Egress report: 96% of cyber security decision makers admit to confusion caused by vendor marketing

by Egress
Published on 18th Oct 2022

LONDON, UK / October 18, 2022 - Egress, a provider of intelligent email security, has released Cybersecurity Hype: How to Manage Expectations Versus Reality. The report includes findings that decision-makers, who face a crowded and complex marketplace of vendors, struggle to cut through marketing ‘noise’ when trying to implement solutions to reduce risk. The report’s conclusions are supported by findings from a new, international survey from Egress.

“The cyber security industry is frequently guilty of selling ‘snake oil’,” said Tony Pepper, CEO and Co-founder of Egress. “The industry is a crowded hotbed of start-ups and established players innovating in the same spaces, and constantly trying to both align and differentiate themselves from each other. In all the noise of category creation, product launches, buzzwords, and acronyms, cyber security buyers continue to invest in mechanisms to reduce risk – but the reality of these investments is often very different from initial expectations. Our report delivers findings that show buyers have difficulty navigating the market and lifts the lid on the effectiveness of three existing approaches to reducing risk. At Egress, we are taking these findings to heart and reaffirming our commitment to being upfront and transparent with our customers and partners.”

Report/Survey: Key Findings

The report highlights a situation where buyers face a crowded and complex market that, instead of articulating its technology, resorts to marketing buzzwords, hype, and unsubstantiated claims.

  • Survey: 91% of decision-makers found it difficult to select cybersecurity vendors due to unclear marketing about their specific offerings.

The report focuses on the expectations and reality surrounding three existing approaches to reducing risk: defense-in-depth, artificial intelligence, and security awareness and training (SA&T).

Defense-in-depth is a security strategy that centers on the idea that more layers of technology will provide a better chance of detecting and preventing threats, as well as containing, remediating, and recovering from attacks.

  • Survey: 92% of organizations already implement a defense-in-depth strategy and manage between 10 and 30 different security products.

The report spotlights three drawbacks of increased layers of security: first, an increased attack surface; second, added complexity and overhead; and third, commercial risks when onboarding multiple vendors.

  • Survey: 49% said their organization suffers from vendor sprawl, resulting in an increased attack surface.
  • Survey: 49% of IT leaders feel their security stack is overly complex.
  • Survey: 48% say their security stack is difficult to manage.

Also featured in the report are insights into whether and how AI supports cybersecurity in discovering new, unknown threats and in speeding up and improving the accuracy of incident investigation.

  • Survey: 77% of IT leaders told us they’re already using a cybersecurity product with AI.
  • Survey: Only 66% claimed to fully understand how AI made their security product(s) more effective.

Key to the report is the issue of security awareness and training and its impact on making long-term, positive changes to employee behavior.

  • Survey: 96% believe training can make long-term, positive changes to employees' behavior, which conflicts with other data suggesting that these expectations may be divorced from reality.

However, box-ticking emerged as the primary driver for 80% of SA&T programs over creating a culture of security.

  • Survey: 41% say regulatory compliance is the primary driver for their SA&T program.
  • Survey: 39% say it’s to meet cyber insurance requirements.
  • Survey: Only 20% say the primary driver is to create a culture of security.

Egress suggests three key considerations to bring real organizational change and create a security culture. The first is to measure outcomes rather than activity; the second is to tailor training to the individual; and the third is to combine SA&T with nudges, interventions, and real-time teachable moments at the point of risk, when a user is about to perform a potentially dangerous action.

  • Survey: Contrary to Egress’ advice, only 40% of respondents are offering fixed-frequency SA&T combined with real-time interventions, such as alerts just before a user makes a mistake, for example replying to a phishing email.

Download to read Cybersecurity Hype: How to Manage Expectations Versus Reality, including all its analysis and findings.

Survey Methodology

Survey findings are based on a Pollfish survey of 800 respondents at American and British organizations who are either primary decision makers or part of a committee that evaluates decisions about company data security. The survey ran in September 2022.

About Egress

As advanced persistent threats continue to evolve, we recognize that people are the biggest risk to organizations’ security and are most vulnerable when using email.

Egress is the only cloud email security platform to continuously assess human risk and dynamically adapt policy controls, preparing customers to defend against advanced phishing attacks and outbound data breaches before they happen. Leveraging contextual machine learning and neural networks, with seamless integration using cloud-native API architecture, Egress provides enhanced email protection, deep visibility into human risk, and instant time to value.

Trusted by the world’s biggest brands, Egress has offices in London, Sheffield, Cheltenham, New York, Boston, and Toronto. In April 2024 KnowBe4, the provider of the largest security awareness training and simulated phishing platform, entered into a definitive agreement to acquire Egress.