The real problem with cybersecurity? Vendor greed…

By Adam Blake, CEO, Threatspike.

Friday, 25th July 2025, posted by Phil Alsop

Want to hear a paradox? The global cybersecurity market is expected to generate $276.9bn in revenue in 2025. By 2030, that figure is expected to rise to over $500bn. But here’s another thing that’s rising: the cost of cybercrime, which is projected to cost the world $23 trillion in 2027, a whopping 175% increase from 2022.

It’s true that the more the world digitally transforms, the more cracks start to form in every organisation’s security posture. Even so, the numbers just aren’t adding up. The amount cybersecurity vendors profit from their solutions seems almost directly proportional to the battering enterprises are taking worldwide from cyber breaches.

Not even high-profile brands can escape the wrath of cybercriminals, whether it’s the retailer Marks & Spencer, or the large logistics firm KNP, which was hacked recently after criminals guessed an employee’s password before locking the whole company out of its own systems. A company trading for over 150 years, brought down… because of a weak password.

There can be no mincing of words on this: traditional cybersecurity is broken. It’s time we fix that.

A Marketplace Built to Thrive on Confusion

It would be easy to poke holes at what brands are doing, but you can’t blame everything on negligence. In reality, businesses are trying their best. It’s the cybersecurity industry that’s failing to deliver simpler, more effective solutions that make life easy for customers. You can trace that problem to how security products are packaged and sold.

Vendors often modularise their offerings, forcing companies to navigate a maze of overlapping tools, hidden costs, and unclear coverage. A good example is EDR: great technology, but it doesn’t protect against phishing, one of the most common threats companies face today, accounting for 93% of cybercrime in the UK alone.

Vendors do not adequately explain these issues to customers. The fact that a weak password took down a whole logistics company is proof of that. Basic password hygiene is so bad now that hackers crack 70% of passwords in 1 second. It’s a big reason why password-based attacks make up over 99% of identity attacks.

What this shows is that large enterprises are struggling to detect even basic security threats despite having invested millions in solutions like intrusion detection, proxies, and SIEM (Security Information and Event Management), as well as having tried to build internal security operations centres. Even tier 1 companies often have intrusion detection sensors cabled up incorrectly, as well as SIEM solutions with no working rules, broken event feeds, brittle detections, or no threat modelling capability at all.

I’ve personally seen companies trying to detect threats by correlating logs from disparate point solutions (e.g. proxies, intrusion detection, OS, firewalls) – except the logs tend to be in totally different formats, often missing key details. There’s not nearly enough standardisation across security infrastructure, which has left a critical gap in threat visibility.

A Marketplace Built to Aggressively Upsell, Not Shield

We find ourselves in a strange place today where enterprise buyers face a bewildering number of three- or four-letter acronym products. Whether it’s SIEM, EDR, SOAR, XDR, or whatever other technology is promising innovation and resilience, these products often obscure from businesses what they must prioritise.

What do cyber vendors do instead, you ask? More often than not, they’re perfectly content to develop yet more tools to monitor SaaS security logs for breaches. Many tools are designed for aggressive upselling. It is rare today to find a solution that you buy once.

No, instead enterprises face fragmented, expensive tech stacks and a cybersecurity ecosystem infested with products built to hook organisations on perpetual licensing, add-ons, and complex integrations. Need email protection? You’d better buy from Vendor X. Oh, wait, you need protection against phishing through WhatsApp instead of email? That’s Vendor Y. Who even knows at this point all the solutions a company needs to protect itself? Could an enterprise figure it out by itself?

While all of this confusion is happening, basic real-world threats and vulnerabilities like weak passwords go unchecked. This “security by shopping list” will take a heavy toll on the industry.

A Marketplace That Doesn’t Have to Succumb to Greed

Vendor greed doesn’t have to ruin cybersecurity, though. If you’re buying any solution from a vendor, prioritise the ones who are going to be a partner, who share accountability for outcomes rather than offloading blame when things go wrong.

Remember that there are thousands upon thousands of solutions claiming to make your business safer in a myriad of specific ways. But are they comprehensive? You should be considering whether their solutions exist in a vacuum, whether they integrate easily with what you already have, and whether the solution even covers the basic vectors cybercriminals have been exploiting for years. You should also insist on transparency in pricing and claims, with vendors committing to clear, honest communication on risks and capabilities. And businesses should be within their rights to demand fewer, better-integrated solutions built around core principles of threat visibility, real-time response, and perhaps most importantly, ease of use.

It’s really important that companies of any size are able to consistently implement a high-quality set of security and monitoring controls across their entire environment. It doesn’t matter whether they’ve acquired a new company, are growing organically, or have different subsidiaries across the world. Everyone needs a consistent level of security; otherwise an attacker will find the weakest point and exploit it.

It’s time for vendors to accept responsibility for their role in securing brands. It starts with making life easier for organisations.
