Security Vendor Hype Fuels Lackluster Technology Investments, Survey Finds

Security vendors that hype up security threats to generate interest in their security platforms may end up doing long-lasting damage to their reputation, according to a new study that found the aggrandizing could lead to disappointing technology investments.

Vendors frequently raise concern about the seriousness of threats to increase the perception that organizations face a higher risk if they don't buy new security protection, according to the Ponemon Institute survey of 4,881 IT and IT security practitioners in 15 countries. Fifty-eight percent said providers of security solutions hype the threats and risks companies face. The hype may help free up budgeting dollars to invest in a new technology, but almost half (47 percent) of respondents said their company very frequently or frequently have purchased a security solution that was a disappointment.

Organizations are better off taking a systematic approach to evaluating vendor technologies, according to the study. Buying on fear causes organizations to conduct poorly executed risk assessments and miscalculate the need for additional personnel to manage new systems. Potential risks posed by emerging threats may be greatly reduced without buying new protection.

[Related: Advanced Threat Scare Tactics Don't Sell, Say Solution Providers]

"Assess security solution capabilities and deployments against a comprehensive kill chain model to eliminate gaps and minimize excessive overlap," according to the study. "Expand beyond defenses overly dependent upon identifying an attack at only the ’malware delivery stage."

Survey respondents feared advanced persistent threats and attacks designed to steal data the most, according to the survey. A website hack, a distributed denial of service attack designed to bring down critical business systems or an accidental data breach were also top concerns.

The two-part study, "Exposing the Cybersecurity Cracks: A Global Perspective," was commissioned by security vendor Websense. The Ponemon study found many long-standing hurdles getting in the way of security technology buying decisions. IT security professionals said they rarely speak to executive management, they fear disrupting users with lengthy downtime or are resigned to thinking they won't get funding for a new project until a serious security incident takes place.

What would get an organization to rip out and replace a security vendor product? Downtime and difficult deployment or user interface triggered a change in security vendors the most, according to the survey. Budget changes also sometimes free up cash for new security platforms, and organizations are compelled to invest in system hardening and other security measures following a data breach, survey respondents said.

The study also found uncertainty about the effectiveness of security systems in place at their organization. Forty-four percent of survey respondents said their company's security solutions do not provide adequate intelligence to inform them about an attempted cyberattack and the potential consequences. Similarly, the technology designed to detect a malware infection often fails to uncover the root cause of an attack, the survey found.

NEXT: Survey Findings Not Surprising, Solution Providers Say

Solution providers told CRN that the survey findings should not come as a surprise. They said advanced threat scare tactics rarely move a small or midsize business owner enough to spend on new security technology.

Selling security by hyping up threats is always the wrong answer and does nothing to establish a trusted relationship with a client, said Andrew Sherman, the security practice lead at Eden Technologies, a New York-based security consultancy and solution provider.

There's always a problem of not having complete control and assurance that there are adequate preventative measures in place, Sherman said. If organizations invested in ways to control user access, monitor critical processes and address configuration issues and software vulnerabilities, many of the risks posed by advanced threats would be greatly reduced, he said.

"We are creating more and more complex security environments to deal with the fact that people write vulnerable software," Sherman said. "What is depressing in some ways is that attackers manage to recycle relatively mature threats and they still get a lot of success out of it."

Compliance mandates are often a major force driving security investment decisions, said Mike Cotton, vice president of research and development at San Antonio-based Digital Defense, a vendor that specializes in conducting audits on risk assessments of corporate networks. Many organizations have gotten past the checkbox mentality of the past as guidelines, such as the Payment Card Industry Data Security Standards (PCI-DSS), and have matured to address disruptive technologies like cloud adoption, mobile and virtualization.

"Cost is always a major factor, but we've seen concern about the deployment risks as well because there's a fear of disrupting traffic even for a short period of time," Cotton said in a recent interview.

PUBLISHED JULY 21, 2014