NEVERHACK Estonia
31 Oct 2025
At the Nordic-Baltic Security Summit 2025, CyberCast host Ronnie Jaanhold sat down with Henry Rõigas, cybersecurity strategist, researcher, and founder of evisec.xyz, to discuss one of the most misunderstood topics in the cybersecurity industry: thought leadership.
In a marketplace overflowing with reports, whitepapers, and so-called data-driven insights, how can vendors stand out as credible voices instead of being just another marketing machine? Henry’s answer is simple and powerful: focus on evidence, context, and credibility.
Why Thought Leadership Matters
“Thought leadership is not marketing,” Henry says early in the conversation. “It’s a beacon that helps us through the noise.”
With thousands of vendors competing for attention, the cybersecurity space has become an information battlefield. Every company wants to appear innovative, insightful, and relevant. But true thought leadership is not about shouting louder. It is about providing clarity, value, and trust.
Henry’s firm, evisec.xyz, publishes the Cybersecurity Research Digest, a regular overview of data-led trends that filters marketing fluff from real insight. The publication’s mission is to identify which vendor reports truly add value and which are built on shaky survey questions or self-serving narratives.
The Origins of evisec and the Motivation Behind It
Before founding evisec, Henry worked as a researcher at NATO’s Cooperative Cyber Defence Centre of Excellence in Tallinn. There, he saw how difficult it was to find reliable, evidence-based cybersecurity information. Governments published very little, academia worked at a slow pace, and vendors, who had access to vast amounts of data, filled the gap.
But vendor-led research came with bias. Many reports were thinly disguised marketing campaigns. “I found myself reading these reports, realizing they were relevant but also full of spin,” Henry recalls. That experience led him to develop a “filtering method” to separate useful data from the noise.
Why do so many vendor reports fall short? The answer lies in motivation. Companies publish research to attract attention, boost credibility, and drive sales. “There’s always a marketing motive,” Henry says. “But that doesn’t mean the research can’t also be credible.”
The key is to align business goals with authenticity. Credible research doesn’t just inform the market; it also informs the vendor itself. For instance, a managed security provider analyzing its incident response data can learn what’s working, where to improve, and which threats matter most. “Done properly,” Henry explains, “you can kill two birds with one stone by creating valuable content and improving your own strategy.”
The Pitfalls of Fear-Based Research
Henry is honest about the state of the industry. “The lion’s share is just fear-mongering,” he says. Many reports are built around leading questions and survey bias.
He gives an example: a startup focused on shadow IT commissions a survey asking, “Do you think shadow IT is a problem?” Unsurprisingly, 90 percent say yes. That statistic becomes the headline, “90 percent of companies see shadow IT as a threat,” followed by a call to buy their solution.
It is not wrong, but it is not useful either. “There’s no nuance,” Henry explains. “Good research puts problems into context and helps decision-makers prioritize.”
Why the Cybersecurity Market Is So Noisy
The cybersecurity vendor landscape is enormous, with thousands of companies all promising to solve a piece of the puzzle. This creates a hyper-competitive environment where everyone fights for attention. According to Henry, this intensity also explains the explosion of vendor research.
Buyers often make decisions based on trust, not just technical details. “Security is such a sensitive area,” he says. “Organizations prefer local or national players, and that creates small ecosystems in every country.”
This trust-based model fuels the demand for visibility and for research that signals authority. Unfortunately, the result is often a flood of content that sounds insightful but adds little substance.
What Makes Data Good
Henry defines good empirical data as unbiased, clearly sourced, and contextualized. “The worst thing you can do is write a report that only focuses on the problem you solve,” he warns. Decision-makers need perspective. They want to know not just that shadow IT or phishing is a problem, but how big that problem is compared to others.
Neutral, contextual reporting builds trust, and that trust pays off. “You need to eat your own dog food,” Henry says. “If you start believing your own marketing too much, you lose touch with reality.”
How to Detect Bad Research
In a memorable moment, Henry introduces his “BS checklist,” a practical way to evaluate the credibility of any cybersecurity report.
- Who’s behind it? Identify the author and their motivation. Is the research meant to inform or to sell?
- What’s the data source? Look for evidence-based data, such as product telemetry, incident response cases, or financial losses, not just survey opinions.
- Are the methods clear? Good research defines its terms. If a survey asks, “Have you had a security incident?” but never defines what that means, the results are meaningless.
- Can you cross-verify it? Check whether other sources support the same insight. If not, question the finding.
- Is it actionable? The best reports help decision-makers take clear next steps. If it’s just noise or fearmongering, it’s not useful.
It’s a lighthearted list, but Henry’s advice is serious. “Apply common sense,” he says. “Trust but verify.”
Examples of Credible Research
Not all vendor reports are bad. Henry highlights several that get it right.
Incident response analyses by managed security service providers use real-world cases to extract lessons.
Crypto analysis reports track ransomware payments with clear, factual, and data-driven insights.
Long-running studies like Verizon’s DBIR or IBM’s annual security reports are respected because they offer consistent, comparable data over time.
Cyber insurance insights are also valuable because they are objective and financially grounded, based on claims, losses, and risk calculations.
These examples share a common thread: they are solution-agnostic, empirical, and transparent about their data.
A Call to Common Sense
As the session wraps up, Henry leaves listeners with a simple but powerful message: “Trust but verify, and use common sense.”
In a field where hype often outweighs honesty, that might be the most valuable cybersecurity advice of all. For CISOs, analysts, marketers, and anyone shaping cybersecurity narratives, this episode is essential. It breaks down how to approach vendor research critically, design credible studies, and understand the motivations behind every chart and statistic.
Listeners walk away with:
- A clear framework for evaluating cybersecurity reports
- An understanding of what makes research credible and impactful
- Real-world examples of data-led studies that inform rather than sell
- Practical tips for building trust and reputation through transparency
In an age of information overload, credibility is currency. Henry Rõigas shows us how to earn it.
Listen now on CyberCast and learn how to get thought leadership right.