Cybersecurity confusion

"The cyber security industry is frequently guilty of selling ‘snake oil'," said Tony Pepper, CEO, and Co-founder of Egress. "The industry is a crowded hotbed of start-ups and established players innovating in the same spaces, and constantly trying to both align and differentiate themselves from each other. In all the noise of category creation, product launches, buzz words, and acronyms, cyber security buyers continue to invest in mechanisms to reduce risk - but the reality of these investments is often very different from initial expectations. Our report delivers findings that show buyers have difficulty navigating the market and lifts the lid on the effectiveness of three existing approaches to reducing risk. At Egress, we are taking these findings to heart and reaffirming our commitment to being upfront and transparent with our customers and partners."

Report/Survey: Key Findings

The report highlights a situation where buyers face a crowded and complex market that instead of articulating its technology resorts to marketing buzzwords, hype, and unsubstantiated claims.

Survey: 91% of decision-makers found it difficult to select cybersecurity vendors due to unclear marketing about their specific offerings.

The report focuses on the expectations and reality surrounding three existing approaches to reducing risk: defense-in-depth, artificial intelligence, and security awareness and training (SA&T).

Defense-in-depth is a security strategy that centers on the idea that more layers of technology will provide a better chance of detecting and preventing threats, as well as containing, remediating, and recovering from attacks.

Survey: 92% of organizations already implement a defense-in-depth strategy and manage between 10 and 30 different security products.

The report spotlights three drawbacks of increased layers of security. The first, an increased attack surface; the second, added complexity and overhead; and the third, commercial risks when onboarding multiple vendors.

Survey: 49% said their organization suffers from vendor sprawl, resulting in an increased attack surface.

Survey: 49% of IT leaders feel their security stack is overly complex.

Survey: 48% say their security stack is difficult to manage.

Also featured in the report are insights into if/how AI supports cybersecurity to discover new, unknown threats, and speeds up and improves the accuracy of incident investigation.

Survey: 77% of IT leaders told us they're already using a cybersecurity product with AI.

Survey: Only 66% claimed to fully understand how AI made their security product(s) more effective.

Key to the report is the issue of security awareness and training and its impact on making long-term, positive changes to employee behavior.

Survey: 96% believe training can make long-term, positive changes to employees' behavior, which conflicts with other data suggesting that these expectations may be divorced from reality.

However, box-ticking emerged as the primary driver for 80% of SA&T programs over creating a culture of security.

Survey: 41% say regulatory compliance is the primary driver for their SA&T program

Survey 39% say it's to meet cyber insurance requirements

Survey: Only 20% say the primary driver is to create a culture of security

Egress suggests three key considerations to bring real organizational change and create a security culture. The first is to measure outcomes rather than activity, the second is to tailor training to the individual, and the third is to combine SAT with nudges, interventions and real-time teachable moments, at the point of risk, when a user is about to perform a potentially dangerous action.

Survey: Contrary to Egress' advice, only 40% of respondents are offering fixed frequency SAT combined with real-time interventions, such as alerts just before a user makes a mistake, such as replying to a phishing email.