Security chiefs warn bloated cyber market must learn to work together


This article was licensed through Dow Jones Direct. The article was originally published on The Wall Street Journal.

An overheated market for cybersecurity products means vendors must ensure their products work better with each other if they want new business, cyber executives say.

Research from the Information Systems Security Association published Tuesday with TechTarget Inc.'s analyst unit, Enterprise Strategy Group, found that more than three-quarters of 280 security professionals surveyed want to see vendors build open standards into their products to enable interoperability.

The cybersecurity industry has grown sharply in recent years, fueled in part by an increase in cyberattacks, rapid digitization due to stay-at-home orders during the coronavirus pandemic and ample funding for new companies. Global cybersecurity market revenue is expected to reach $158.9 billion this year, up from $83.4 billion in 2015, according to research firm Statista Inc.

Despite dozens and sometimes hundreds of vendors offering products covering aspects of cybersecurity including threat detection, virtual private networks and endpoint protection, chief information security officers say transferring information between products can be tricky.

"One of the most significant challenges from a practitioner's perspective is trying to drink from that fire hose of data," said Candy Alexander, president of the ISSA, a trade association for cybersecurity professionals. "Everything's coming at us; it's just overwhelming."

For example, said Ms. Alexander, who is chief information security officer at Boston-based business consulting firm NeuEon Inc., sharing information between systems often requires manual, time-intensive processes that are specific to each piece of software. That is work the vendors should be doing, executives say, but it frequently falls to a customer's own staff.

"The glue that gets all those products to exchange information, to integrate seamlessly, a lot of times we have to take that on ourselves with our teams, and that takes a lot of doing," said Devon Bryan, global CISO at cruise line Carnival Corp.

Open application programming interfaces that allow data to be exchanged are necessary, said Jimmy Sanders, head of information security at streaming giant Netflix Inc.'s DVD unit. Such interfaces exist, but many cyber companies don't build them into their products, Mr. Sanders said.

CISOs are beginning to shy away from implementing one product to fix one problem, instead looking for technology that can handle several areas of cyber defense, ISSA and ESG found.

That spreading sentiment among corporate security chiefs could eat into sales for cyber companies offering single-purpose products as a market downturn in technology is beginning to crimp investments, said Jon Oltsik, senior principal analyst at ESG and author of the report.

In addition, the large number of competing vendors offering similar products frustrates security chiefs, he said.

"A lot of security professionals are just confused. They feel like there's too much hype in the industry, not enough market education, not enough really working with customers," Mr. Oltsik said.

In the survey, 73% of respondents said many vendors rely too much on marketing rather than the quality of their products.

Vendors that fail to adapt to customer demands may struggle to win new business, Mr. Oltsik said.

This becomes even more acute as security chiefs such as Netflix's Mr. Sanders rely more on peer networks to inform buying decisions, meaning reputation and willingness to work with clients as well as technical prowess in product demonstrations play a more significant role.

"I think that's going to weed out a lot of vendors," Mr. Oltsik said.

James Rundle

The Wall Street Journal
