The Cybersecurity Marketplace: A Market for Lemons and How CyberAB Addresses It

  • mike08242
  • Apr 27
Introduction: The Cybersecurity Challenge


Cybersecurity Market for Lemons

Cybersecurity is a critical concern for businesses today, but for most, it’s not a central part of their operations. Often viewed as a cost that reduces margins without generating revenue, cybersecurity is treated as a necessary expense rather than a driver of growth. Many companies choose to outsource their cybersecurity needs to IT and service providers to manage this burden.


Choosing a provider, however, is not straightforward. How can a company assess the effectiveness of a provider’s solutions or their expertise in a constantly evolving field? This uncertainty positions the cybersecurity marketplace as an example of an asymmetric information market, similar to George Akerlof’s “market for lemons” metaphor. In this blog, we’ll examine why the cybersecurity market fits this model, the challenges it creates, and how the Department of Defense’s CyberAB initiative works to improve transparency and trust.


A Market for Lemons: Asymmetric Information in Cybersecurity

In his 1970 paper, The Market for Lemons, economist George Akerlof described a market where buyers and sellers have unequal information, leading to inefficiencies. Using used cars as an example, he noted that buyers struggle to distinguish reliable cars (“peaches”) from defective ones (“lemons”) because sellers know more about the car’s condition. This lack of trust drives down prices, pushing high-quality sellers out and leaving mostly lemons.


The cybersecurity marketplace operates similarly. Companies seeking cybersecurity solutions—software, managed services, or consulting—often lack the expertise to evaluate providers’ offerings. Providers, meanwhile, have detailed knowledge of their services, but their claims about “advanced technology” or “complete protection” are difficult to verify. This asymmetry makes it hard for businesses to identify competent providers, creating a market where quality is uncertain.


The consequences in cybersecurity are significant. A poor choice can lead to data breaches or financial losses, far worse than a faulty car. Yet, because cybersecurity is often seen as a cost rather than a priority, many companies hesitate to invest the effort needed to thoroughly vet providers, relying instead on marketing, certifications, or recommendations, which may not reflect true effectiveness.


Outsourcing Cybersecurity: A Complex Decision

Building an in-house cybersecurity team is costly and resource-intensive, diverting focus from core business goals. As a result, many organizations partner with IT and cybersecurity providers for expertise and scalability. These providers offer tools and services that internal teams may not be able to replicate.


This reliance, however, heightens the asymmetric information problem. The cybersecurity market is filled with vendors offering solutions like firewalls, intrusion detection, or endpoint protection, each claiming superiority. Without technical knowledge, companies struggle to evaluate these options. Even certifications, which might seem like a quality indicator, vary in credibility, leaving businesses at risk of partnering with providers who may not deliver adequate protection.


The CyberAB: A Step Toward Clarity

To address these issues for its Defense Industrial Base (DIB) contractors, the Department of Defense established the CyberAB, the accreditation body for the Cybersecurity Maturity Model Certification (CMMC) program. The CyberAB seeks to create a more transparent market by setting standards and accrediting professionals and organizations.


The CMMC framework defines cybersecurity requirements for organizations handling DoD information. The CyberAB supports this by training and certifying two key roles:


  • Registered Practitioner Organizations (RPOs): These firms help companies assess and improve their cybersecurity to meet CMMC standards, offering guidance on compliance preparation.


  • Certified Third-Party Assessor Organizations (C3PAOs): These groups conduct formal assessments to confirm compliance with CMMC requirements, ensuring impartial evaluations.


Through its training and certification processes, the CyberAB provides a way for companies to identify qualified providers. The CyberAB Marketplace lists accredited RPOs and C3PAOs, offering details about their credentials and services to help businesses make informed decisions.


How CyberAB Tackles the Market for Lemons

The CyberAB’s approach addresses the dynamics of a lemon market in several ways:

  • Standardized Criteria: The CMMC provides clear, measurable standards for cybersecurity, giving providers a consistent benchmark to meet and reducing reliance on vague claims.

  • Accreditation and Oversight: RPOs and C3PAOs undergo vetting, including training and, for C3PAOs, assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), to ensure competence.

  • Marketplace Transparency: The CyberAB Marketplace makes it easier for companies to find accredited providers, listing their qualifications to simplify the selection process.

  • Focus on Competence: Training ensures that accredited providers have the skills to deliver effective cybersecurity solutions, raising the market’s overall quality.


While focused on DoD contractors, the CyberAB’s model could inform broader efforts to improve the cybersecurity market by emphasizing accountability and clear standards.


Conclusion: Choosing Providers with Confidence

The cybersecurity marketplace, marked by asymmetric information, resembles a market for lemons. Companies often see cybersecurity as a cost and rely on external providers, but assessing their quality remains a challenge, increasing the risk of inadequate protection.


The CyberAB addresses this by offering a transparent, standards-based system to identify qualified providers. Organizations seeking assessments would do well to select only those listed in the CyberAB Marketplace, where accredited RPOs and C3PAOs have demonstrated their competence, reducing uncertainty and supporting stronger cybersecurity outcomes.
