Security and comparative advantage

In 1799, a stockbroker named David Ricardo read Adam Smith’s economics classic, The Wealth of Nations. The book fueled Ricardo’s profound interest in economics, which was reinforced by his friends and fellow economists Thomas Malthus and James Mill. In 1817, Ricardo published his own classic, On the Principles of Political Economy and Taxation, in which he outlined one of the most significant insights in modern economics: the theory of comparative advantage.

The theory helps answer profound questions like, “Should Jeff Bezos mow his own lawn or use a lawn service?” The answer, of course, is that he should use a lawn service. As Ricardo explained, the answer is the same even if Bezos has an absolute advantage in lawn mowing; that is, he can mow his own lawn for less money and faster than the lawn service.

Comparative advantage looks at opportunity costs, not absolute costs. If Bezos mows his lawn, he will have less time to do more profitable things, such as run his company. He probably values his nonproductive personal time more than the cost of the lawn service. Bezos also has a distinct advantage because the cost of the lawn service is known. He can compare the cost of the lawn service with the imputed cost of his effort to do the same job. Thus, he can make an informed decision to use the service or do it himself. As Ricardo’s theory explains, the transaction between Bezos and the lawn service profits both parties because they each gain economic advantage from the transaction.

Most organizations have no comparative advantage in cyber security. It’s simply not a core function of the organization. Therefore, there’s an opportunity cost to investing in these non-core capabilities. For many years, organizations have been doing the equivalent of “mowing their own lawns.” Now, with managed security service providers (MSSPs), companies can benefit from the comparative advantage of third-party specialists, just as they increasingly benefit from cloud vendors and services.

There’s another important point: companies can now assign a value to the service. To continue the metaphor, where at one time organizations had to mow their own lawns, they can now use a lawn service and know its precise cost. Therefore, companies can make informed, value-based decisions. Organizations may choose not to use an MSSP, but if their competitors do, the competition may reap an advantage.

There’s another principle that Ricardo outlined in his work: Specialization and division of labor increase efficiencies and decrease absolute costs. An MSSP, with the efficiencies of a multi-tenant environment, can usually provide a service at lower cost and/or better quality than a company can develop and operate in-house. Furthermore, the cost and quality advantage will likely increase over time since the specialist is likelier to innovate to maintain an advantage over competitors. As the noted economist Russ Roberts pointed out, “Trade creates wealth. Self-sufficiency is the road to poverty. … What is wise and productive in one time and place may not be wise and productive in another.”

What About Quality?

There are compelling advantages to using MSSPs: capital becomes available to spend on core capabilities, costs become predictable, the service improves over time, etc. So why isn’t everyone flocking to outsource more of their security functions? Companies trust their internal security teams more than outside providers.

Is this fear of losing control rational, or should the comparative economic advantage translate into a comparative advantage in security? Despite widespread reports of qualified information security staff shortages, organizations seem to think they have a comparative advantage in security. Like Garrison Keillor’s Lake Wobegon, where “all the women are strong, all the men are good looking, and all the children are above average,” nearly all organizations believe they can better secure their data than an outside organization.

MSSP outsourcing concerns are not necessarily irrational. The absolute number of companies offering managed security solutions is staggering. Many of these new companies might fail to survive. Struggling companies cut corners. Further, many organizations are not very happy with their MSSP’s service, or don’t really know how well they are doing. A company’s MSSP may not be generating a lot of false alarms, but are they missing true attacks? Until now, there was no way to quantitatively assess the performance of a security vendor.

Breach and Attack Simulation offers a way to test the ability of an MSSP to detect and block real-world attacks by injecting threat intelligence-informed attacks on the network. Simulations can be performed on an ongoing basis to periodically grade an MSSP’s performance and keep them on their toes. MSSP performance can also be benchmarked with peer organizations to allow informed decisions regarding whether to move to a new provider.

Does this sound useful? Bobcat Cyber has launched a service that enables companies to assess and benchmark the performance of their MSSPs.