The cybersecurity technology consolidation conundrum

If you are in the cybersecurity market, you’ve heard (or read) about the point tools problem hundreds – nee thousands – of times. Enterprise organizations base their cybersecurity defenses on dozens of point tools from different vendors. These point tools don’t talk to one another, making it difficult to get a complete end-to-end picture for situational awareness. This also leads to tremendous operational overhead, as the cybersecurity staff is called upon to act as the glue between disparate tools.

CISOs aren’t taking this situation lying down. According to ESG research, two-thirds of organizations (66 percent) are actively consolidating the number of cybersecurity vendors they do business. In other words, they are willingly buying more security technologies from fewer vendors. (Note: I am an employee of ESG.)

Vendor consolidation and tools integration makes a lot of sense, but there’s a fundamental problem with this strategy – it’s goes against a 20-plus-year culture of the cybersecurity community at large.

In reality, cybersecurity professionals have always been indoctrinated into buying best-of-breed products. This led to a situation where security technicians went out of their way to research and test numerous products, such as endpoint security software, firewalls, and IDS/IPS, with little regard for integration or the operational impact of this approach. Given this buying behavior, security vendors addressed the market with a transactional perspective. Sales people were conditioned to ask customers where they had budget dollars rather than what security challenges they were looking to solve.

It’s worth pointing out that we industry analysts became part of the best-of-breed culture, as well, through our magic quadrants, product assessments, tests, and waves. We test and recommend products, not solutions.

The shift to solution-based purchase decisions

It’s now 2019, and organizations are poised to eschew best-of-breed for vendor consolidation and integrated solutions. In my humble opinion, it’s the right decision but let’s be realistic here – we are fighting 20 years of embedded cultural bias, so it won’t be easy. CISOs are now being presented with consolidated solutions in areas such as threat defense (i.e. endpoint, network, sandbox, threat intelligence, etc.), cloud gateways (i.e. CASB, DLP, SDP, web proxy, etc.) and others. How will they decide whom to buy from when their instincts (and the staff they trust) are conditioned to go with best-of-breed products?

I have a few ideas and suggestions for how this will play out:

1. CISOs will get more involved in the procurement process. In a best-of-breed world, CISOs often delegated product decisions to the folks in the trenches. They will still enlist feedback, but as CISOs make larger bets on fewer vendors, they will embed themselves in the purchasing cycle. This is already happening – ESG research indicates that security vendor and tools consolidation has led to a situation where 38 percent of CISOs are significantly more involved in procurement decisions, while 46 percent of CISOs are more involved in procurement decisions. This means longer and more in-depth sales cycles. It also means that vendors must employ a dual path go-to-market strategy that targets CISOs and security technologists simultaneously.
2. Organizations need to think in terms of projects not products. Few organizations will rip and replace multiple security at once, as they want to avoid operational disruption and financial penalties associated with usurping product amortization timelines. This means that CISOs will have to replace individual products as part of longer-term projects. For example, firms may start by replacing legacy packet capture (PCAP) tools with modern network traffic analysis (NTA) alternatives, but then supplement NTA with tightly integrated endpoint detection and response (EDR), malware sandboxes, threat intelligence platforms, and security analytics over time. Once again, this is counterintuitive cybersecurity behavior, so infosec teams will need help from service providers and product vendors to guide them through product architectures that produce incremental value as tools are integrated together through multi-phased project milestones.
3. Metrics will be key. Vendors will push 1+1 = more than 2 messages around integrated product suites, but how will users know these claims are true? By establishing key performance indicators (KPIs) and metrics to gauge progress. There will be numerous metrics, but they will all bubble up to answering four key questions: Do integrated solutions improve cyber risk identification and mitigation? Do they improve security efficacy? Do they improve operational efficiency? Do they help align cybersecurity and business enablement? Every cybersecurity solutions vendor needs definitive proof points in each of these areas.

Clearly, organizations must think “outside the box,” with the “box” being a traditional best-of-breed cybersecurity mentality. To be successful, vendors must provide real cybersecurity, operational, and business metrics and guide customers through a solutions transition.

Yes, there’s a lot of uncertainty and competition ahead, but the opportunities seem worthwhile to me. The demand side can simplify cybersecurity technology and processes while improving prevention, detection, and response. On the supply side, winning vendors will garner bigger deals and closer relationships with customers.

Let the games (and transition) begin.