Firms would prefer to use fewer infosec vendors, but don’t expect to

17 October 2018

Though companies would like to work with a single information security vendor across security domains, various demands force the use of multiple vendors. Infosec leaders surveyed by strategy firm EY-Parthenon don’t expect the situation to change anytime soon, however.

Through information security, or infosec, organizations attempt to prevent the data and info breaches that can be ruinous to a company’s reputation, customer relationship, and bottom line. Infosec professionals have to protect against viruses, worms, Trojans, phishing attacks, and the risky practices of employees that open the business to such threats.

As firms have become more digitalized, the infosec landscape has become more complex, with an explosion of systems and applications needing to be secured – as well as a requisite swelling of the number of infosec vendors on the market.

In a new survey from strategy consulting firm EY-Parthenon – which queried 251 enterprise infosec leaders – the consultancy found that while companies would like to use an integrated security suite from a single vendor, they instead have to patch together services from multiple vendors. Though the desire is there, firms don’t expect their currently complex and fragmented infosec environment to change for the simpler.

EY-Parthenon’s survey found that, on average, companies use two to three vendors for each of the four infosec domains – network security, endpoint security, identity and access management, and vulnerability management. Companies which had a previous security breach were almost twice as likely to use multiple vendors per domain.

Consolidation Opportunities

Reasons cited for using multiple vendors included a constantly shifting regulatory environment (e.g. GDPR) which means turning to yet another vendor; the fact that different vendors might be better suited for cloud versus on-premises systems; and the reality that no single vendor supports all of the company’s systems and applications that require protection.

Most respondents in almost every category, however, said that they would prefer an integrated solution from a single vendor – meaning less management overhead, lower costs, and lower complexity. Unfortunately, respondents are underwhelmed by current integrated solutions, which are often disparate products that are loosely patched together.

Respondents don’t expect to realistically be able to consolidate infosec vendors, with 30% believing that they will actually increase the number of vendors used in the next three years. With new threats arising and more systems to protect, IT professionals are under intense pressure to keep their organizations as secure as possible.

“While companies desire an integrated solution, they consider it infeasible for achieving the caliber of security program they require,” notes the report, co-authored by Barak Ravid, Clark O'Niell, Spencer Lee, and Adele Young. “Where the suite solution offers benefits, they currently are outweighed by the risk of letting a breach slip through the cracks.”

Scarcity of R&D and engineering resources means that vendors have a tough strategic choice on whether to work on new products and functionality, or whether to effectively build products into an integrated suite. While customer success or renewal teams might favor better integration, engineering teams will favor work on new products, while sales teams will also push for new products as a more appealing sales motivator.

Even customers, though, are split, with EY-Parthenon’s survey revealing a tie between enhanced product capabilities and better product integration as the best avenues for vendors to improve their offerings.