The pitfalls of cybersecurity shopping: hype and shoddy products

In a crowded market with many new products, it can be hard to make sure you're getting what you need

There's a growing threat on the cybersecurity scene that could drain millions from unsuspecting businesses and leave them vulnerable to hacking threats.

It isn’t a new strain of ransomware. It’s the cybersecurity industry itself.

It's ironic, but the products vendors sell, and the marketing they use, sometimes leave buyers misinformed and less secure, according to several business directors who actually buy the tech.   

“There’s definitely a lot of vaporware,” said Damian Finol, an IT security manager at a major internet company. “There are definitely products that have really exaggerated claims about what they actually do.”

For some vendors, it's more about the sale than about security, IT executives say. To close a deal, bad vendors tend to overpromise features that they claim will be added down the line but never materialize. That makes a buyer's job harder.

“It takes more and more time and investment to find the right products,” said Martin Fisher, a chief information security officer at a hospital in Atlanta. “It’s frightening how many don’t do a good job of this.”

Buyer beware

Navigating the cybersecurity marketplace has never been tougher, security administrators say. Go to a security show like RSA or Black Hat and you will find hundreds of vendors offering antivirus software, network firewalls and other products to protect your business against hackers.

Clearly, a lot of products are being bought. According to research firm Gartner, an estimated $81.6 billion was spent worldwide last year, with sales only expected to go up.

But figuring out which products are worthwhile is no easy matter, especially when vendors are hyping up their technology.

“A lot of people have really great ideas,” said Quentyn Taylor, director of information security at Canon EMEA. “But then you sit there and wonder: ‘Does this work outside the PowerPoint presentation? How does this actually install?’”

“It may be the best security tool,” he added. “But can IT operations deploy it or maintain it easily?”

The managers say that’s a key problem with some of today’s security products: once installed, they can be difficult to use or won't work well in the real world.  

“If they will fail, most products will fail at scale,” said Jonathan Chow, a CISO at an entertainment company. “That’s the real difficulty: Is the product going to work when installed in 1,000 computers? Or 10,000?”

Others, such as Finol, are troubled by security vendors who only check in with their customers to renew the service contract -- not to help them use the product.

“It’s a wasted opportunity,” he said. “The buyers are going to be like, ‘We barely used this. We didn’t take full advantage of this product.’”

Aggressive sales

Poorly performing products also amount to wasted money. At the enterprise level, licensing security products can easily cost $1 million or more, Chow said. But vendors seem to think he has an unlimited budget.

“A lot of them do assume that my CFO is a leprechaun, and that there’s a big pot of gold in my office,” Chow said. “Every product is super expensive.”

Some vendors even resort to scare tactics. When Chow rejects a product pitch, salespeople often tell him he doesn’t care about his company’s security.

“It’s a shame-and-guilt game,” Chow said.

One CISO said that on two occasions, vendors have threatened to report his organization to the U.S. Dept. of Health and Human Services, claiming he was violating compliance regulations by not buying their security product.  

The aggressive sales tactics aren't surprising. Competition among vendors has ramped up in recent years as a wave of security startups has shaken up the sector with new products promising better protection. That’s brought a flood of venture capital into an increasingly crowded market.

On the plus side, the growth of the market means more choice, and possibly more innovation -- but that’s open to debate.

“The innovation is more in marketing and less in product,” Fisher said.

Hype over technology

For example, vendors like to talk about cutting-edge technologies, such as machine learning, and include them in their marketing. Or they’ll talk about how to stop nation-state hackers because it sounds sexy.

But often, the technology they're promoting isn’t that impressive, let alone game-changing, customers say. And average businesses, which tend to face more mundane threats such as email phishing scams, may not even need it.

“The vendors tend to overhype on the black swan (the rare and unforeseen event), and not the common threat that is happening every day,” Taylor said.

“I’ve yet to see anything (in machine learning) that would make me sit up and go, ‘Wow,’ in the security space,” he said.

Taylor does look forward to what the industry will cook up next. But it’s easy for less-experienced business executives to get caught up in all the marketing amid fears they’ll be hacked next.

“That’s the natural reaction to hearing a new buzzword, like insider threats or APT (advanced persistent threat),” Finol said. “The customers will jump the gun without doing the due diligence.”

Of course, good vendors exist. But there’s no magic bullet or one-size-fits-all approach to cybersecurity. IT managers say there are a few questions businesses should ask when they're looking at an enterprise security product:

  • What do my peers think about this product? Have any of them tried it?
  • Will my security staff even find this product useful?
  • Can the product scale and integrate with my IT infrastructure?
  • Do I own an existing product (or a free tool) that already does the same thing?

“People have to do their homework,” Chow said. “They can’t rely on what they are being told.”


Michael Kan

IDG News Service