As a potential buyer, empty promises are incredibly confusing. As a vendor, they’re counterproductive and dishonest—it’s pretty unethical to say your product removes all risk of any existing or future threats.

How did the industry get here? It’s a little more complicated than just too many vendors trying to get heard over all the noise—and it’s entangled in the history of cybersecurity itself. Many of us often wonder if it’s even possible today for companies to see fact versus fiction to make sure they’re investing in the right system features and benefits.

Cybersecurity has grown extremely complex over the last decade. At its earliest, the landscape was ruled by hackers steeped in computer science whose activity was mostly on the offensive side—finding ways around security protocols for street cred. As it evolved, many hackers “went corporate” and refocused their skills defensively to help companies arm their internal systems against malicious attacks. These skills, honed intricately by years of practice and trial-and-error, established the baseline for the entire cybersecurity industry.

On the plus side, a new sense of professionalism has evolved with certifications such as certified information systems security professional (CISSP) and CSA. There’s even a course dedicated to certified ethical hacking. None of these programs were available 20 years ago. In addition, more mid-level jobs now exist for cybersecurity professionals, so the role of the chief information security officer (CISO) has become significantly less technical than it once was. 

Today, it exists as an amalgamation of a variety of functions, including application security, network security, and physical security. There’s much more on a CISO’s plate and many more security vendors to choose from. Many CISOs also sit on corporate boards and are carefully watched and assessed. With breaches potentially costing millions of dollars, the stakes are high—and vendors converge on stressed out CISOs unsure of where to turn.   

In the past, hackers were highly skilled at cyber breaking and entering—and these proficient hackers became cybersecurity leaders in the private sector. 

But today’s hackers are lazy criminals. Many of them don’t even do the hard work of hacking; they buy stolen data on the dark web or buy ransomware-as-a-service. And so the people making up companies’ cybersecurity leadership are less technically proficient than they once were.

At a time when the attack space has grown considerably more complex, security professionals are relying less on innate computer science knowledge and more on marketing-driven vendors to educate and protect their companies.

This environment has become a breeding ground for false claims.

Compare cybersecurity to the CRM industry, where to procure a system, businesspeople turn to one of the big players like Salesforce or HubSpot. These big vendors educate people about their products and then deliver the product as a cloud service. 

Unfortunately, in the cybersecurity industry, there are too many players, and the majority of the “educational” information and reports from the vendor community are mostly elaborate product pitches. People who have been around the block in this industry will always roll their eyes at language like “eliminate” and “annihilate” when referring to cyber threats. But newer CISOs may not have that response because they were trained by an industry that loves to promote such claims, most of which are false and solely profit-motivated.

There’s really not a huge difference in the efficacy of many of the products out there. They all play by the same rules and are based on the same analyses. Back in the day, there was a balance of power between market leaders—and all these companies won and lost at generally the same rate. The introduction of venture capitalist companies blew up this playbook. 

Today, the industry has become overcrowded with too many vendors and led by people who don’t have nearly enough background in security and computing. It’s become easy to spot who just wants to make the sale and enter the next round of funding—and who really wants to put out a good product that solves an industry challenge. 

For CISOs and other cybersecurity professionals who may have just entered the industry, it’s a daunting task to sift through the vendor clutter. Luckily, buzzwords are easy to spot, and they’re a telltale sign of false claims. Hollow promise-makers know that CISOs are always at the mercy of the board to meet metrics and manage risk—and they prey on them with lofty claims. 

As a vendor, it’s tempting to make claims that will get your company noticed and help your product stand out in the racket—but don’t. Email security marketing tactics don’t have to be embellished or overly exaggerated to get noticed and be effective. In fact, the best way to promote your product is to ditch the buzzy bells and whistles altogether.

To truly stand out in a world where nearly everyone is lying, speak the truth. For many organizations, this requires a fairly significant culture shift—one that starts with leadership and permeates the rest of the company. The content you produce, the advertising you run, the way you train your sales team, and the priorities you choose for engineering should all be in alignment with your capabilities and your mission. That kind of self-assessment alone is a daunting task and should be a major objective for company leaders.

In a similar vein, focus on hiring, training, and retaining talented professionals, and routinely instilling in them an emphasis on the real benefits your product provides for your customers. This level of customer service, which promotes an open dialogue, holds both your solution and your people accountable for following through on promises.

Simply put, explain what your product does and how your company will support your client’s IT staff and security team. Give them realistic cost and return-on-investment numbers they can take to the board. Then prove your worth.

Kevin O’Brien is cofounder and CEO of GreatHorn.