A majority of IT security professionals at large enterprises are dissatisfied with their cyber security vendors because of factors such as an inability to demonstrate the effectiveness of security solutions or to deliver on their obligations on time.
A survey of 296 IT security professionals at large enterprises by Valimail has found that a majority of such professionals aren't too happy with their cyber security vendors due to various factors such as "vague product descriptions, ambiguous statistics, limited ability to measure product effectiveness, and a general lack of follow-through by the vendors".
The sense of distrust is particularly deep-rooted and seems to be something that cyber security vendors have not made efforts to understand or address. As many as 55 percent of IT security professionals at organisations feel that their vendors "rely on unclear, opaque, and ambiguous data" and 44 percent feel that "most or all vendors obfuscate their tech".
The survey also found that 49 percent of IT security professionals believe that cyber security vendors share little to no reliable information about product roadmaps, 47 percent believe that vendors rarely deliver on their obligations, and 42 percent believe it is difficult or impossible to prove the value of products and solutions offered by cyber security vendors.
"Through in-depth conversations with our customers, we sensed a growing and widespread frustration with the majority of cybersecurity vendors out there. That is why we decided to conduct this research — to highlight this problem and call on our peers and colleagues to help change the face of cyber security for the better," said David Appelbaum, chief marketing officer at Valimail.
He said that conversations between large enterprises and cyber security vendors should not involve the use of jargon, and that vendors need to state plainly what customers are buying and what results they can expect, and should work with them to ensure that promised results are realised.
Cyber security vendors need to live up to high expectations
Earlier this year, a survey of hundreds of IT security professionals carried out by Tripwire found that a vast majority of them were either struggling to fulfill all their cyber security needs, were struggling to fill security teams, or were already plagued with understaffed security teams.
Because of the lack of cyber security talent, 94% of organisations were willing to invest in managed services for security, 71% were willing to obtain external help for carrying out security assessments, 53% for penetration testing, and 51% for vulnerability management. At the same time, IT security professionals at 93% of organisations believed they would benefit from security help outside of their organisations.
The heavy reliance on external vendors to carry out cyber security tasks was due to organisations not having sufficient resources or manpower to attend to all cyber security needs. It would take a lot of investment in resources for a large organisation to identify threats in a timely manner, discover breaches, and respond to cyber security incidents and threats.
"Security teams are in search of new skillsets to deal with evolving attacks and more complex attack surfaces as they include a mix of physical, virtual, cloud, DevOps and operational technology environments. It's becoming more difficult to maintain critical security controls, and there are fewer people available to do it," said David Meltzer, chief technology officer at Tripwire.
"Because security teams are stretched thin, it’s going to be more important than ever to build strong partnerships. Organisations can collaborate with trusted vendors to take pressure off their in-house resources. Approaches could include more automation of security tasks and support through managed service to ensure that no critical security controls are dropped.
"Maintaining a strong foundation of security is non-negotiable, so it’s imperative that organisations partner across the info security community to continue meeting security goals effectively," said Lamar Bailey, senior director of security research at Tripwire.
While the demand for cyber security vendors for various tasks is encouraging for the industry, vendors cannot keep disappointing IT security professionals at enterprises by not meeting obligations, obfuscating their tech, or relying on vague or ambiguous statistics. If they do, enterprises will soon start searching for alternatives, and it will be difficult for vendors to win back the trust that they have lost.