I’m not sure when the bubble began. Three years ago? Five? Security needs – driven by methodical risk management practices – took a backseat to new security “trends,” new product categories, and new startup companies. At some point, we passed the point of no return. IT security vendors began to outnumber IT security practitioners. Everyone became fixated on vendors with “silver bullet” solutions – at the expense of security fundamentals.
The result? No one has enough personnel to do security, but everyone has an army of security salespeople waiting to take them to lunch, to dinner, to the game… and to sell them another solution.
It’s time to stop running blindly toward the Next Great Thing. It’s time to hit the reset button on our security budgeting and prioritization efforts. We need to evaluate, test, scrutinize. Every solution needs the executive support, staff resources, and time it deserves to be successful.
We need to focus on expertise, not just tools.
We’ve Gone Supernova
The IT security market is exploding: it’s nearly $70B and growing every year1. By some counts, there are more than twelve hundred vendors selling cybersecurity solutions to us2. Investors and marketers know this and they’re lining up to capture their pieces of the pie.
At the 2016 RSA Conference, I counted more than 400 vendors and exhibitors proposing all sorts of fixes for your encryption, application, Cloud, access, virtual, orchestration, threat, incident, endpoint, SOC, web, messaging, mobile, identity, response, assessment, and GRC problems. There was literally a sea of vendors. The sound was like a present-day Tower of Babel, where no one spoke the same language; it was all buzzwords and blank stares.
The glut of vendors in the space is approaching a peak, presuming we haven’t already blown past that point.
Don’t Blame the Vendors
It’s an unsustainable and unfortunate situation: vastly more money and focus is spent by vendors figuring out how to sell to consumers than by consumers on how to buy from vendors. Forget how those consumers should evaluate, use, or manage solutions.
Vendors are as vendors do (apologies to that Gump guy). We can’t blame them for selling. The phrase “caveat emptor” – buyer beware – has never been more true, or more relevant, for our industry.
- Do you really need what you’re buying? Did you determine your security need first, before seeking out a vendor and solution? Or did someone in your organization get convinced of a “great need” by a steak dinner, a marketing campaign, an ad, a vendor pitch?
- Do you really know what you’re buying? How the solution is designed, how it will work in your environment, how it integrates, how it overlaps, complements, competes, and completes the other solutions you’ve already purchased?
- Are you staffing up to take advantage of all these new solutions? Can you report on how well all your other purchases have gone? Which are huge successes, which are mediocre, and which are sitting on a shelf completely untouched?
- How do you measure the utilization of your security solutions? Which solutions are you leveraging to their fullest potential? How do you know when your solutions have added new features, new functions, improved performance, or lost ground?
- What gets more funding in your organization: annual security solution renewal costs, or staff training and knowledge development? How do your budgeting priorities compare to those of your peers?
Don’t Tail Wag The Dog
It’s easy to accept and adopt a vendor’s “sample RFP” as your guiding document. Vendors can give you generic requirements and propose general use cases – and this may lend a façade of thoroughness – but it’s fundamentally backwards.
The “shelfware” phenomenon (software or computer resources paid for but unused or underutilized) represents 37% of IT spending by U.S. organizations3. That means more than one out of every three dollars spent goes down the drain. Why is that?
With some planning, your organization can move away from wasteful spending on unused and unusable products. By clearly defining short- and long-term needs, identifying gaps in controls, and vetting technical requirements, you can focus your spending on solutions with features and functions you will comprehensively utilize. You can measure twice, and cut once.
Attack the Status Quo
Make your vendors and solutions work for you, not the other way around:
- Analyze your annual spend (FTEs/contractors, new products, legacy solution renewals, training, audits/assessments) to gauge balance and priorities
- Root out shelfware – be ruthless!
- Define utilization levels on existing solutions – identify unused functions and features on existing solutions
- Determine where solutions overlap
- Find opportunities to consolidate
- ·Map FTEs to IT security categories and solutions
- Compare your technical controls coverage with peers
Define your unique needs and priorities before engaging vendors:
- Determine clear compliance requirements, control gaps, and functional shortcomings
- Drive toward audit/assessment recommendations in a measured way
- Employ a systematic requirements collection and analysis process
Get a real handle on vendor features and functions:
- Review industry and analyst recommendations
- Create a repeatable and defensible vendor evaluation process
- Press for substantive post-sales support
- Analyze “cooked” RFPs for vendor bias
Find the sweet spot:
- Insist on defined needs and requirements first, before evaluating anything
- Determine where your needs and requirements overlap with existing solution features and functions – can you do more with what you already have, or must you purchase something new?
- Research the market, find vendors independently, and assess their capabilities firsthand
- Validate with a rigorous evaluation in a Production-like environment
- Document your results
- Get organizational buy-in before finalizing any purchase
There’s Reason for Hope
By 2020, I believe the present cybersecurity vendor bubble will have burst. There’ll be fewer vendors, as customers push back, exerting long-overdue influence and pressing for consolidation, clarity, and differentiation. In the meantime, we’re deep in it: our priorities are wrong, our processes are broken, and we’re drowning in vendors.
My advice? Proceed cautiously, buy strategically, and base purchases on real research and planning. Invest in what you already have, especially your people. We’ll all be more secure if you do.
1 “Cybersecurity spending in the U.S., percent of GDP and USD billions, 2009-2017”, http://test.tiaonline.org/resources/market-forecast
2 “The 4 Kinds of Cybersecurity Customers”, http://www.networkworld.com/article/3024298/security/cybersecurity-customer-segments-in-2016.html
3 “The Real Cost of Unused Software,” November 2015
Sean Steele is Co-Founder, Managing Partner, Technology & Professional Services at Infolock.
- CISO, We Have a Problem
- Managed DLP Services
- Drowning in Data?
- Buying Bad
- Learning from the Equi-Fail
- Data is the New Black
- Data Loss in a Galaxy Far, Far Away
- Peak Vendor: Reclaiming InfoSec Priorities and Budgets in the Age of Big Marketing
- The Four Do’s of DLP
- Building a New MSSP, Overcoming the DLP Blame Game