Most security tools are too theoretical
That's why they churn customers, are easily replaceable, and fail
Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

Maybe it’s FY25 planning, or maybe I have been attending more security events, but I’ve been thinking more about security tooling and what it actually gets us. We, as a community, complain about security tools, but we keep using them. In fact, we spend more money on them year after year, even though many of them seem to have short shelf lives or end up as shelfware. It also feels like switching tools doesn’t actually solve our problems. So we end up in an endless cycle of cycling through tools, which carries substantial administrative overhead, e.g. procurement, sales calls, etc.
Why do security products churn so much? There are probably many reasons. One main reason I see is that most products are incremental, and it’s not clear the original product solved a key problem in the first place. Appsec is a good example. It’s very easy to compare the vulnerabilities that Snyk catches against those caught by competitors like Semgrep, Socket, etc. On top of that, because these SaaS products are easy to onboard, they are also easy to offboard, so switching costs are low. These companies are in a constant battle royale to find more vulnerabilities than each other. That is the crux of the problem: does that metric matter in determining whether the product is effective? By “effective,” I mean: does it help the application security team get buy-in from the executive team and leadership for the resources needed to solve the problem? It also doesn’t help that compliance is a major driver for vulnerability management, which is a hard reason to get behind if the goal is more investment. Companies want to spend the least amount of money possible to check a compliance box.
I’ve talked about the changing reality of appsec, and why I believe the industry is stagnant.
This leads to the next problem tools face. Too many tools promise to solve an organizational problem, and security leaders buy tools expecting them to do exactly that. The issue is that you can’t solve organizational problems with security tools. They might help identify those problems or assist in solving them, but buying a tool alone won’t solve the problem itself. Going back to application security: having a tool that finds more vulnerabilities or gives better context won’t make engineers any more likely to fix them. Fixing vulnerabilities is a cultural issue that requires buy-in from multiple stakeholders and convincing them that doing so benefits the business. This is commonly lost on security teams, where the focus is too much on risk reduction.
I talk a lot about how to shift away from risk to trust and why trust is more important than risk. However, I have never explicitly named the problem with thinking about security purely as a way to reduce risk. Of course, risk reduction is a good part of security, but thinking of security as only that makes security’s goals feel too theoretical.
I believe that’s why so many security programs struggle to get buy-in. And because so many security teams think this way, tools have to follow suit, i.e. the tools end up solving theoretical issues too.
The theory of security
Using our running example of application security, it’s hard to explain why we should be fixing vulnerabilities at all. Most vulnerabilities appear to be hard to exploit. Fixing the critical and high ones may seem worthwhile as a way to improve code quality, but why fix the medium ones? Some might argue that a medium could become a high, or that a few of them chained together could amount to a critical vulnerability.
This sounds too theoretical in a world where there are real, concrete threats to the business — if we don’t build a certain product feature, we will lose revenue and profit. Concrete business problems will always take precedence over theoretical security concerns, and tools can’t solve that. In some ways, the appsec tools that add “context” pour fuel on the fire. They have a tough job because they are judged on how many vulnerabilities they catch. At the same time, the context they provide adds more theory, because it doesn’t take into account the company’s specific environment and existing mitigations. A finding marked reachable or exploitable says nothing about whether the affected service is internet-facing or what compensating controls already sit in front of it.
Similarly, this happens with other security tools like CSPM, which is good at detecting posture issues but doesn’t convince infrastructure teams to fix them. Wiz recognized this: adding a detection and response capability gives the tool more tangible value.
How do tools become less theoretical and more concrete?
Sadly, security has too many tools, and they aren’t actually solving problems. It’s a big market because security teams have large budgets. However, in my opinion, that is likely to change as more of that budget shifts to headcount rather than tooling.
Instead of writing about how to make tools less theoretical in the abstract, I’m going to discuss how some of the largest security companies, such as CrowdStrike, Palo Alto Networks, Cloudflare, etc., have solved this problem and delivered tangible value for their customers, resulting in lower churn.
In my opinion, what all these tools have in common is that they address tangible risks that are easy to align with stakeholders and executive teams. I’ve talked about the idea of risk scenarios in the past, and these tools address historically dangerous risk scenarios.
Let’s talk about CrowdStrike. A key risk scenario for CrowdStrike is that malware leads to leaked credentials and/or ransomware, which has a tangible impact on the business. These threats have occurred historically and are costly, so it’s easy for executives and the board to buy into preventing them. On top of that, CrowdStrike has a strong incident response services business that helps companies recover from an attack. The value there is clear because an attack has occurred or is occurring.
Email security is a big market. Phishing is a common problem that is low effort but potentially high gain: an attacker can easily obtain employee credentials and use them to access the company’s systems. This has also happened frequently in the past, so it’s a tangible risk to get behind.
Finally, let’s discuss Cloudflare. Cloudflare has a suite of products, but let’s focus on its web application firewall and the DDoS protection that sits in front of it. Together they block malicious traffic and absorb DDoS attacks that would otherwise affect a site’s uptime and have a real business impact.
The biggest advantage of all these examples is that the tools can show actual threats they have prevented. CrowdStrike shows the malware it has blocked. Email security shows the phishing emails that were remediated and never reached people’s inboxes. Cloudflare’s WAF can show all the malicious traffic it has blocked. These are tangible and arguably measurable results: they blocked a key threat that might have escalated into a serious incident.
However, the point of discussing this is that most tools aren’t like this. In fact, most security programs aren’t like this. They are good at discussing theoretical threats and using FUD to get more budget, but they are bad at demonstrating that they have prevented specific attacks and risks. This hasn’t been an issue in the past, but given the increase in breaches, executive teams and boards want more measurable ways to show ROI on their security investments.
Therefore, security tools need to spend less time on theoretical threats and more time helping to prevent actual issues. However, tools can’t do this alone. Security leaders must align on the concrete risks they want to prevent. One way is to use risk scenarios. Another is to lean on frameworks such as NIST or HITRUST, but these tend to work well only when they are paired with specific examples that define the maturity of each capability.
Whichever way you go, better tools alone aren’t going to solve the problem. Gone are the days when security had a blank check to solve theoretical threats. Overall, though, I believe this will be an important evolution for the security industry.