The report has a little of something for everyone but my key takeaway was a standard way to define efficacy for products. One of the ways discussed in the podcast was, as a vendor, to have your products evaluated by a third party like MITRE's ATT&CK Evaluations. Further thoughts on the matter? Agree or disagree with anything in the report?
Efficacy - defined by four characteristics:
Capability - When properly installed and configured, how well does the solution deliver its stated security mission? Is it fit for purpose?
Practicality - How easy is it for organizations to implement, integrate, operate and maintain? Is it fit for use?
Quality - How well designed and built is the solution to avoid vulnerabilities and negative impact?
Provenance - How much security risk is there in the vendor and its supply chain, based on how they work and who they are?
> tmekelburg1 (Contributor II) posted a new topic in Industry News on 02-11-2021
> I was listening to the Cyber Risk Management Podcast and the topic of discussion was cybersecurity product efficacy.
Which basically turns on our old friends, functional versus assurance requirements. (I think the earliest formal treatment of those was in the Common Criteria.)
> Is cybersecurity the new "market for lemons"?
Of course, in general that's just a restatement of our old friend "security snake oil." We've always been a huge market for, if not outright hucksters, at least those who keep creating new "marketing" terms for stuff that has long been used.