Over the course of the last year, beginning around the fall (when it was nice and warm, and we had long summer evenings), I wrote in a few blogs about how many companies, even those in the Cybersecurity Industry, have the mindset that simply deploying Security tools and technologies in large numbers means that greater levels of Security will be afforded.

It is just human nature to think this way. After all, ever since we are born, for the most part, we have been indoctrinated in the belief that there is “security in numbers”.  It does not have to involve Cyber by any means; it can be applied to all facets of life.

For example, take the job seeker.  One could think that simply sending out hundreds of resumes in a given day will yield a job.  Or, if a patient is suffering from some kind of medical ailment, his or her physician may prescribe more medication or simply increase the current dosage in order to combat it.

This same example even holds true in the world of sales and lead generation.  It is quite common to think that the more leads you have, the greater the statistical odds that you will have a successful meeting and close a high-stakes deal.

This is just one part of the equation.  The other side of it is that you have to look at the quality of the items you are sending out or receiving.  Back to the job seeker example: that individual may send out those hundreds of resumes, but what if nothing comes of it?

Maybe the quality of the job prospects in those ads was not good, or it could very well be the case that the quality of the resume simply did not attract the hiring managers.

In the example of sales, even after sending out Emails to hundreds of leads, there may not be a single meeting that has resulted from all of the activity.  What happened here?  Again, the quality of the leads could have been very poor, and because of that, nobody cared to respond to the rep.

But now, in the Cybersecurity Industry, the C-Suite (especially the CIO and/or the CISO) is paying very careful attention to this issue of quantity versus quality, especially when it comes to procuring new types of equipment to fortify their lines of defense.

For example, in the past, questions were never asked of the Vendor about the quality aspects of their security products.  If the product came from a reputable vendor, and if there was enough money in the budget, tools were purchased in a haphazard fashion, and in bulk.

In these instances, the CIO or the CISO never questioned the security settings that were already configured; the orders to their IT Security staff were simply to take the stuff out of the box, deploy it, and get it running ASAP.

But as we are all starting to realize, simply using the default settings set forth by the Vendor does not work.  They have to be set to thresholds that match the Security requirements of the organization.

Now, the CIO and/or the CISO is going one layer deeper, starting to have a sense of mistrust of the Security vendors and the claims they make about their products, and starting to ask some serious questions.

This is substantiated by a recent market research project conducted by a Cybersecurity firm known as “Valimail”.  This can be downloaded at the following link:


Overall, here is what the study found:

*53% of the respondents spend more than $100,000 per year on new Security devices, and their dissatisfaction with the Vendors from which they buy only grows, especially in the following areas:

Vague product descriptions;

Unreliable QA and testing stats;

No follow up from the Vendors to see how their products are working in the field;

Phony sales pitches and marketing materials during the onboarding process (in other words, they do not clearly communicate the value proposition of their products, and if they do, it is very difficult to quantify).

*42% of the respondents do not believe the value proposition claims made by the Vendor that they are looking at;

*47% of the entities that took part in this study claim that the Vendor follows up in a good and complete fashion less than 50% of the time;

*49% of the respondents claim that their selected Vendor never follows up with them on future upgrades or replacements to the products that they have purchased.

My Thoughts On This

Quite frankly, in some ways I am both surprised and not surprised by the above findings.  For example, I am somewhat shocked as to why a Vendor will not follow up with the customers who have purchased its products.

Wouldn’t doing so be a great way to show customers that you care for their well-being, and also a way to bring them back as repeat customers?  To me, this is just Marketing 101, and I really don’t quite get why the Vendors won’t do this.

But even more importantly, shouldn’t you (this is meant towards the Vendors) keep your customers updated on the latest stuff that is coming out, so that they can stay ahead of the ever-changing Cybersecurity Landscape? 

Based upon the numbers, it just seems to me that the Vendor is only interested in making a one-time sale, and that’s it.

But showing your customers that you actually care about them for the long term will take you one step further in retaining them as customers for the long term, and not just for the time being.  As for the CIO and/or the CISO starting to show dissatisfaction with their Vendors, well, it’s about time that this is happening.

You simply cannot buy a product and expect it to work out of the box the way you want it to.

It takes work to do this, and the Vendors whom you are considering should be asked the serious questions that need to be asked.  After all, if you are not (this is aimed at the CIO/CISO), who else is going to do it?  You have the right to look at different Vendors and even conduct a trial period in a sandboxed environment before you make the final purchase decision.

After all, in the end, budgets are limited, especially when it comes to IT.  This is the first budget to get shrunk or even thrown out entirely in the face of a business downturn.  Also, keep in mind that simply deploying Security products in large numbers actually increases the attack surface that threat vectors can be leveraged against.

Given the rash of recent Security breaches, the CIO and/or the CISO is now starting to realize this, and because of that, is conducting thorough audits in order to determine where these new Security technologies should be placed.

For example, a far better (as well as more cost-effective) strategy would be to deploy two Firewalls where they are needed the most rather than simply deploying ten of them and guessing where they should be placed.

In the end, this debate of quantity versus quality in the Cybersecurity Industry will continue to rage on into 2020.  But as the mindset of the CIO and/or the CISO has started to shift to a more strategic approach, it will be quality that trumps quantity in the end.