Following the acquisition of Carbon Black this year, VMware CEO Pat Gelsinger reiterated a position that the cybersecurity market is broken. This is a continuation of the position he took in 2018, when he said companies are simply using too many dedicated security products, and that security had to be more intrinsic to infrastructure. It's unsurprising that a representative for a platform vendor would take this position, but he certainly isn't alone.
The 451 Take
Number of Vendors
Another factor is that each vendor whose product is installed carries some ongoing work in maintaining the relationship with that vendor. All other things being equal, it is easier to buy a product or service from a vendor with which the organization already has a relationship.
It is easier, in other words, both to manage a smaller number of vendors and to buy from vendors with established relationships. That perspective is reflected in some of the interview narratives gathered as part of this study:
"We like to stick with existing vendors unless there's a good reason to look at a new one…"
–IT/Engineering Managers and Staff, 10,000-49,999 employees, $10bn+ revenue, Financial Services
If that's the case, why are there so many security vendors? Fifteen security vendors per large enterprise is still a big number. Two points of view among security managers help explain it, each represented by the narratives below. The first is a best-of-breed focus, in which managers deliberately avoid depending on a single vendor:
"I believe in diversity. I believe in doing your homework and finding the best solution…. Whether it's physical security, whether it's network security, or endpoint security, even database security, you really need to do your homework. You can't find all that in one vendor. I mean, a lot of them will say, 'Oh, yes, we got everything.' But do you really want to get everything you need from one vendor? Putting all your eggs in one basket?"
–Midlevel Management, 10,000-49,999 employees, $500m-999.99m revenue, Education & Training
"I don't prefer one vendor for everything. My preference is based upon who the right fit is, and if it becomes where a single one has more, that's fine, but I don't like to put all my eggs in one basket."
–Midlevel Management, 5,000-9,999 employees, $500m-999.99m revenue, Consumer Retail Products & Services
The second is a wariness rooted in the history of some acquisitions: a product that was the mainstay of a smaller security vendor is, once acquired, not necessarily foundational to the larger platform player or to the acquiring firm's strategy, so buyers hedge by spreading purchases across vendors:
"[With multiple security vendors] the biggest problem is market consolidation. You know big ones eat the little ones. So when a [larger platform vendor] buys up somebody, is that product going to be supported two years, three years down the road or, as is more likely in the case, does it just die a very quiet, private death?"
–IT/Engineering Managers and Staff, 10-49 employees, $2.50m-4.99m revenue, Construction & Environmental Services
"[When they buy tech companies, private equity firms] trim down, shave off all the areas that are under development. They buy several companies, put them under the umbrella and without investing any more money into the technology they are trying to squeeze out every single penny from their investors…. When we're onboarding a new company, I really need to know who owns them. Why? Because if it's a private equity firm, good luck getting new features."
–IT/Engineering Managers and Staff, 2,000-4,999 employees, $1bn-2.49bn revenue, Financial Services
Difficulty Managing the Number of Vendors
"[With vendors] one problem is just the overlap…. Everything's trying to become unified threat management, where they do a bunch of different solutions. And so we have this giant matrix of, 'Okay, for this data loss prevention, we've actually got four different products that can do it, but what's our primary one, our default one?' And so I think that's a challenge."
–IT/Engineering Managers and Staff, 100,000+ employees, $10bn+ revenue, Food, Beverage and Agriculture
"One of the most frustrating things is… one vendor might do three or four things really well and two things quite badly. So no matter what happens there, we'd end up with three vendors. And we have had regional proliferation as well, where we see the same problem solved by two different tools, which we're also trying to get our arms around."
–Midlevel Management, 10,000-49,999 employees, $10bn+ revenue, Financial Services
"We find that we buy a product, we use 20% of its functionality. We buy another product and use 20% and another and use 20%, and guess what: 15% of that 20% is replicating the other two products we already have…. We're not doing a great feature rationalization.… [And] just the bloat we have – on the endpoint systems, in particular, we have all these agents."
–Senior Management, 10,000-49,999 employees, $10bn+ revenue, Telecommunications
The market itself helps sustain both that average of 15 vendors at large enterprises and the number of offerings available. But security budgets have ticked up continuously since 2008, the time of the last serious economic contraction, so it is reasonable to ask two questions: whether CISOs or their organizations will continue to tolerate the overlap described above once cost-cutting becomes a greater concern, and whether the level of investment that new security companies have enjoyed will persist. Amid all that, there are further legitimate questions about whether certain narrowly targeted offerings are really features of another product masquerading as complete products in their own right, and whether some products now sold to the enterprise CISO would be better positioned as B2B supply-side components of another security product, rather than relying on the customer to patch it all together.
Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.
Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received
Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation