CISOs are skeptical about claims made by cybersecurity vendors

There is a high level of skepticism about claims due to vague product descriptions, ambiguous statistics, limited ability to measure product effectiveness, and a general lack of follow-through by cybersecurity vendors, a Valimail survey reveals.

What do security pros think about claims made by cybersecurity vendors?

The report is based on a survey of 296 IT security professionals about their views on cybersecurity vendors.

“Trying to hold vendors accountable is difficult,” says Chris Cravens, founding CIO of Uber and Zynga, who now serves as a technology advisor to various companies and investors. “It is tied to the sensationalism of product development.”

The respondents represent large enterprises with big security budgets. The report finds that 55% of respondents spend more than $100,000 on each new cybersecurity tool or solution.

While spending is high, so is dissatisfaction with vendors who simply don’t guarantee specific results or fail to provide adequate, data-driven descriptions of the benefits their products offer. And it all starts with the sales pitch: 53% of respondents say most or all vendors rely on unclear, opaque, and ambiguous data.

Vendors often fail to articulate the value of their products and their claims are difficult to verify. They also fail to keep their promises nearly half the time and rarely make check-in calls after closing sales.

Key data points

• 42% of respondents say cybersecurity products deliver value “sometimes,” but it is difficult or impossible to prove that value.
• 44% of respondents say “most or all vendors obfuscate their tech”.
• 47% of respondents say that vendors deliver on their obligations only half of the time or less.
• 49% of respondents say vendors share little to no reliable information about product roadmaps. In other words, they don’t share how far into the future their products will still be relevant in a continuously evolving cybersecurity landscape.

Based on the research findings, the promise of DMARC enforcement is a critical one, as 72% of respondents said they are very or extremely concerned about email-based threats, which remains the leading attack vector for all breaches.

Additionally, 48% indicated they are very or extremely likely to buy a product that promises to combat business email compromise (BEC) attacks, a problem that DMARC at enforcement significantly reduces.