June 3, 2026
InfoSec Europe 2026 — a showcase of what is wrong with cybersecurity
Glenn Wilson
This week many people and organisations involved with cybersecurity travelled to the ExCeL in London to attend Infosecurity (InfoSec) Europe 2026. I won't be there. Tube strikes aside, commitments elsewhere meant travelling to London over the three days of the event was not possible. Although I miss seeing many of my cybersecurity peers, I do not miss being reminded of why cybersecurity is in such a mess. For what I would see is nearly 600 security product and service providers, ranging from cloud security, application security and network security to risk management and compliance, managed security and zero trust solutions. Throw into the mix a splash of AI, whether as standalone products or bolted onto existing ones, and the overwhelming mishmash is complete. With so many 'solutions' to our cybersecurity problems, why is our industry failing to keep up with the 'bad guys'?
Let's look at some data…
According to Mondoo (https://mondoo.com/vulnerability-intelligence/state-of-vulnerabilities-2026), the number of CVEs published each year grew from 18,363 in 2020 to 48,175 in 2025, an increase of more than 160% (roughly 2.6 times the 2020 volume). This data is corroborated by Jerry Gamblin's research, which shows almost identical growth over the same period (https://jerrygamblin.com/2026/01/01/2025-cve-data-review/).
When looking at the impact vulnerabilities have on organisations, Ed Bellis, co-founder of Kenna Security, reports that small businesses have between 10 and 100 open vulnerabilities, while large organisations can have as many as 10 million (https://www.darkreading.com/vulnerabilities-threats/there-may-be-a-ceiling-on-vulnerability-remediation). From my own experience, some of the larger organisations with which I have worked have more than 1 million open vulnerabilities. As Bellis highlights, remediation capacity cannot keep pace with these volumes, no matter how small or large the organisation.
Those who are responsible for solving this problem turn to security products to help 'manage' their vulnerabilities. Added to this are regulatory requirements such as the EU Cyber Resilience Act (CRA), which requires manufacturers of products with digital elements to identify and document the vulnerabilities and components in those products, and to apply effective and regular security testing as part of their processes (https://www.tributech.io/blog/cra-8-vulnerability-handling-requirements). These requirements result in vendors offering products that discover even more open vulnerabilities to add to the mess we already have.
InfoSec Europe is like a department store offering a plethora of security 'solutions' that promise a world of better security. 600 security vendors is a large number, far too many for a CISO to evaluate objectively, yet it is a drop in the ocean compared with the 6,500+ vendors currently in the security market (https://www.msspalert.com/news/platform-trend-drives-mssp-msp-market-growth). According to MarketsandMarkets, the cybersecurity market is forecast to grow from $227 billion in 2025 to over $350 billion by 2030 (https://www.marketsandmarkets.com/Market-Reports/cyber-security-market-505.html). And therein lies the incentive for aspiring security vendors.
The problem, though, is that these tools are not solving the problem, unless the problem is how to attract investment. According to various reports, the number of data breaches and security incidents is also likely to trend upwards over the next few years. The World Economic Forum's Global Cybersecurity Outlook 2026 (https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2026.pdf) sees the global threat landscape worsening, driven by technological advances including AI, autonomous systems and robotics, digital currencies, and quantum technologies. The situation is only going to get worse.
So, what is the solution? Unfortunately, there is no fix as simple as buying a tool or two. In a recent two-part podcast (https://www.youtube.com/watch?v=NC3wb_vx2Xg and https://www.youtube.com/watch?v=dLRKTvyqlk0), I mention to Laksh Raghavan that we are being sold drills when what we really want are holes. The focus is on the tool, not the outcome. We buy tools that scan code, identify and document vulnerabilities, manage vulnerabilities, generate SBOMs, and so forth. Yet which of these solutions delivers the real outcome we want, that is, better security? The question we need to ask is how we improve the security of our systems. Instead, we too often start with the question of which tool to buy, the wrong question, and one for which InfoSec Europe has a lot of answers!
For too long, the paradigm of scanning and fixing vulnerabilities has failed to improve security. Of course, it is impossible to guarantee 100% security, and that is why we must seek ways to build resilience into our organisations. We need to continuously test the behaviour of our systems for operational weaknesses, learn from failure, and remain viable in an environment of increasing threat. This requires a cultural shift in how we manage security and unfortunately, there are no tools that do that for us and there are no easy solutions. Security outcomes are driven more by interactions within the organisation and how engineering, operations, security, risk, procurement, and leadership work together than by any individual tool.
To quote Russell Ackoff, "The performance of a system depends more on how its parts interact than on how they act independently".