Cybersecurity pros want the computer industry to push for vendor consolidation and open standards.
This major change in how IT pros safeguard networks is long overdue, according to new research by the Information Systems Security Association (ISSA) International and independent industry analyst firm Enterprise Strategy Group (ESG), a division of TechTarget.
The push toward vendor consolidation and open standards is driven by the buyers themselves who are challenged by the increasing complexity, costs, and hype of best-of-breed technology “tool sprawl.”
Nearly half (46%) of organizations are consolidating or plan on consolidating the number of vendors with whom they do business. Concerned over the growing complexities of security operations, 77% of infosec pros would like to see more industry cooperation and support for open standards promoting interoperability.
Thousands of cybersecurity technology vendors compete against each other across numerous security product categories. Organizations want to optimize all security technologies in their stack at once.
Vendors supporting open standards for technology integration will be best positioned to meet this change in the industry, according to the research report.
“Given that nearly three-fourths (73%) of cybersecurity professionals feel that vendors engage in hype over substance, the vendors that demonstrate a genuine commitment towards supporting open standards will be best positioned to survive the industry-wide consolidation taking place,” said Candy Alexander, board president, ISSA International.
CISOs have been so overburdened with vendor noise and dealing with security “tool sprawl” that for many a wave of vendor consolidation is like a breath of fresh air, she added.
Shift to Security Platforms
ESG conducted the study of 280 cybersecurity professionals, most of whom are ISSA members. The results, released last month, focused on security processes and technologies, and show that 83% of security professionals believe that future technology interoperability depends upon establishing industry standards.
Details of the report exhibit a cybersecurity landscape that looks favorably toward security product suites (or platforms) as it moves away from a defense-in-depth strategy based on deploying best-of-breed cybersecurity products. That approach is based on historical precedent that has steadily increased organizational complexity and contributed to substantial operations overhead.
“The report reveals a massive change taking place within the industry, one that for many feels like a long time coming,” said Jon Oltsik, senior principal analyst and ESG fellow.
“The fact that 36% of organizations might be willing to buy most security technologies from a single vendor speaks volumes to the shift in purchasing behavior as CISOs are openly considering security platforms in lieu of best-of-breed point tools,” he added.
Why the Jump From Best-of-Breed
The number of competing security suites has skyrocketed, with many organizations managing 25 or more independent security tools. It follows that security professionals are now balking at the need to juggle so many independent security products to do their jobs.
Managing an assortment of security products from different vendors has increased training requirements, difficulty getting a holistic picture of security, and the need for manual intervention to fill the gaps between products. As a result, 21% of organizations are consolidating the number of cybersecurity vendors they do business with, and another 25% are considering consolidating.
“In general, it has gotten too hard to purchase, implement, configure, and operate lots of different tools, let alone the ongoing support relationship with vendors. Consolidation makes management/operations sense,”.
That ongoing complexity is influencing 53% of cybersecurity pros to purchase security technology platforms rather than best-of-breed products. The study showed 84% of respondents believe that a product’s integration capabilities are important, and 86% see it as either critical or important that best-of-breed products are built for integration with other products.
Tighter integration between previously disparate security controls rather than best-of purchases are a primary need, according to 60% of IT teams. Improved threat detection efficiency such as accurate high-fidelity alerts and better cyber-risk identification was on the wish list choice for 51%.
Generalized Government Mandates
The cybersecurity products cover the basics, noted Oltsik. That includes a range of products for antivirus software, firewalls, some type of identity management system, and endpoint encryption.
“In many cases, these technologies are mandated by government and industry regulations,” he added. “The biggest influencer in cybersecurity protection is the U.S. federal government that can and has mandated certain standards.
For example, the Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas. The in-process Cybersecurity Maturity Model Certification (CMMC) standard demands certain security certifications for DoD vendors.
“We have also seen standards come out of the industry, like the activity of the Organization for the Advancement of Structured Information Standards (OASIS) and other OASIS standards. Just this week, we saw the introduction of the open cybersecurity framework (OCSF), a standard data schema for security data. There are many identity management standards as well,” he said.
Seeking Common Security Ground
After reviewing this data, ESG and ISSA recommend that organizations push their security vendors to adopt open industry standards, possibly in cooperation with industry Information Sharing and Analysis Centers (ISACs). Also, there are a few established security standards from MITRE, OASIS, and the Open Cybersecurity Alliance (OCA) available.
Many vendors speak favorably of open standards, but most do not actively participate or contribute to them. This lukewarm behavior could change quickly, however.
For that to happen, cybersecurity professionals — especially organizations large enough to send a signal to the market — establish best practices for vendor qualification.
Also, they need to push for process requirements that include adopting and developing open standards for technology integration as part of the comprehensive process for all security technology procurement, according to the report.
Cybersecurity standards and vendor consolidation will strengthen the cybersecurity landscape against the constant rise in cyber threats by easing product development and integration. That will let the industry and security teams focus more on innovation and security fundamentals and less on building connectors for interoperability, Oltsik explained.
He sees a chance of these efforts being supported within the industry.
“It is starting to look like some industry leaders are cooperating. I would point to OCSF where 18 vendors agreed to support it,” he said.
This group includes numerous leaders — AWS, CrowdStrike, IBM, Okta, and Splunk for starters. Another potential driver would be the backing of large security technology customers, he added.
Oltsik concluded, “If Goldman Sachs, GM, Walmart, and the U.S. federal government said they would only buy from vendors supporting OCSF, it would really influence the industry.”