber consultancy; we are one of the twenty-odd consultancies certified by the NCSC, and all of our consultants are Certified Cyber Professionals. A couple of recent experiences suggest that the Lemon Market theory may be true. In one, we were asked to clear up the mess after a small company had used an individual they’d found on-line, and a little bit of OSINT showed that the individual had been a salesman for a large retailer until he’d done a one-day GDPR course and set himself up as a ‘Cyber Professional’. Still in the Private Sector but on a larger scale, earlier this year we were approached by a first-in-post CISO for a large business with a turnover of tens of millions of pounds with a request to provide expert support to his business. We quoted him a price for the services he required, but he was unable to gain Board-level financial approval because the Board had identified an individual on the internet who offered the same service for a third of the price we quoted. The CISO informed us that the individual identified by the Board had no relevant qualification or certification, but he was unable to persuade the Board to pay for our ‘peach’ as opposed to the ‘lemon’ they had selected.

Perhaps the really worrying area is the Public Sector, which, given it has the NCSC to call on for advice, really should know better. Over the last couple of years we’ve tendered for several MoD contracts, either independently or as specialist suppliers to a large Prime Contractor, where there is a substantial cyber security requirement. The standard HMG marking for tenders is normally 60% for technical proficiency and 40% on price, so a bidder can win by being cheap and not particularly good. We recently saw a multi-million contract that was 40% on technical proficiency and 60% on price. That’s the MoD saying ‘we pretty much don’t care how poor they are technically, as long as they’re cheap’. But we now have one specifically for providing cyber security skills to support a major government initiative for a central Government Department which is 50% on price, 15% on cultural fit, 10% on Social Value and only 25% on technical competence. And that 25% has no requirement for any recognised cyber security certifications.

If that’s not an indicator of a drive to the bottom, I’m not sure what is.