In any other IT technology solution, from productivity suites, CRM, or financial applications, product suites are a logical way forward. Single source of vendor provides vendor consolidation, savings on cost, support, and maintenance requirements. It makes perfect sense. However, very few organizations have been compromised based on their buying decision around a CRM solution. They are forgiving solutions with little or no blowback to the organization if things go wrong.

The Exception to the Rule

Cybersecurity, on the other hand, is a multi-faceted beast with many different disciplines, and if you get it wrong there is going to be a lot of blowback. To the point where it may jeopardize the entire organization. Cybersecurity vendors typically evolve from a single successful product and focus. As a vendor’s success grows, they feel pressured by customers and Board Members alike to provide more value, so additional solutions are concocted and added to the product portfolio. Either built in-house or via acquisition, that’s when the core focus is lost, or at least diluted. Stepping outside of a vendor’s comfort zone into uncharted technologies and away from their core competence can be an expensive learning curve.

From perimeter protection, endpoint protection, data in transit, to data at rest, the diversity of distinctive complex technologies is staggering.  Combine that with the depth of knowledge needed to build and sustain a single vendor portfolio of solutions, it becomes an almost impossible task. A single vendor just can’t compete across the entire product suite to achieve “best-in-class” standards – especially against smaller, single focused vendors.

Further reading:

Compromises Can Lead to Compromise

In reality, product suites are a compromise. The large vendor’s core technology and expertise are often the main value proposition and focus for the customer, while the supporting solutions are there for customer convenience and the vendor’s revenue growth. The primary vendor solution maybe “best-in-class” but the supporting suite products are typically second or third tier solutions at best.

With so many different attack vectors, there is no one silver bullet product suite to provide ultimate coverage. Many large vendors try to cover all these bases when in fact they just provide additional gaps in the defenses. These gaps are primarily due to inferior architectures, a product’s lack of depth, and even scarer engineering resources.

Organizations ultimately need two enablers for a successful business. Security and availability. You can’t have one without the other. Cybersecurity is perhaps the only industry where best-in-class solutions make perfect sense and mediocre products sold as part of a suite can potentially lead to compromise. Especially if that mediocre product is the last line in your defenses. That last line of defense is your sandbox. Compromising on a suite product that’s “good enough” over a best-in-class product may be not enough.

Further reading: