Current Market Forces Disincentivizing Cybersecurity, Says NCSC CTO

Written by

The technology market needs to be better incentivized to build cyber secure products, argues the CTO of the National Cyber Security Centre (NCSC), Ollie Whitehouse.

Speaking in a keynote address on the second day of the CyberUK 2024 conference in Birmingham, Whitehouse said that companies globally know how to build resilient, secure technology, but the market does not incentivize them to do so.

“Value and cost are still the primary drivers in the market and that is the enemy of cybersecurity,” he said.

Whitehouse said there are three main questions for the security technology market to consider. First, what do we want to achieve with cyber resilient technology in the next 10 years. Second, how do we get there in an evidence-based way. Finally, how do we drive market incentives to achieve that aim?

As well as his critique of the market, he also called out known vulnerabilities in security products as a major problem and said that there are various adversaries who are amassing vulnerabilities.

He also said that the claims security efficacy of solutions is not always realized in practice, either as a solution in isolation or in operations.

“We have claims not meeting reality,” he said.

“The challenges ahead of us are the horse-sized ducks of states with strategic intentions, and the duck-sized horses of criminal actors out for financial gain. And the reality is that we don’t get to choose which one we’d rather counter, because we have to be able to face both with confidence,” Whitehouse added.

Since being appointed to the role of CTO in in October 2023, he said his priorities include Active Cyber Defense 2.0, services that are designed to disrupt, degrade and dissuade adversaries.

“That will buy us some time against certain classes of actors whilst we go after the big parts,” he said.

The next aim is to get the evidence of the security of the technology, the efficacy of the defensive practices in reality and understanding that humans only have a certain amount of security budget that they will spend on cyber.

He noted that regarding the limited budgets that are available, “we need to spend that very wisely.” 

What’s hot on Infosecurity Magazine?