The plethora of commercial security products available today is staggering. At no juncture is this more apparent than when your security team is looking to trade up on legacy equipment or add a new capability to your already-bountiful trove of technology. Given today’s threats and organizations’ desires to minimize cyber disruptions so that employees can work fluidly towards new growth strategies, cybersecurity spending is definitely not on the decline.
However, an overabundance of individual tools in an IT environment comes with its own set of challenges, and security teams, already short staffed and overworked, are looking for ways to lessen the burden on personnel. Chasing down hundreds of thousands of alerts—including false positives—that result from the organization’s toolset is not a method of creating greater efficiency (however important it may be).
Over the years we’ve watched the security product market expand then consolidate through acquisition (wash, rinse, repeat), providing acquirers of best-of-breed solutions the opportunity to build out and sell security suites. The theory behind suites is simple: one “single pane of glass” through which to view your security defensive capabilities. The reality, though, is slightly more complex. Suites have some clear advantages over groupings of disparate point solutions, but the reverse is also true. What’s evident is that there’s no one-size-fits-all when it comes to tooling up your security infrastructure. The only way to know for sure what’s right for you is to conduct a detailed analysis of your threat landscape, current capabilities, and resources (budget and human), then map them to the organization’s desired state.
To help you in your journey, Infosec Insider tapped two security executives to learn their perspective on the pros and cons of buying point products versus suites.
Point product vs. integrated solution
Todd Fitzgerald, Managing Director of CISO Spotlight, LLC, has had a long career as a security leader and has thus weathered many technology purchasing discussions and decisions. He knows the benefits of buying the right tool and the headaches of implementing the wrong one. With that in mind, he says that there is no “right” or “wrong” decision when it comes to choosing best-of-breed vs. suite—if that’s the only criterion.
The technology an organization chooses to implement, he offers, “depends on the maturity of the current product for the problem you are trying to address.” He points to security analytics and artificial intelligence tools as “fairly immature” categories. In the case of newer technologies, he says, it might not be prudent to buy a point solution (yet), but instead look at suite offerings that incorporate elements of these products to be able to “check the box.”
For technologies that have proven themselves as a commodity, Fitzgerald says that suites are a safe and effective bet. “Antivirus suites, for example, with spam blocking, real-time scanning, automatic updates, vulnerability scanning, firewall blocking, VPN support, etc. incorporate a bit of everything and work well.”
That said, Fitzgerald also points to the fact that “funded startups may have some really cool ideas…but they’re not yet proven.” Either CISOs of large companies that have the budget and person power or cutting-edge CISOs at private organizations might be able to experiment with new technologies, but buying the latest and greatest might not be an option for everyone. In these cases, niche firms that have demonstrated success in categories like behavioral analysis, says Fitzgerald, “may be better to pursue as a point solution instead of a suite that can’t compete capability wise.”
From a cost perspective, says Kevin Ricci, Director within Citrin Cooperman’s Technology and Risk Advisory Consulting team, “deploying a security suite that combines all of the required solutions into a single platform is more cost effective to implement than purchasing and rolling out several diverse point solutions.” Though cost isn’t the only factor, he warns, no company has unlimited funds. Allocating funds prudently, especially if a suite encompasses adequate capabilities, might be the best choice for certain categories of purchases.
Another tricky issue for security teams is tool integration. Because the product landscape is vast, and in many cases enterprise technology has been added on an “as needed” basis, ensuring integration between point solutions can pose significant challenges, especially if the organization has older equipment that can’t sit comfortably alongside newer technologies. When it comes to making all of the organization’s tools play well together, says Ricci, “leveraging a suite of security solutions will ensure that they can co-exist without issue, versus having to deal with the potential conflicts (e.g., updates, resources, information sharing, etc.) of integrating point solutions from different vendors.”
Every organization will have to conduct a cost-benefit analysis (when the time comes) before deciding if it’s worth the effort to integrate disparate solutions or rip and replace with a suite. Don’t forget, though, that personnel time and effort are part of that equation, on top of whatever dollar outlay it takes to acquire the new tool.
When it comes to deciding between a best-of-breed point solution and an integrated suite, both experts say that leading practice is for security teams to conduct a thorough evaluation—of both what’s commercially available and what’s required for your organization to improve its security defenses. Industry analysts, peers/colleagues, and non-vendor supplied product reviews are just a few resources companies can use in their market analysis.
Based on this groundwork, create a shortlist of potential candidates that fit your environment, says Fitzgerald, and develop an RFP that focuses on “the Top 20—not two hundred!” most important criteria for your business. Once you have narrowed your field, he says, “bring in the vendors to present. If the vendor is a point solution, be sure to understand integration capabilities right out of the box. Ask for the best and final pricing, and the choice usually comes clear.”
Interested in learning more best practices for tooling your security program? Attend InfoSec World 2018 in Orlando, Florida, March 19th-21st, where Chuck will present on IT integration challenges. Todd will co-lead the CISO Leadership Summit on March 18th, where attendees will learn and practice techniques for being a better leader, not just a boss.