A symptom of the unhealthy relationship between cyber security and large firms
As we reach one of the high points of each year’s conference season, one has to reflect once more on the staggering number of products and vendors active across the cybersecurity space.
Once again, they will line up in their hundreds at Infosec in London and elsewhere. Of course, not all of them are making money; many are still burning the cash of their generous VCs. But the fact that such a crowded market continues to attract large amounts of investment is, in itself, bewildering.
In addition, many of those products still aim to address security requirements which are as old as security good practice itself, for example in segments such as security information and event management (SIEM) or identity and access management (IAM).
To see those segments so fragmented across so many players after 15 or 20 years of evolution is not the sign of a healthy marketplace.
They should have consolidated years ago, and each should by now be dominated by a handful of specialist players alongside the usual big names, all kept honest by healthy competition.
The fact that this has not happened simply tells us that buyers are not serious. They do not buy those products because they address a real business need; they buy them to put ticks in compliance boxes, to close down audit points or to support somebody's pet project. Or, very often, they buy in reactive mode, under pressure to show responsiveness after an incident, without any attempt, or time, to analyse the market, compare offerings and structure a defensive strategy.
Even if the "tick-in-the-box" market is huge, and GDPR has just made it bigger, nobody wins at that game in the long term: product development ends up driven by regressive, compliance-led dynamics instead of by the need to counter ever-evolving threats; poorly protected buyers get breached; and the industry at large stagnates.
In many large organisations, the situation has reached astounding levels: the 2019 Cisco CISO Benchmark Study reports that 37% of respondents have more than 10 security vendors to manage, and 3% have more than 50.
"Best-of-breed" may be an appealing concept in the security space, but as pointed out above, it is rarely the real reason behind product proliferation, and in practice it presents operational teams with considerable challenges. How do you orchestrate an efficient incident response when the data you need is scattered across so many platforms? How do you build an effective and meaningful reporting capability?
The situation is often compounded by the fact that many security tools end up only partially deployed, or cover only a fraction of the estate, whether functionally or geographically.
Firms which find themselves in that mess must stop buying more tech, look back at their genuine security requirements in relation to the threats they face and start building a consolidation strategy.
They should also look beyond the product marketplace and consider the ever-growing services offerings in that space. Managed security service providers (MSSPs) have been active for over 15 years, and the cloud has facilitated the emergence of a number of new players in recent years.
Consolidation and integration become key factors as the "when, not if" paradigm around cyber attacks takes centre stage with senior executives and their focus shifts away from risk and compliance towards execution and delivery.
All those who have been riding the compliance wave should bear that in mind.