First there was the boom – now there’s the bust. Organizations that invested in myriad new solutions to handle the complexity of myriad security problems now have a different problem on their hands – how do you handle all of the vendors?
Companies are finding there’s a different kind of noise when too many providers are in the mix, and they’re looking to cut back. They still need the effectiveness that these solutions provide; they just don’t need the hassle of learning a gaggle of different companies and dealing with the unique bit of bureaucracy that inevitably comes with each one. Security today is all about running lean, and too many chefs spoil the soup. Read on to learn the advantages of vendor consolidation and how having a single source for proactive security tools like penetration testing and vulnerability management can be particularly beneficial.
What is Vendor Consolidation?
Vendor consolidation is the well-known practice of reducing the number of security vendors by buying multiple solutions from a single provider. But why is it being seen more and more these days in cybersecurity?
Cybersecurity tools (and consequently, companies) proliferated at an incredible rate over the past several years, due to a number of reasons. First, the demand for solutions was out there, as increasing threats of growing complexity drove the need for new solutions.
Second, there were not (and still are not) enough qualified cybersecurity specialists to fill the jobs. What was lacking in personnel was made up for in technology. Soon, a new tool for every niche problem could be found on the market, and organizations grabbed them up by the dozens.
The Need for Vendor Consolidation: By the Numbers
According to a study by the Ponemon Institute, the average company employs roughly 45 security tools. Each of those tools requires maintenance, training, reporting, integration, and in many cases, annual renewal. In a sense, we’ve traded one set of problems for another, and companies today are looking to consolidate.
Vendor consolidation is increasingly gaining steam among security practitioners. As noted in the 2023 Pen Testing Report, 80% of participants consider vendor consolidation to be at least somewhat important.
This indicates that the vast majority assign at least some level of importance to getting tool sprawl under control by reducing the number of vendors.
The trend we see now is organizations looking for Swiss Army Knife solutions, platforms that can easily integrate with others, and ways to do more with less. It’s no wonder, as it takes a team of trained cybersecurity analysts just to run the full gamut of tools successfully. More often than not, you end up with tool sprawl, and solutions languish unused on the shelf (hence the term “shelfware”). Money is wasted, time is wasted, and without having all tools integrate into one centralized hub (like a control panel or dashboard), the number of disparate streams of data and accumulated alerts leaves SOCs just as disoriented as when there were none. Too much of a good thing ceases to be a good thing. All of these elements trend towards the same conclusion: Security needs to simplify.
Benefits of Going with a Single-Vendor Suite
- Fewer vendors equals fewer vectors. Supply chain attacks are rampant, and each new vendor you bring into your environment brings their own separate ecosystem with them. The fewer you have, the less risk you introduce. It’s one thing to vet a single provider for compatible security policies and secure source code; it’s another thing to do it for the 76 or more that companies deal with on average. When you consider that at least one code vulnerability was found within 84% of code bases, reducing the number of providers yields a significant reduction in possible attack outcomes.
- Unified sales and support for multiple tools. When something goes wrong, it’s rarely ever one thing. Having the expertise to troubleshoot all involved technologies when you reach out to technical support isn’t only convenient, it’s smart. By having a subject matter expert that understands the interoperability of the entire suite, you can help ensure a big-picture fix and make sure fixing one tool won’t interfere with another. Not only will they understand the tools, but going with a single vendor means that they’ll know you – your company, your SOC, your goals, and your problems – and understand best how to meet your needs.
- Reduced administration. Research indicates that workers waste six weeks per year on unnecessary administrative tasks, and 58% of workdays are spent managing work (rather than doing it). Sound familiar? Trainings, meetings, deployments, SLAs, and more are all cut back when you consolidate the number of vendors in your ecosystem. That way, your SOC can spend that time on more important things – like securing the enterprise.
- Integration/interoperability between tools. While many solutions may have some useful and time-saving features, you have to consider their value in an overall cost/benefit equation. After all the time and resources it will take to integrate this tool into our existing stack, will the few salient features still be worth it? And does our dependence on this tool rest with a single person, or are there enough people trained on all the security tools to keep the ship afloat even if someone should leave? Security stability and longevity become more fragile the more solutions you have.
- Bundle opportunities for reduced cost. A provider will often offer services at a reduced price when you invest in a suite of them. This allows you to try new opportunities, technologies, and platforms at a reduced cost risk. It also gives you someone in your corner to provide expert-level advice as you select which tools will work best with your environment and give feedback as you fine-tune your security stack.
- Establishing relationships with vendors you trust. To be truly effective, enterprises and vendors not only need to interface when the platform is deployed, but consistently thereafter. New solutions are going to take some breaking in, they’ll come with the gamut of usual queries, and there will be multiple opportunities to either build bridges or create frustration. The more you work with a vendor you trust, the more they learn about your particular security goals and strategies, and the better they can help you find the tools to achieve them.
Consolidating Vendors with Fortra
Offensive security is one area in particular that benefits from a holistic view. Assessing the state of your security is a job that takes multiple solutions, and being able to find those solutions under the same umbrella has numerous advantages, particularly when they can integrate. Finding a vendor that successfully combines all necessary technologies is key to ensuring streamlined, monitored growth as you progress in your security journey.
Fortra offers vulnerability management, pen testing, and red teaming tools, allowing you to assemble your proactive security portfolio all in one place, choosing the combination that best fits the needs and security stance of your organization. Each one of our bundle offerings provides centralization and reduced console fatigue that will enhance and accelerate your security.
Want to learn more about the benefits of vendor consolidation?
Explore the Complete Guide to Layering Offensive Security to find out about combining different proactive solutions.