Shiny Object Syndrome With Value Discipline

September 15, 2023

Shiny object syndrome is a term used to describe a behavioral pattern where individuals easily get distracted by new and exciting things, often at the expense of staying focused on their current tasks or long-term goals. 

If you have ever seen the Pixar movie “Up,” the dog Doug has a bad case of shiny object syndrome. He is constantly plagued by squirrels that snag his attention from important tasks.

Just like Doug, technologists and cybersecurity professionals with shiny object syndrome can be drawn to novel ideas, projects, or opportunities that seem promising and captivating. 

However, this constant pursuit of the next shiny object can detract from focus and progress toward their primary goals.

In an attempt to differentiate, cybersecurity vendors create distracting shiny objects

The cybersecurity software space, similar to any other SaaS market, is highly competitive.

Software vendors have to heavily rely on marketing to differentiate themselves from competitors. Although this increased awareness of security products and services can help potential buyers, we’re seeing the following:

Buzzword bingo muddy the waters

For starters, the marketing teams of security software companies are more likely to highlight specific features or buzzwords rather than address the particular security needs of buyers.

The overemphasis on keywords like “AI-powered,” “behavioral analytics,” and “advanced persistent threat defense” may lead buyers to choose products that don’t align with their actual security requirements. 

While some cybersecurity offerings claim to be “totally effective” and “breach proof”, instances of cyberattacks suggest that there is still room for improvement. 

As an example of the hype machine's impact on the market, we compared the use of the term “AI” and “cybersecurity fundamentals” in the past twelve months on Google Trends and discovered the vast differences in search volumes of the two terms. This also clearly shows how “AI” is the marketing focus for most vendors.


Security content overload

To find the solutions they need, buyers are forced to sift through an abundance of security marketing content. They may settle for generic security solutions that market themselves to be the master of all trades, covering all aspects of data security, when in fact, they may not excel in a specific necessary area of protection. 

This is especially true for small and medium-sized businesses that are fairly new to cybersecurity and don't have the experience or in-house expertise to choose the right security stack—and are following the buying trends of larger enterprises.

A failure to communicate

Vendors also fail to adequately communicate the compatibility of their offerings with the buyer’s existing IT infrastructure. 

This oversight can lead to operational inefficiencies and integration issues, making the software implementation process more complex and costly.

Security pros must balance focus and exploration 

It's essential to recognize the shiny object syndrome in ourselves and develop strategies to maintain focus on our main objectives while still allowing room for exploration and learning. In the cybersecurity space, approaching problems with fact-based, data-driven insights is key. 

8 dominant security trends illuminate a better path forward

G2’s security market research team conducted an analysis of the last three years of Verizon’s 2023 Data Breach Investigations Report (DBIR), Mandiant’s M-Trends 2023 report, and IBM’s Cost of a Breach Report 2023. These three reports are considered by many in the industry to be exceptionally valuable for their research and analyses.  

Here are some notable trends raised in these reports over the past three years:

1. Increasing frequency and sophistication of cyberattacks

Cyberattacks have become more frequent and sophisticated over time. Attackers continually develop new techniques, exploit vulnerabilities, and leverage advanced tools and methods to breach systems and compromise data.

2. Rise in targeted attacks and advanced persistent threats (APTs)

Targeted attacks, such as spear-phishing, ransomware, and APTs, have seen a significant increase. These attacks involve tailored strategies to infiltrate specific organizations or industries, often with long-term objectives.

3. Growing prominence of ransomware

Ransomware attacks have been on the rise, targeting organizations across various sectors. Attackers encrypt critical data and demand ransom payments, causing significant disruptions and financial losses for businesses.

4. Exploitation of human vulnerabilities

Cybercriminals often exploit human vulnerabilities through social engineering, phishing, and other tactics. Human error, such as clicking on malicious links or falling for deceptive techniques, remains a significant factor in successful cyberattacks.

5. Challenges in securing remote work environments

With the shift towards remote work, securing remote endpoints, home networks, and cloud services has become increasingly challenging. Attackers have capitalized on the vulnerabilities associated with remote work setups.

6. Complexity of IT infrastructures

Modern IT infrastructures are complex, encompassing numerous devices, networks, and applications. Managing security across this intricate landscape can be difficult, increasing the likelihood of vulnerabilities and compromises.

