Man working on multiple screens showing cybersecurity hype complicates security stack

Study Shows Cybersecurity Hype Complicates the Security Stack, Expands the Attack Surface

A report by Egress lifted the lid on the struggles that security leaders face while selecting their organizations’ security stack because of cybersecurity vendors’ “snake oil” marketing tactics.

The Cybersecurity Hype: How to Manage Expectations Versus Reality report found that security leaders struggle to cut through the noise and implement appropriate solutions for their companies.

Tony Pepper, CEO and Co-founder of Egress, said the cybersecurity industry was guilty of selling “snake oil,” with outcomes frequently differing from initial expectations.

“The industry is a crowded hotbed of start-ups and established players innovating in the same spaces, and constantly trying to both align and differentiate themselves from each other. In all the noise of category creation, product launches, buzz words, and acronyms, cyber security buyers continue to invest in mechanisms to reduce risk.”

Cybersecurity hype clouds security leaders’ judgment and expands the attack surface

According to the cybersecurity hype report, confusing marketing strategies by vendors confused most security leaders. Subsequently, 91% of decision-makers found it difficult to select cybersecurity vendors due to unclear marketing about their specific offerings.

Additionally, 49% of security leaders said their organization suffers from vendor sprawl, resulting in an increased attack surface.

Consequently, 92% of organizations implement a defense-in-depth strategy and have to manage between 10 and 30 different security products. Defense-in-depth aims to create more technological layers to detect, prevent, contain, remediate, and recover from attacks.

In a noisy marketplace filled with unsubstantiated claims, users cannot accurately predict the effectiveness of the hyped solutions, nor do they have the time to do so. Thus, they prefer multiple security layers hoping to stop attacks wherever possible and later determine what failed.

“Buyers are faced with a crowded and complex market, needing to continually layer new security products into their environment to achieve defense-in-depth, assess new and emerging AI technologies, and continually re-invest in SA&T.”

Unsurprisingly, vendors were capitalizing on this strategy by convincing IT and security leaders that their products would contribute immensely to defense-in-depth.

Egress warned that increasing cybersecurity products was not necessarily beneficial considering the risk vs. cost, business and user friction, and IT/security resources and time.

Cybersecurity hype complicates the security stack

The security company found that cybersecurity hype complicated organizations’ security stack and increased the management overhead. Nearly half (49%) of IT and security leaders feel their security stack is overly complex, while 48% think it is difficult to manage.

Similarly, the complex security stack introduced potential commercial risks when onboarding multiple vendors, especially startups prone to financial failure. This situation is unlikely to change with startups dominating the cybersecurity industry, valued at $139.77 billion in 2021 and projected to reach 155.83 billion in 2022 and $376.32 billion by 2029.

Unclear results and marketing of AI-based security products

Egress report featured insights into if/how AI supports cybersecurity to discover new unknown threats and speeds up and improves the accuracy of incident investigation.

According to the researchers, 77% of IT leaders already used a security product with inbuilt AI features to enhance detection. However, only 66% fully understood how AI made their security product(s) more effective, while only 52% think vendors are “very clear” in marketing AI capabilities.

Cybersecurity is secondary in security awareness and training

The cybersecurity hype report found that 96% of the respondents believe security awareness and training (SA&T) can make long-term, positive changes to employees’ behavior. However, Egress warned that such high expectations might be unachievable based on available data.

“Despite these beliefs, other data we’ve discovered suggests that these expectations may be divorced from reality – and inflated expectations of SA&T can be exacerbated by vendors.”

Egress also discovered that most organizations prioritized SA&T for purposes other than security. For example, 67% of the respondents cited regulatory compliance as the key driver for SA&T, while 62% adopted SA&T to meet cyber insurance requirements. Only 32% of the respondents cited “creating a security culture” as the primary objective in security awareness and training.

No wonder SAT frequently failed, with 84% of the respondents reporting successful phishing attacks despite 98% of organizations implementing SAT programs.

Overcoming cybersecurity hype and navigating the complex security stack

To overcome the cybersecurity hype and conquer the complex security stack, Egress recommended the following:

  • Assessing outcomes instead of activity;
  • Tailored individual training; and
  • Combine SA&T with nudges, interventions, and real-time teachable moments, at the point of risk, when a user is about to perform a potentially dangerous action.

Meanwhile, Egress found that 40% of organizations were already combining SA&T with real-time interventions, such as alerts just before a user made a mistake, like responding to a phishing email.