The availability of new security products increases, the amount of budget spent on cybersecurity grows, and the number of security breaches seems to outpace both. This basic lack of correlation between increasing cybersecurity spend and any clear increase in cybersecurity effectiveness is the subject of a new analytical survey from Egress.
With 52 million data breaches in Q2 2022 alone (Statista), Egress questioned 800 cybersecurity and IT leaders on why vendor claims and reality aren’t aligned. The headline response in the survey is that 91% of decision makers have difficulty in selecting cybersecurity vendors due to unclear marketing about their specific offerings.
The financial investment cycle doesn’t help in this. For many investors, the strength of the management team is more important than the product. The argument is not whether this product is a cybersecurity silver bullet, but whether this management can take the company to a point where it can exit with serious profits.
If investment is achieved, much of it will go into marketing. That marketing must compete against existing, established vendors – so it tends to be louder, more aggressive, and replete with hyperbole. Marketing noise can lead to increased valuation, which can lead to a successful and profitable exit by the investors.
Of course, this is an oversimplification and doesn’t always happen. The point, however, is that it does happen and has no relevance to the real effectiveness of the product in question. Without any doubt, there are many products that have been over-hyped by marketing funds provided by profit-driven investors.
{ Read: Can You Trust Security Vendor Surveys? }
An example of hype in practice can be seen in the early ‘wars’ between what was labeled as next-gen AI-based anti-malware products vs traditional signature-based anti-virus products. In reality, next-gens still needed to use signatures, while traditional products had already been using AI for almost a decade.
However, the new aggressive marketing brought AI into the spotlight, and introduced a host of new problems: increased false positives, alert fatigue among staff and the need for more and very expensive threat analysts. But to what effect? More staffing, increased spending on the new products, greater complexity in the security stack – and no overall diminution of breaches.
Security awareness training is another example of marketing hype leading to unrealistic expectations of improved security. Ninety-six percent of the respondents believe training can make long-term, positive changes to employees’ behavior – but reality suggests otherwise.
All ‘official’ advice is that awareness training is an essential part of security. And most awareness training products can demonstrate that their services can bring a customer’s phishing failures down from, say, 50% to 10%. This sounds like a win until you remember that just a single fail can lead to disaster. And again, no amount of spend on awareness training has had any serious effect on the number of breaches that start from phishing.
There is another factor that should be considered – the effect of security regulations. Breaches and consequent regulatory fines occur. But GDPR fines, for example, are reduced if the breached company can demonstrate it took serious and realistic efforts to prevent theft of data. If this happens, security defenses do not protect companies from hackers, but do protect the company from the worst effects of non-compliance.
Cyberinsurance is beginning to have a similar effect, where companies are required to install certain defenses, but are driven to do so not because they choose to, but because they are required to do this for insurance purposes. This demand from the insurance industry is likely to increase in future years.
The implication is that increased use of the latest security products has a recognizable value that is not directly related to efficiency. It is this combination of not seeing through marketing hype, conformance to official recommendations and the need to tick regulatory and insurance boxes that leads to confusion in what is bought, why it is bought, what it can achieve, and how it fits into the overall security posture. The result is clearly delineated in the Egress survey.
Forty-nine percent of respondents (report PDF) feel their security stack is overly complex, while 48% consider it difficult to manage. Forty-nine percent say they suffer from vendor sprawl leading to an increased attack surface. Security products suffer from bugs and vulnerabilities just like any other software.
New technologies are difficult to understand and difficult to use efficiently. Seventy-seven percent of the IT leaders are using products that employ artificial intelligence; but only 66% claim to understand how this AI makes their security more effective.
Tony Pepper, CEO and co-founder of Egress, believes the security vendors sometimes take advantage of the market conditions to sell what amounts to snake oil. “The industry is a crowded hotbed of start-ups and established players innovating in the same spaces, and constantly trying to both align and differentiate themselves from each other. In all the noise of category creation, product launches, buzz words, and acronyms, cyber security buyers continue to invest in mechanisms to reduce risk – but the reality of these investments is often very different from initial expectations.”
Related: Bias in Artificial Intelligence: Can AI be Trusted?
Related: Fighting Cyber Security FUD and Hype