May 12, 2023

Last Updated on January 14, 2024

Now more than ever, a product-centric information security strategy is dangerous. I’ve always said that when you ask a CISO about their security program and they start describing products, that’s probably not a great CISO.

Because products are not the answer to security problems. First you need a risk-based security strategy that aligns with business drivers. Then you can select products that function as controls to address those specific risks and problems.

Beware the nonessentials

Otherwise, you can end up expending precious resources on “nice to haves” that overcomplicate your “need to haves.” Say you’re at a big trade show like the RSA Conference (RSAC), as I recently was. And you’re intrigued by the energy and hype around cloud security posture management (CSPM) today.

CSPM tools can be all over the map in terms of their capabilities. You might think, “Well, we only really need asset discovery, asset management, and vulnerability management right now. But Product X does all these other cool things…”

What I find in practice every day is that teams rarely find the time to implement those “nice to haves” unless they are very well staffed and funded. A high percentage of product suites out there are not fully implemented and nowhere near fully utilized.

Platforms are the way to go

Similar to the challenges with optimizing big product suites, integrating a best-of-breed mix from different vendors can be very difficult in practice. Many teams end up encountering “knowledge gaps” or “coverage gaps” trying to get their mixed-breed solutions to work.

Based on experience, we are increasingly recommending platform options to our SMB/SME clients for the above reasons.

Product overload

Another challenge with multi-vendor scenarios and product-centric security approaches is “product proliferation.” Integration, training, and management complexity skyrocket—especially when you have 50 to 100 security products. An analyst I spoke with at RSAC said his firm’s research showed that a number of the Global 2000 orgs have that many. I’m not surprised because even some smaller businesses we work with have dozens of security products.

Keeping track of all those licenses, keeping all those tools operational, making sure they’re updated… it’s next to impossible. This is yet another reason why platform vendors are growing in importance in this space.

The momentum to combine XDR and SIM capabilities is an example of the “platform” trend that was evident at RSAC. Those are two solutions that you can purchase together and that should work seamlessly together to make life easier for your security team.

Risky investments

Yet another reason to consider platform options from proven vendors is the sheer overload of startups out there, not all of which are going to survive. Investing in this year’s hot new product can be a risk.

For example, another analyst I met at RSAC mentioned a company he follows that had a $3 billion valuation about a year ago. Recently they had to raise $100 million because they’re burning through cash and haven’t hit run rate yet. And they’re now valued at $300 million. Which means they lost about 90% of their valuation in a short period of time.

His opinion is that their long-term prospects aren’t good. He also shared a parallel opinion: the current number of vendors in today’s security market is unsustainable.

What’s next?

For more insights on this topic, tune in to Episode 117 of The Virtual CISO Podcast, featuring Pivot Point Security CISO and Managing Partner, John Verry.

Considering hiring a Virtual Chief Information Officer?

There are many benefits to bringing in outside information security talent into your organization, but it must be done right to realize success.
Download our vCISO Roadmap now!