'Warranty included' - the future of cybersecurity?

CrowdStrike's announcement of a cyber warranty offering has some questioning if this is the start of an industry trend

Warranties are a mainstay in most industries, but when it comes to cybersecurity, the financial onus falls on the customer in the event their security product fails to protect them - even if the security breach occurs due to a fault in the product.

CrowdStrike recently announced that it was including a breach prevention warranty up to $1m with its Falcon Endpoint Protection Complete package, reigniting the debate on who should carry the financial risk in the event of a security breach - the customer or the manufacturer.

Austin Murphy, vice president of managed services at CrowdStrike, told CRN that the company's warranty offering was a "vote of confidence" in the quality of its product. "We wanted to make sure that we underlined our claims of effectiveness by providing something that is a nice peace of mind [to the customer]," he said.

Though it is rare for cybersecurity vendors to offer cyber warranties, the past few years have seen both Comodo and SentinelOne make similar offerings. Murphy says that CrowdStrike differentiates its offering by being "more comprehensive."

He says that CrowdStrike's offering includes reasonable costs that would be incurred by companies that suffer a data breach, such as legal costs, incident response and forensic costs. "It is comprehensive of what we feel is important and needs to be considered when evaluating what happens when there's a data breach," Murphy claimed.

Adam Thornton, vendor alliance director at Bytes, a CrowdStrike partner, told CRN that he foresees the threat protection warranty being a "key part" of the reseller's security message and that the warranty opens new conversations with customers.

"I think we're starting to see a paradigm shift in the market that there's too much for IT teams to scale up to deliver back into the business. That skills gap is real but to be able to go to the table with the vendor - who is prepared to stand up and take ownership and put a warranty on that service - that's game changing and will define what happens in the next 12 to 24 months in the security market."

When asked if he thinks the financial burden of data breaches should shift from the customer to the vendor, Murphy said CrowdStrike is a "puzzle piece" and that such incidents require a "team effort" from all parties involved.

Jumping through hoops
CrowdStrike's announcement was met with a mixed reaction by those in the cybersecurity sector. Stuart Reay, managing director of Alpha Generation Distribution, called it a "bold statement" to the cybersecurity community.

"I have wondered for a long time if the vendors can continue to justify charging such vast amounts for their solutions and then not take some of the blame if the customer is breached. Billions and billions of dollars are spent every year and yet we continue to have serious breaches," he said, adding that he believes a warranty against a data breach is common sense.

Patrick Bayle, EMEA channel sales engineer at Cylance, is more circumspect on cybersecurity warranties. He said that such offerings often have so many loopholes that they "negate" the benefit of having one in the first place.

"A lot of enterprises are using cyber warranties and insurance as risk mitigation or risk offload. They're saying 'oh maybe we don't need to focus on that because we have a backup with a warranty type policy'."

Bayle thinks that CrowdStrike's warranty offering could signal a trend in the market, and that it is "good business" for those companies that solely offer cyber insurance. However, he does not see Cylance making such an offering. "Never say never, but we're not using our marketing on gimmicky stuff like that, but more that we can actually prevent, and prove that and we have the customers that attest to that."

Murphy acknowledged that previous warranty offerings from other cybersecurity vendors have been left wanting, but that CrowdStrike's warranty does not have such loopholes.

"In the past there have been warranties that have come out and upon further examination it was felt that they had not been as high quality as perhaps the marketing claims were. We certainly did not want to have that feedback come out. When we put together the warranty programme we worked closely with our partners to make sure that what we were providing felt as a tangible value and a real part of a customer's overall risk mitigation strategy. We don't have the loopholes that make this warranty impossible to invoke, but something that can be seen as real risk reduction."

Tristan Elder, senior director of EMEA alliances at CrowdStrike, echoes Murphy's sentiment. "This is something we've added to make sure customers are aware how seriously we take this and how much we back ourselves to deliver the outcome that we're putting our name to. Our brand is everything and for customers who might want to query it, or might want to dig into it, we'll be absolutely transparent with how to trigger the warranty."

As for whether the sector will spark a trend in cyber warranties being offered with products, Elder is hesitant to make such a prediction. "Our job is to make sure that we are identifying what we believe our customers and partners need, and how we can jointly go to market and not wait for a competitor to do something and react. It's for us to lead that chain. Our goal is to lead with confidence and if others should choose to follow, that's entirely up to them."

Thornton adds that customers want more turnkey solutions and that the market is going to have to adapt to a shifting IT landscape. "Whether the vendors are going to go and meet the demand or not will be the test of their business. I think it's more about the customer wanting these types of services and demanding them, quite rightly. They can't skill up to cover the ever-changing threat landscape. So they need partners who are prepared to underwrite their platform and stand by their technology."