How companies are building their information security solutions in an ever-evolving vendor landscape, and what that means for vendors and investors
With the World Economic Forum rating a large-scale breach of cybersecurity as one of the five most serious risks facing the world today1, the Information Security (“infosec”) market has been evolving rapidly as infosec threats have proliferated. Coupled with its ascent as a boardroom topic, and an explosion of vendors serving the market, the infosec landscape has become more complex in recent years. With that context, we set out to understand how companies are compiling vendor solutions to meet their infosec needs.
EY-Parthenon conducted an online survey of 251 enterprise information security decision-makers across the US to learn more about how companies are deploying vendor solutions across the myriad segments of the infosec market (e.g., network and data security, endpoint security, identity and access management, etc). Through this research, we uncovered several key findings around vendor usage that will influence the information security market in the coming years:
- While companies generally prefer to work with best-of- breed vendors who can provide an integrated suite, they end up having to patch together offerings from multiple vendors in what ends up being a highly complex and fragmented infosec environment.
- Companies express a desire to consolidate the number of vendors they use, but the reality often proves more difficult and so they end up working with an ever increasing number of vendors.
- With a clear incentive to simplify and integrate solutions into a suite of products, companies seem largely underwhelmed by existing product suites.
- While obvious opportunities exist for infosec vendors to capture share by better serving customers through consolidation and improved product integration, the path to achieving this presents vendors with some strategic choices.
Does everyone use multiple vendors?
Our survey found that on average, companies deploy two or three vendors for each infosec domain2 where an external vendor is used. This held true for companies of all sizes and end-markets that we surveyed with the one exception being companies that have previously declared a security breach. These companies were almost twice as likely to use multiple vendors per domain as those that have not.
Commonly cited reasons for using multiple vendors were:
- Internal and external compliance requirements — Similar to the threat landscape, the regulatory landscape related to security and data privacy is ever-evolving. Companies must maintain security programs that keep up with both governmentally imposed and internal governance requirements, and often turn to vendors to achieve this.
- Multiple deployment options — Different vendors may be better suited for cloud vs. on-premise deployments.
- Integration with existing systems and applications — No single vendor may support all systems or applications that need to be protected.
How many vendors do companies want to use?
Having more vendors may provide a stronger sense of security, but it comes with trade-offs. An increased vendor count means added costs, complexity and management overhead. Perhaps that is why, (see figure 1), the majority of respondents in almost every category indicated that they prefer an integrated solution from a single vendor over the use of multiple, “best-of-breed” offerings. Respondents highlighted that in theory improved ease of use and better technical integration are drivers for their preference for integrated solutions. However, at the same time they were generally underwhelmed by the reality of supposedly integrated solutions, which in some cases are no more than disparate products loosely patched together and branded as an integrated suites.
This may explain an apparent disconnect between what decision-makers prefer and what they expect to happen. Across all infosec domains, the proportion of respondents who expect to consolidate vendors is much lower than the proportion who prefer to consolidate. In fact, 30% of respondents expect to increase the number of vendors used in the coming three years. A key driver of that expected increase is the fluidity of the security marketplace itself. Survey respondents indicated that the No. 1 pain point in pursuing infosec objectives is keeping up with the latest security vendors and technologies. This was cited as a more significant headache than responding to potential security incidents or finding or hiring technical staff (see Figure 2).
So while companies desire an integrated solution, they consider it infeasible for achieving the caliber of security program they require. Where the suite solution offers benefits, they currently are outweighed by the risk of letting a breach slip through the cracks.
Figure 1: Consolidation Opportunities
Q: Do you prefer the use of multiple vendors or would your company prefer a consolidated solution offered by a single vendor?
Q: How many information security solution vendors does your company currently use? How many do you expect that your company will use 3 years from now?
Figure 2: InfoSec pain points
Q: What are the most challenging pain points when pursuing your company’s information security objectives?
How should security vendors respond?
There are plenty of opportunities for vendors to capitalize on customers’ desire for a simplified landscape and savvy vendors have been marching down this path for some time. With time-to-market being a key consideration, building out product suites has most typically involved growth through acquisition versus developing new products organically.
The challenge facing vendors is therefore how to effectively patch disparate products into integrated suites. However, the scarcity of R&D/Engineering resources forces them into a difficult strategic decision:
- Is it more value-enhancing to utilize scarce R&D/Engineering resources in better integrating a combination of home-grown and acquired products into a suite? Or is it better to deploy these same resources on developing new products or adding functionality to existing products?
This involves a complex decision-set as different stakeholders will likely have differing points of view. For example, working on new product or added functionality is more likely to be favored by engineering teams looking to keep engineering talent motivated and engaged, as well as quota carrying sales teams looking for something new and improved to sell. In contrast, customer success or renewal teams may generally favor better integrating existing offerings. The choice gets no simpler when the aperture is broadened to also include customers who, in our survey, were tied on whether better product integration or some enhanced capabilities were the best way for vendors to improve their offerings.
Figure 3: Vendor areas for improvement
Q: What could your company’s infosec vendors do to most improve the way in which they address your company’s needs?
About the EY-Parthenon Infosec Market Study 2018
For more insights on Information Security, see EY’s 2017-2018 Global Information Security Study
The EY-Parthenon 2018 Information Security Market Study is a survey of senior information security decision-makers in the US with the objective of understanding how they are assembling security programs across different domains and where opportunities for suite solutions may exist. The study included analysis of 20 information security domains, across network security, endpoint security, identity and access management, and vulnerability management.
This survey of 251 respondents from companies ranging from small and midsize businesses to Fortune 500 organizations.
EYG no. 011376-18Gbl
Managing Director, Co-head of Technology
Ernst & Young LLP
Ernst & Young LLP
Ernst & Young LLP
Ernst & Young LLP
1 World Economic Forum, “Global Risks 2018: Fractures, Fears and Failures,” reports.weforum.org/global-risks-2018/global-risks-2018-fractures-fears-and-failures/
2 The four infosec domains studied were as follows:
- Network security — SSL VPNs, web content filtering, web application scanning, network firewalls, network intrusion detection/prevision systems (NIDS/NIPS), deception and attack simulation
- Endpoint security — antivirus, anti-spam/email security, secure file transfer, mobile device management and host-based intrusion detection/prevention systems (HIDS/HIPS)
- Identity and access management — multifactor authentication, authorization and access control, SSO/identity as a service/identity federation and cloud access security brokers (CASBs)
- Vulnerability management — patch management, log management system, security information event management (SIEM), vulnerability/risk assessment/scanning