Are there too many security vendors?

December 23 2019
by Daniel Kennedy


Introduction


Following the acquisition of Carbon Black this year, VMware CEO Pat Gelsinger reiterated a position that the cybersecurity market is broken. This is a continuation of the position he took in 2018, when he said companies are simply using too many dedicated security products, and that security had to be more intrinsic to infrastructure. It's unsurprising that a representative for a platform vendor would take this position, but he certainly isn't alone.

The 451 Take

With some suggestions that there are more than 1,200 vendors in the security space, and likely more if the tally of all the security vendors looked at by 451 Research's security analysts is taken, vendor saturation isn't a far-fetched notion. However, with only 7% of respondents to 451 Research's Information Security, Organizational Dynamics study saying the number of vendors was 'very difficult to manage,' this problem may be somewhat overblown, at least from the perspective of the average enterprise security manager.

Context


A quick Google search of the phrase 'too many security vendors' will produce pages of articles, anecdotes, and studies that cite some eye-popping figures for the number of security vendors, products or technologies in the average enterprise. These will be accompanied by a conclusion that this level of complexity is not sustainable, an idea enthusiastically supported by some platform vendors with security feature sets that are presented as being more advantageous because the capabilities are built in as opposed to bolted on. The recently released 2019 Information Security, Organizational Dynamics study examines this premise, looking at the average number of security vendors at organizations of different scales, as well as the perceived complexity of managing that number of vendors.

Number of security vendors


Figure 1
How many different security vendors does your organization currently use? (n=433) 451 Research's Information Security, Organizational Dynamics 2019

The average number of security vendors in an organization, according to the above-referenced study, is seven. That's considerably fewer than some of the numbers cited in security trade press sources. The number tracks closely to organizational size as shown, with the smallest companies averaging about three vendors, and the largest ones having about 15. It's important to note that this figure counts vendors, not products. There are a few reasons for asking the question this way; one is that while a single vendor may offer multiple products, the dividing line between products from a single vendor is not always a clear one, especially if multiple 'products' are required to provide what is in the customer's perception a single function. Product-level SKUs are not always meaningful beyond a commercial perspective.

Another factor is that for each vendor whose product is installed, there is some level of work around maintaining the relationship with that vendor. It is theoretically easier to buy a product or service, all other things being equal, from a vendor that has an existing relationship with an organization.

It is easier to manage a smaller number of vendors, as well as buy from vendors with established relationships. That perspective is reflected in some of the interview narratives gathered as part of this study:

If that's the case, why are there so many security vendors? Fifteen security vendors per large enterprise is still a big number. Two interesting points of view among security managers emerge, represented by the following two narratives. The first is a best-of-breed focus among security managers:

The second issue is rooted in the history of some acquisitions, where the product was a mainstay of a smaller security vendor, but upon acquisition was not necessarily foundational to the larger platform player or to the strategy of the acquiring firm:

Difficulty managing the number of vendors


Figure 2
How easy is it to manage the current number of different information security vendors? (n=433) 451 Research's Information Security, Organizational Dynamics 2019

To be sure, there are a lot of security vendors out there and frustrations with market complexity, especially around sifting through new products or services, or rationalizing and integrating existing products. Ironically, some of the complaints center on products not being atomic enough, or in other words, attempting to do more than solve the problem they were put in place for:

The market is in part sustaining that average of 15 vendors at large enterprises, as well as the number of offerings on the market. But as security budgets have ticked up continuously since 2008, the time period of the last serious economic contraction, it's reasonable to ask whether CISOs or their organizations will tolerate the overlap described above when cost-cutting becomes a greater concern, or whether the level of investment available to new security companies will be available. Amid all that, there are further legitimate discussions about whether certain targeted offerings are really features of another product masquerading as a complete product by themselves, or whether there are products offered to the enterprise CISO that potentially would be better targeted as a B2B supply side offering to another security product, rather than relying on the customer to patch this all together.