
Is the cyber security industry selling snake oil?

by Tony Pepper
Published on 18th Oct 2022

The short answer: Yes, the cyber security industry is frequently guilty of selling snake oil.

The ongoing rapid growth of the cyber security industry (valued at $139.77bn in 2021, and projected to grow to $155.83bn in 2022 and to $376.32bn by 2029) has resulted in a hotbed of start-ups and established players that are continually innovating and bringing new products and features to market.

These vendors are constantly looking for new ways to describe their products, balancing the need to simultaneously align with each other and industry influencers, such as Gartner, while also standing out enough to compete and, ultimately, be the solution of choice for customers.

This leaves cybersecurity buyers with a crowded and noisy marketplace to navigate, filled with category creation and consolidation, product and feature launches, and buzzwords and acronyms.

There’s nowhere quite like a cybersecurity trade show to see this brought to life. You can trace variations of messaging themes across different booths and probably play the most rewarding game of Buzzword Bingo ever! But this leaves cybersecurity buyers with a problem: the reality of their cyber security investments is often very different from initial expectations.

For our report Cybersecurity hype: How to manage expectations vs reality, we asked 800 cyber security and IT leaders a series of questions on the cyber security industry and three trending topics: security awareness and training (SA&T), artificial intelligence (AI), and defense in depth.

Here are some of the key takeaways:

  • 91% of decision-makers found it difficult to select cybersecurity vendors due to unclear marketing about their specific offerings
  • 96% believe SA&T can make long-term, positive changes to employees' behavior
  • Only 20% say the primary driver for the SA&T program is to create a culture of cyber security; the remaining 80% carry out SA&T to tick regulatory and cyber insurance boxes
  • 77% of IT leaders told us they’re already using a cybersecurity product with AI
  • Only 66% claimed to fully understand how AI made their security product(s) more effective
  • 92% of organizations implement a defense-in-depth strategy and manage between 10 and 30 different security products
  • 49% said their organization suffers from vendor sprawl, resulting in an increased attack surface
  • 49% of IT leaders feel their security stack is overly complex
  • 48% say their security stack is difficult to manage

These results show the tension between cyber security and IT leaders’ expectations and the reality they face.

Improvements to this situation won’t happen overnight. For vendors, we can all work to be as clear as possible with the messages we take to market, helping buyers to understand how our technology can work within their existing stack and the genuine, real-world value our products add.

Cyber security professionals must also be proactive in questioning vendors about their solutions, particularly those that use AI, to make sure they have a solid understanding of how the technology operates, how it will work within their environment, the security of the solution itself, and how to streamline their tech stack wherever possible. We would also recommend speaking with your peers and speaking with a vendor’s current customer to validate their marketing materials and understand the benefits the technology is bringing to another organization before you commit. Finally, while being realistic about the way the world operates, don’t treat any part of your cyber security program as a box-ticking exercise – as soon as you do that, your colleagues will follow your behaviors.

To learn more, read the full report, Cybersecurity Hype: How to Manage Expectations Versus Reality, including all its analysis and findings.