Why do we have so many bad security products?
How did so much $$$ invested end up in so many unloved products?
The average enterprise has something like 70 different security products. Ask the security team what they think of most of those products and you’ll receive eye rolls and expletives. Security teams seem to hate a lot of the products they use. What’s going on?
The older products are the obvious culprits. Ancient UIs, slow load times, and mind-boggling navigation systems take a lot of the heat. But it’s not just the old tools that get the criticism. I hear things like ‘oh yeah that was just snake oil’ or ‘we tried using it for 3 years, it never actually worked’ about the buzziest scale-ups in the industry regularly.
Reddit is especially entertaining for this kind of thing…
So what’s going on? How did we end up with an industry where billions are spent on building and acquiring software every year, only for the users of those products to hate so many of the tools they use?
Why are so many security products so unloved?
There are a few factors that get mentioned when this topic comes up:
Buyers and users are misaligned. This is the culprit that gets spoken about the most. The thinking is that the execs who make buying decisions are so far removed from the people using the products day to day, that the wrong things get prioritised when products are chosen. There is definitely some truth in this but in my experience it’s probably not as big a factor as some people think. CISOs are increasingly stepping away from buying decisions and allowing domain experts to choose the tools they need. Even when CISOs do drive a decision, they lean on their team heavily or know the problem intimately themselves.
Security products are hard to replace. Most security products orient around a specific integration point, e.g. CrowdStrike on the endpoint, Zscaler via proxy, Proofpoint at the email gateway, etc. These deployments are often difficult to set up for the first time and even harder to remove or replace. As a result, it becomes easier to buy new products from the same vendor than to replace that vendor with a different product that offers a better experience. Over time this allows vendors to get lazy and to put less and less priority on delivering a great experience.
M&A creates Frankenstein products. Security is extremely acquisitive. Most of the big platforms have been created through 10, 20, or more acquisitions. When products are acquired, it’s typical that the acquirer will rush the new product to market to start earning revenue, rather than waiting to fully integrate it into their existing offering. As a result, the big platforms end up feeling like Frankenstein’s monster. This is the cause of a lot of the pain around navigation systems and UX.
Alongside these, I think there are a few less obvious factors that lead to us having so many unlovable security products:
The makeup of founding teams in security is atypical. A lot of founding teams in security come from either military/intelligence communities or from enterprise security teams. Whilst this is great for security know-how, a lot of these teams haven’t built and managed commercial software at scale before. If you think about the most loved products in other industries (Linear, Vercel, Slack, etc.), they were built by software veterans who had learnt hard lessons about UX and building products at scale throughout their careers.
Design talent is undervalued. Good design is bizarrely undervalued in security. Designers tend to be hired too late and not given enough responsibility. If security companies championed designers more, we’d have better security products.
Knowledge asymmetry exists between vendors and buyers. Vendors spend 100% of their time focussed on one product in one area of security. Security buyers and users need to cover a ton of different topics. Often they use multiple products each day across a wide variety of domains. Many vendors forget this and overestimate how easy it will be for customers to learn how to use their tool, what different terminology means, and which features are available.
M&A distorts incentives. With many security companies seemingly seeking a quick exit in 3-5 years, their incentives become distorted. They can focus on hitting initial revenue goals as quickly as possible, and care less about customer experience and managing technical debt.
On a positive note, I do see a lot of this starting to change. Many of the newer products coming out today are clearly being built with a lot of love and care. Security buyers are also becoming a lot more savvy and as noise in the market continues to increase, many are turning to peer recommendations before buying products, rather than being swayed by slick demos or steak dinners. We have a long way to go, but soon I hope security teams won’t totally hate the tools they have to use each day.