Cybersecurity confusion

Egress has released Cybersecurity Hype: How to Manage Expectations Versus Reality. The report finds that decision makers, who face a crowded and complex marketplace of vendors, struggle to cut through marketing 'noise' when trying to implement solutions to reduce risk. The report's conclusions are supported by findings from a new international survey from Egress.


"The cyber security industry is frequently guilty of selling 'snake oil'," said Tony Pepper, CEO and Co-founder of Egress. "The industry is a crowded hotbed of start-ups and established players innovating in the same spaces, and constantly trying to both align and differentiate themselves from each other. In all the noise of category creation, product launches, buzz words, and acronyms, cyber security buyers continue to invest in mechanisms to reduce risk - but the reality of these investments is often very different from initial expectations. Our report delivers findings that show buyers have difficulty navigating the market and lifts the lid on the effectiveness of three existing approaches to reducing risk. At Egress, we are taking these findings to heart and reaffirming our commitment to being upfront and transparent with our customers and partners."

Report/Survey: Key Findings

The report highlights a situation where buyers face a crowded and complex market that, instead of articulating its technology, resorts to marketing buzzwords, hype, and unsubstantiated claims.

Survey: 91% of decision-makers found it difficult to select cybersecurity vendors due to unclear marketing about their specific offerings.

The report focuses on the expectations and reality surrounding three existing approaches to reducing risk: defense-in-depth, artificial intelligence, and security awareness and training (SA&T).

Defense-in-depth is a security strategy that centers on the idea that more layers of technology will provide a better chance of detecting and preventing threats, as well as containing, remediating, and recovering from attacks.

Survey: 92% of organizations already implement a defense-in-depth strategy and manage between 10 and 30 different security products.

The report spotlights three drawbacks of increased layers of security: first, an increased attack surface; second, added complexity and overhead; and third, commercial risks when onboarding multiple vendors.

Survey: 49% said their organization suffers from vendor sprawl, resulting in an increased attack surface.

Survey: 49% of IT leaders feel their security stack is overly complex.

Survey: 48% say their security stack is difficult to manage.

The report also features insights into whether and how AI supports cybersecurity in discovering new, unknown threats and in speeding up and improving the accuracy of incident investigation.

Survey: 77% of IT leaders told us they're already using a cybersecurity product with AI.

Survey: Only 66% claimed to fully understand how AI made their security product(s) more effective.

Key to the report is the issue of security awareness and training and its impact on making long-term, positive changes to employee behavior.

Survey: 96% believe training can make long-term, positive changes to employees' behavior, which conflicts with other data suggesting that these expectations may be divorced from reality.

However, box-ticking emerged as the primary driver for 80% of SA&T programs over creating a culture of security.

Survey: 41% say regulatory compliance is the primary driver for their SA&T program.

Survey: 39% say it's to meet cyber insurance requirements.

Survey: Only 20% say the primary driver is to create a culture of security.

Egress suggests three key considerations to bring real organizational change and create a security culture. The first is to measure outcomes rather than activity, the second is to tailor training to the individual, and the third is to combine SA&T with nudges, interventions and real-time teachable moments at the point of risk, when a user is about to perform a potentially dangerous action.

Survey: Contrary to Egress' advice, only 40% of respondents are offering fixed-frequency SA&T combined with real-time interventions, for example alerts just before a user makes a mistake such as replying to a phishing email.