7. Continuous evolution of threats

Cyber threats are continuously evolving. Attackers adapt their techniques, exploit emerging technologies, and target new attack vectors. Zero-day vulnerabilities, supply chain attacks, and attacks on Internet of Things (IoT) devices are areas of concern.

8. Shortage of skilled cybersecurity professionals

The demand for skilled cybersecurity professionals exceeds the available talent pool. This shortage poses challenges for organizations in effectively defending against sophisticated cyber threats.


First, let’s put to bed the question of “where should we invest first?” 

This graph details where the most bang for the buck will exist. Looking at the data, it’s clear that the overwhelming majority of compromises stem from bad password management, followed by users who get phished. These two issues constitute nearly 65% of the total avenue of compromise that businesses face. The last major area of threat is from unpatched software. 

Simplistically, these data points tell us that the areas that we should invest the most in are identity and access management (IAM), removing the user from the wilds of the internet, and vulnerability management. Period. Anything else strategically should come later. Fixing these areas first and investing in them sooner will help with being more secure than others who ignore these realities.

Treat shiny object syndrome with a heavy dose of value

When in doubt, look for accounts of tangible value. 

G2 reviewers report their observed return on investment (ROI). Interestingly, the fastest sector to provide ROI is that of mobile data security, followed by browser isolation. This makes sense as data that resides or is stored “outside” of an enterprise or business security portfolio is exceptionally susceptible to attacks and exploitation. 

Browser isolation fits well into the current state of enterprise business operations as the technology is native to the user experience and extends the control plane for security operations to the active threat space, the internet.


Relieve employees of the cybersecurity burden

Organizations are unable to treat the root cause of security breaches--the human element, which, according to 2023 Verizon DBIR, causes 74% of all breaches.


of all breaches are caused due to the human element

Source: 2023 Verizon DBIR

This makes social engineering incredibly effective and lucrative for malicious actors. 

The ROI of security awareness training programs and tools may not be as prevalent as advertised. This is because security awareness training can lead to overfitting among employees. Employees will be trained to spot only certain types of phishing emails. This makes it harder for organizations to fight against sophisticated phishing attacks.

Logic suggests that it will likely be quicker to secure the ecosystem using the above-mentioned tools than to expect a cultural change among employees with a security awareness training tool. However, security awareness training can be used as a first line of defense, and in the long run, it may prove to be a fruitful initiative.

Instead, organizations should invest more in creating a security framework or ecosystem that offloads the burden of detecting threat vectors from employees who aren’t involved in the cybersecurity trade. This doesn’t mean employees should be given the freedom to expose sensitive information or welcome threats without consequences. 

The idea here is that the cybersecurity framework and its associated infrastructure should be set up in such a way that regardless of the employee’s action, the security posture of the organization stays resilient. 

The above-mentioned concept may sound idealistic, but only when employees are relieved of excessive additional security-focused duties can they truly collaborate and innovate. 

More precisely, in a perfect world, it would be similar to placing employees in a sandbox environment in which none of their actions will disrupt the security posture of the organization’s networks or devices. The main focus is to not place the security of an organization at the mercy of employees and likely risk actions.

Don’t be oversold: no solution is foolproof 

It is important to acknowledge that no security solution is foolproof, no matter how seemingly effectively it is marketed. 

While vendors make bold claims about their products, there is always a possibility of undiscovered vulnerabilities, design flaws, or inherent limitations. The rapidly changing threat landscape demands constant innovation and proactive measures from security solution providers to stay ahead of cybercriminals. 

However, the reality is that not all security solutions live up to their marketing hype, leaving businesses exposed to risks despite their investment in security measures.

Data protection is crucial. Learn how organizations can protect employee data

Headshot-AmalJoby This article is co-written by Amal Joby, G2 market research analyst, cybersecurity.


Edited by Sinchana Mistry

identity and access management (IAM) software Prevent unauthorized access

Invest in identity and access management (IAM) solutions and prevent unauthorized access to sensitive information.

Shiny Object Syndrome With Value Discipline Vendor marketing of cybersecurity products may not always help businesses choose the right solution. Learn more about how to combat it in this article.
Dr. Chase Cunningham Chase Cunningham is VP of Security Market Research at G2. With over two decades of experience in Cyber Forensic and Analytic Operations, he has held senior security and analyst roles at NSA, CIA, FBI, and other government agencies, as well as with industry leaders Accenture and Forrester. A retired U.S. Navy Chief, Chase most recently was Chief Strategy Officer at Ericom Software. Chase also hosts the DrZeroTrust podcast.