Buyers must navigate cybersecurity market confusion

When complexity went into overdrive

As for how the security market got here, analysts credit or blame different sequences of events.

Doug Cahill

According to Doug Cahill, cybersecurity vice president and group director at Enterprise Strategy Group (ESG), a division of TechTarget, the seminal event that led to cascading security market changes was Operation Aurora, a 2009 zero-day attack that originated in China. Designed to steal source code from multiple U.S. technology companies, including Google and Adobe, Cahill said the attack was a catalyst for industry innovation, sparking fragmentation and an influx of venture capital to the market.

That event coincided with a growing number of cybercriminals, increased monetization of cybercrime and less need for threat actors to have deep technical expertise because products can be sourced off the dark web.

These new challenges brought in a slew of new products and product categories, Cahill said, as the cybersecurity skills shortage simultaneously made it even harder for enterprises to keep up with more complex IT environments, especially as enterprise cloud growth began to exponentially expand the attack surface.

Johna Till Johnson

While she agreed about cybersecurity market confusion, in a slightly different spin, Nemertes Research CEO and founder Johna Till Johnson attributed a lot of misunderstanding around products and vendors to security convergence.

Most network security was firewall-based throughout the 1990s, with infosec -- which involved encryption with a side of antimalware -- managed separately. In the early 2000s, the concept of identity and access management (IAM) gained steam. But, in many companies, these security threads were separate, Johnson said. Companies had infrastructure for data and network security, and infosec covered policy-based IAM. Separately, endpoint security was managed by the team that protected desktops.

Around 2010, talk of the end of the enterprise perimeter brought the firewall-based, network-centric security methodology into question, Johnson said. Network, information, endpoint and identity security threads were being woven together, and many companies were unsure how to adapt.

"The fundamental market confusion is where the policy lives," Johnson said. "Is policy enforced at the network or application? And, if it's cloud-based, where in the cloud? At what level?" Further, deciding which system to use introduced another slew of acronyms and new terminology for enterprise decision-makers to consider, including Secure Access Service Edge (SASE), software-defined perimeter (SDP), cloud access security broker (CASB) and zero trust.

Steve Turner

In yet another viewpoint, Forrester analyst Steve Turner blamed the confusion on the security market itself. Whether vendors are eager to ride the latest marketing buzzword wave or unsure of the definitions themselves, many companies adopt language that isn't representative of their products, he said.

"We see every new security technology get completely co-opted and the messaging completely flipped on its head. We've gotten so far away from what these technologies are actually here to accomplish," Turner said.

A perfect example is the term zero trust. More than 10 years after Forrester coined the term, clients still ask Turner if zero trust is a marketing buzzword, a real strategy or a model they should be thinking about.

Biggest areas of market confusion

According to ESG's Cahill, the three biggest causes of current cybersecurity market confusion are the meaning of zero trust, the shared responsibility model between enterprises and cloud service providers (CSPs), and emerging technologies, such as machine learning and AI.

Zero trust -- a platform, not a product

Zero trust is an approach that assumes an entity trying to gain access is malicious until proven legitimate. Cahill emphasized zero trust is a strategy, a framework and an approach, not a product.

But a transition to a zero-trust approach doesn't mean perimeter-based firewalls are dead. "Most organizations are still operating in a hybrid multi-cloud environment. They still have their physical infrastructure," he added.

We ultimately arrived at this idea that you can get to zero trust from the network, from the applications and from protecting the data.

Legacy firewalls will exist for a while because of the "if it ain't broke, don't fix it" mindset, Cahill said. That means physical perimeters are still out there, at least for now.

"If you look at Palo Alto Networks['], Cisco['s] and Fortinet's revenue breakdowns, they do a lot of firewall refresh business. So, you have physical firewalls, virtual firewalls and firewall as a service," he added.

A few basic flavors of firewalls were available in the '90s: network, application and proxy, Nemertes' Johnson said. Then, they combined to become next-generation firewalls, and firewalls started moving to the cloud.

In about 2010, people started to get serious about perimeterless security, and that led to the term zero trust, Johnson said. The gotcha is the different categories of products that can create it. "We ultimately arrived at the idea that you can get to zero trust from the network, from the applications and from protecting the data."

Johnson believes SDP is as close to zero trust in a box as you can get. "The SDP provider figures out what you get access to based on who you are, which, in my definition, is zero trust," she said. With network-centric SDP, the network a user sees depends on the policy of the company deploying SDP, she added. "You can't even send packets on a network that we decided you're not allowed to access."

Cloud shared responsibility confusion

Organizations using public cloud services need to be fluent in who's responsible for what security-wise, Cahill said. Many enterprises think, if they've outsourced their data centers to a third party, they're all set. But they're not.

Many customers wonder if the CSP's compliance with regulations is transferable and whether that makes them compliant. "It doesn't," Cahill said, adding that confusion abounds about where the demarcation line is for the division of labor between the CSP and the subscriber of the service.

While the CSP needs to be compliant for its part of the infrastructure, organizations are responsible for what they put into the cloud, which always includes data security and IAM, Cahill said.

A shared responsibility model in the cloud varies not only by the type of cloud service, but also by the CSP. "Our research shows there's ongoing confusion about that," he said.

A place for machine learning

A few years ago, at RSA, many security vendors were bullish that machine learning and AI were the only technologies needed to detect and prevent threats, Cahill said. Machine learning has helped organizations process the massive influx of information about security events, but there's still confusion about what it is and which vendors have the best products.

"Machine learning is an incredibly important technology, but it doesn't replace other detection techniques," Cahill said. "It's one of the tools in the toolkit."

During the machine learning push -- and even today -- buyers wondered how to evaluate the relevance of machine learning, its use cases and which vendors had it. Customers don't care about what technology is under the hood as much as they want better efficacy and accuracy, Cahill said.

"At the end of the day, customers can understand use cases because they are actionable," he said, adding that ESG advises its vendor clients to talk about the use cases, rather than the how of machine learning.

How can enterprises tackle confusion?

If industry events are designed to educate, can in-person or virtual events, such as this year's RSAC, help security buyers navigate this complex, crowded market?

Cahill feels for the buyers. "For me, the litmus test is that I want to be able to look at the signage and grasp in seconds what the vendor does," he said. "If the messaging isn't relevant, potential buyers are going to walk on by."

On the other hand, as the largest cybersecurity conference, RSAC offers an opportunity for cybersecurity leaders to compare notes with other leaders across the spectrum of new types of threats, preventative steps and skills development, Cahill said.

The diversity of sessions at RSAC also gives cybersecurity leaders a way to sharpen their tools at a program or technical level, he added, which includes hearing about new tactics, techniques and procedures employed by cyber adversaries and getting a glimpse into how the vendor community is innovating to keep pace.

And, since vendors send their executive teams to the conference, many CISOs take the opportunity to conduct roadmap reviews with their more strategic cybersecurity vendors, Cahill said.

Enterprises also find it easier to understand definitive functional product categories rather than notional ones that can apply to dissimilar products, Johnson said.

"If a new product category has a functional description, like secure web gateway or antimalware, you can be pretty sure what it is and what it does," she said. "And, if a product category name comes from an industry consortium or other technical source, such as SDP from the Cloud Security Alliance, it's likely more precise."