The pitfalls of cybersecurity shopping: hype and shoddy products
There’s a growing threat on the cybersecurity scene that could drain millions from unsuspecting businesses and leave them vulnerable to hacking threats.
It isn’t a new strain of ransomware. It’s the cybersecurity industry itself.
It’s ironic, but the products vendors sell, and the marketing they use, sometimes leave buyers misinformed and less secure, according to several business directors who actually buy the tech.
“There’s definitely a lot of vaporware,” said Damian Finol, an IT security manager at a major internet company. “There are definitely products that have really exaggerated claims about what they actually do.”
For some vendors, it’s more about the sale than about security, IT executives say. To close a deal, bad vendors tend to overpromise features that they claim will be added down the line but never materialize. That makes a buyer’s job harder.
“It takes more and more time and investment to find the right products,” said Martin Fisher, a chief information security officer at a hospital in Atlanta. “It’s frightening how many don’t do a good job of this.”
Buyer beware
Navigating the cybersecurity marketplace has never been tougher, security administrators say. Go to a security show like RSA or Black Hat and you will find hundreds of vendors offering antivirus software, network firewalls and other products to protect your business against hackers.
Clearly, a lot of products are being bought. According to research firm Gartner, an estimated $81.6 billion was spent worldwide last year, with sales only expected to go up.
But figuring out which products are worthwhile is no easy matter, especially when vendors are hyping up their technology.
“A lot of people have really great ideas,” said Quentyn Taylor, director of information security at Canon EMEA. “But then you sit there and wonder: ‘Does this work outside the PowerPoint presentation? How does this actually install?’”
“It may be the best security tool,” he added. “But can IT operations deploy it or maintain it easily?”
The managers say that’s a key problem with some of today’s security products: once installed, they can be difficult to use or won’t work well in the real world.
“If they will fail, most products will fail at scale,” said Jonathan Chow, a CISO at an entertainment company. “That’s the real difficulty: Is the product going to work when installed in 1,000 computers? Or 10,000?”
Others, such as Finol, are troubled by security vendors who only check in with their customers to renew the service contract — not to help them use the product.
“It’s a wasted opportunity,” he said. “The buyers are going to be like, ‘We barely used this. We didn’t take full advantage of this product.’”
Aggressive sales
Poorly performing products also amount to wasted money. At the enterprise level, licensing security products can easily cost $1 million or more, Chow said. But vendors seem to think he has an unlimited budget.
“A lot of them do assume that my CFO is a leprechaun, and that there’s a big pot of gold in my office,” Chow said. “Every product is super expensive.”
Some vendors even resort to scare tactics. When Chow rejects a product pitch, salespeople often tell him he doesn’t care about his company’s security.
“It’s a shame-and-guilt game,” Chow said.
One CISO said that on two occasions, vendors have threatened to report his organization to the U.S. Dept. of Health and Human Services, claiming he was violating compliance regulations by not buying their security product.
The aggressive sales tactics aren’t surprising. Competition among vendors has ramped up in recent years as a wave of security startups has shaken up the sector with new products promising better protection. That’s brought a flood of venture capital into an increasingly crowded market.
On the plus side, the growth of the market means more choice, and possibly more innovation — but that’s open to debate.
“The innovation is more in marketing and less in product,” Fisher said.
Hype over technology
For example, vendors like to talk about cutting-edge technologies, such as machine learning, and include them in their marketing. Or they’ll talk about how to stop nation-state hackers because it sounds sexy.
But often, the technology they’re promoting isn’t that impressive, let alone game-changing, customers say. And average businesses, which tend to face more mundane threats such as email phishing scams, may not even need them.
“The vendors tend to overhype on the black swan (the rare and unforeseen event), and not the common threat that is happening every day,” Taylor said.
“I’ve yet to see anything (in machine learning) that would make me sit up and go, ‘Wow,’ in the security space,” he said.
Taylor does look forward to what the industry will cook up next. But it’s easy for less-experienced business executives to get caught up in all the marketing amid fears they’ll be hacked next.
“That’s the natural reaction to hearing a new buzzword, like insider threats or APT (advanced persistent threat),” Finol said. “The customers will jump the gun without doing the due diligence.”
Of course, good vendors exist. But there’s no magic bullet or one-size-fits-all approach to cybersecurity. IT managers say there are a few questions businesses should ask when they’re looking at an enterprise security product:
What do my peers think about this product? Have any of them tried it?
Will my security staff even find this product useful?
Can the product scale and integrate with my IT infrastructure?
Do I own an existing product (or a free tool) that already does the same thing?
“People have to do their homework,” Chow said. “They can’t rely on what they are being told.”