The vast majority of cybersecurity decision makers – 91 percent, in fact – find it difficult to select security products due to unclear marketing, according to the results of a survey of 800 cybersecurity and IT decision makers released today by email security company Egress.
“IT Security buyers don’t have as much time as they’d like to research and choose security solutions – a situation exacerbated by vendors that exaggerate their capabilities and sell products that don’t meet expectations,” the Egress report said.
Those findings echo comments made earlier this year at the RSA Conference by Joe Hubback, managing director EMEA at cyber risk management startup ISTARI. Cybersecurity buyers, Hubback said at the time, are “basically just buying and hoping that the solutions they’re buying are really going to work.”
The market is increasingly crowded with startups bringing new technologies to market aimed at solving complex security challenges, the Egress report notes, but many of those startups struggle to articulate exactly how their products work, falling back instead on marketing buzzwords and hype.
Defense-in-depth or Vendor Sprawl?
The survey found that 92 percent of organizations currently implement a defense-in-depth strategy, layering products to improve security: 6 percent leverage more than 30 different security products, 17 percent use 21 to 30, and 46 percent use 11 to 20 products.
Still, the report notes, more isn’t always better. Forty-nine percent of respondents said their organization suffers from vendor sprawl; 48 percent said their security team finds it difficult to manage their existing range of technologies, and 49 percent said their security stack is overly complex.
“If a vendor is using defense-in-depth as a key argument for why a new product(s) will benefit your organization, it’s important to dig deeper and understand how they’ll specifically improve your existing strategy,” the report advises.
Rather than adding more and more new solutions to your stack, the report suggests that consolidating instead around one or a few vendor suites and focusing on better integration between existing technologies can be a better way to improve return on investment (ROI) and reduce attack surfaces.
Assessing AI and Security Training
The survey also found that while 77 percent of IT leaders use a cybersecurity product that leverages AI, a third of those IT leaders don’t fully understand how AI makes their security products more effective, and only 52 percent think vendors are very clear in how they market AI capabilities.
“Many vendors present AI as a black box solution, so how do you qualify risks and benefits? Cutting through the hype and marketing surrounding AI is difficult because most IT teams do not employ data scientists who know which questions to ask vendors selling solutions that claim to use AI,” the report states.
The survey also found almost unanimous faith in the benefits of security awareness training: Fully 96 percent of respondents believe training can bring about long-term, positive changes to their employees’ cybersecurity behavior.
Still, just 32 percent said creating a culture of security is the key driver for their security awareness training (SA&T) program, compared to 67 percent who are more focused on regulatory compliance and 62 percent who conduct training simply to meet cyber insurance requirements.
A separate Egress survey [PDF] of 500 IT leaders at medium-to-large businesses recently found that while 98 percent deliver anti-phishing training, 84 percent had been victims of successful phishing attacks in the past 12 months.
“SA&T as a box-ticking exercise won’t bring real security culture change,” the report states. “Organizations need to combine SA&T with real-time teachable moments, tailor programs to individual needs based on user risk, and measure real-world outcomes rather than participation statistics.”
What Should Security Buyers Do?
Hubback reported at the RSA Conference that 90 percent of security buyers aren’t getting the results that vendors claim they can deliver.
He and his colleagues have launched the Buyer’s Charter for SAFER Cybersecurity and have said the industry needs something similar to GSMA’s role in setting telecom standards.
But unless and until there are formal standards, buyers who are already pressed for time must do their best to assess products through the few means available, such as independent test results and their own peer networks, and conduct proof-of-concept demonstrations when possible. Focusing on ideal use cases is a good idea — no product is going to be good at everything.
The Egress report had some broad recommendations for cybersecurity buyers, cautioning against adding new products for defense-in-depth reasons alone. “Vendor sprawl, added complexity, and alert fatigue bring their own risks,” the report said. “Consider consolidating and streamlining around a select few trusted vendors and only then, fill the gaps.”
For AI products in particular, Egress said, “make sure you arm yourself with the right questions to ask vendors. They should be able to simply explain their value proposition and how they’ll support your specific use cases.”