The cybersecurity vendor marketplace is growing so crowded that some companies have been resorting to extreme tactics to get security executives on the phone to pitch their products, including lying about security emergencies and threatening to expose insignificant breaches to the media.
The aggressive tactics come as the cybersecurity market expands dramatically, with a "long tail" of thousands of vendors with niche specialties. These sales tactics can make it harder for overworked cybersecurity execs to find and stop real threats. It can also result in overhyped publicity about breaches and hacks that are actually minor, which confuses customers and consumers.
CNBC spoke with four top cybersecurity executives at Fortune 500 finance, health care and payments firms about unsavory practices from vendors. These executives all said they have been pressured by vendors and researchers who claimed — rightly or not — to have found a cybersecurity problem at their company. Some hinted at the possibility of negative news coverage if the executive did not listen to the vendor's full pitch.
Complicating the picture, many ethical hackers use their contacts with the company to report legitimate problems. One executive complained the noise makes it difficult to pinpoint the legitimate reports of infrastructure flaws that need to be fixed.
It's hard for cybersecurity companies to get noticed. Smaller vendors particularly struggle because top corporations already have contracts or strong customer relationships with the biggest companies.
This is where the threat of negative media coverage comes in. Exposing a security flaw, no matter how small, can garner big headlines if it's at a big company. Enough press coverage can spark weeks of outrage and land top leaders in front of Congress.
However, breaches that actually cause damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don't expose important company or customer information.
For instance, all four executives said vendors tried to draw their attention to potentially exposed data on Amazon and Microsoft Azure cloud servers. None of this data included any current material information.
In one case, a database housed business plans for a 10-year-old project that had already been reported on and was now irrelevant. In another case, the data included information about customers — but only their names and the fact that they had attended a technology conference several years earlier. There were no further personally identifying details, Social Security numbers or other data that would have raised the ire of regulators or even senior company executives.
But the representatives pressured the execs on the phone, saying they had repeatedly tried to warn them about these minor issues and were ready to go to media outlets.
Fearing negative publicity, these execs typically agreed to spend around an hour allowing the vendor to offer "free services" to fix the problem, followed by a bigger pitch for paid services.
Two of the executives also said vendors used questionable tactics just to get through to their phone. Vendors have called in to report "emergency" incidents, then once they got past the company's gatekeepers, turned the "alert" into a sales pitch. They have also lied to administrative staff about their reasons for calling, characterizing their call as a matter of grave security importance, only to present a sales pitch once they'd worked their way up to the right executive.
All told, this results in a great deal of wasted time. Worse, as one executive said, "I distrust most of them, so it's possible I miss the people who may be trying to raise actual issues."
Cybersecurity vendors also often try to scare executives based on the type of perpetrator launching a given attack.
These pitches often work on board members or less technically inclined executives, who are scared of the prospect of defending their networks from Iran, China, North Korea or Russia and impressed at the vendor's purported investigative skills, the executives said.
But for the vast majority of companies, attribution doesn't matter at all, they said. That's because no matter who did it, the vast majority of private-sector data breaches can be attributed to the same basic security weaknesses that all hackers exploit.
"If you're vulnerable to SQL injection," said one bank chief information security officer, referring to a basic type of hack that often is used to steal consumer data, "then you're going to fall prey to SQL injection. It doesn't matter if some kid in the basement does it or the PLA [China's People's Liberation Army]."
Regulators don't particularly care, either, the bank official said. If you have a weakness that you should've fixed, regulators will focus on that weakness.
"Unless you're the NSA, attribution doesn't matter," the security head said.