Introduction

Following the acquisition of Carbon Black this year, VMware CEO Pat Gelsinger reiterated a position that the cybersecurity market is broken. This is a continuation of the position he took in 2018, when he said companies are simply using too many dedicated security products, and that security had to be more intrinsic to infrastructure. It's unsurprising that a representative for a platform vendor would take this position, but he certainly isn't alone.


The 451 Take

With some estimates putting the number of vendors in the security space above 1,200, and the figure likely higher still if every security vendor tracked by 451 Research's security analysts is counted, vendor saturation isn't a far-fetched notion. However, with only 7% of respondents to 451 Research's Voice of the Enterprise: Information Security, Organizational Dynamics study saying the number of vendors was 'very difficult to manage,' this problem may be somewhat overblown, at least from the perspective of the average enterprise security manager.



Context

A quick Google search of the phrase 'too many security vendors' will produce pages of articles, anecdotes, and studies that cite some eye-popping figures for the number of security vendors, products or technologies in the average enterprise. These are usually accompanied by the conclusion that this level of complexity is not sustainable, an idea enthusiastically supported by some platform vendors whose security feature sets are presented as more advantageous because the capabilities are built in rather than bolted on. The recently released 2019 VotE: Information Security, Organizational Dynamics study examines this premise, looking at the average number of security vendors at organizations of different scales, as well as the perceived difficulty of managing that number of vendors.

Number of Vendors


The average number of security vendors in an organization, according to the above-referenced study, is seven. That's considerably fewer than some of the numbers cited in security trade press sources. The number tracks closely to organizational size, as shown, with the smallest companies averaging about three vendors and the largest ones about 15. It's important to note that this counts vendors, not products. There are a few reasons for asking the question this way. One is that while a single vendor may offer multiple products, the dividing line between products from a single vendor is not always clear, especially if multiple 'products' are required to provide what the customer perceives as a single function. Product-level SKUs are not always meaningful beyond a commercial perspective.

Another factor is that for each vendor whose product is installed, there is some level of work around maintaining the relationship with that vendor. It is theoretically easier to buy a product or service, all other things being equal, from a vendor that has an existing relationship with an organization.

It is easier to manage a smaller number of vendors, and easier to buy from vendors with established relationships. That perspective is reflected in some of the interview narratives gathered as part of this study:

"We like to stick with existing vendors unless there's a good reason to look at a new one…"
–IT/Engineering Managers and Staff, 10,000-49,999 employees, $10bn+ revenue, Financial Services

If that's the case, why are there so many security vendors? Fifteen security vendors per large enterprise is still a big number. Two interesting points of view among security managers emerge, represented by the following two narratives. The first is a best-of-breed focus among security managers:

"I believe in diversity. I believe in doing your homework and finding the best solution…. Whether it's physical security, whether it's network security, or endpoint security, even database security, you really need to do your homework. You can't find all that in one vendor. I mean, a lot of them will say, 'Oh, yes, we got everything.' But do you really want to get everything you need from one vendor? Putting all your eggs in one basket?"
–Midlevel Management, 10,000-49,999 employees, $500m-999.99m revenue, Education & Training

"I don't prefer one vendor for everything. My preference is based upon who the right fit is, and if it becomes where a single one has more, that's fine, but I don't like to put all my eggs in one basket."
–Midlevel Management, 5,000-9,999 employees, $500m-999.99m revenue, Consumer Retail Products & Services

The second issue is rooted in the history of some acquisitions, where the product was a mainstay of a smaller security vendor, but upon acquisition was not necessarily foundational to the larger platform player or to the strategy of the acquiring firm:

"[With multiple security vendors] the biggest problem is market consolidation. You know big ones eat the little ones. So when a [larger platform vendor] buys up somebody, is that product going to be supported two years, three years down the road or, as is more likely in the case, does it just die a very quiet, private death?"
–IT/Engineering Managers and Staff, 10-49 employees, $2.50m-4.99m revenue, Construction & Environmental Services

"[When they buy tech companies, private equity firms] trim down, shave off all the areas that are under development. They buy several companies, put them under the umbrella and without investing any more money into the technology they are trying to squeeze out every single penny from their investors…. When we're onboarding a new company, I really need to know who owns them. Why? Because if it's a private equity firm, good luck getting new features."
–IT/Engineering Managers and Staff, 2,000-4,999 employees, $1bn-2.49bn revenue, Financial Services

Difficulty Managing the Number of Vendors

To be sure, there are a lot of security vendors out there, and there are real frustrations with market complexity, especially around sifting through new products or services, or rationalizing and integrating existing products. Ironically, some of the complaints center on products not being atomic enough, or in other words, attempting to do more than solve the problem they were put in place for:

"[With vendors] one problem is just the overlap…. Everything's trying to become unified threat management, where they do a bunch of different solutions. And so we have this giant matrix of, 'Okay, for this data loss prevention, we've actually got four different products that can do it, but what's our primary one, our default one?' And so I think that's a challenge."
–IT/Engineering Managers and Staff, 100,000+ employees, $10bn+ revenue, Food, Beverage and Agriculture

"One of the most frustrating things is… one vendor might do three or four things really well and two things quite badly. So no matter what happens there, we'd end up with three vendors. And we have had regional proliferation as well, where we see the same problem solved by two different tools, which we're also trying to get our arms around."
–Midlevel Management, 10,000-49,999 employees, $10bn+ revenue, Financial Services

"We find that we buy a product, we use 20% of its functionality. We buy another product and use 20% and another and use 20%, and guess what: 15% of that 20% is replicating the other two products we already have…. We're not doing a great feature rationalization.… [And] just bloat we have – on the endpoint systems, in particular, have all these agents."
–Senior Management, 10,000-49,999 employees, $10bn+ revenue, Telecommunications

The market is, in part, sustaining that average of 15 vendors at large enterprises, as well as the number of offerings on the market. But security budgets have ticked up continuously since 2008, the time of the last serious economic contraction, so it's reasonable to ask whether CISOs or their organizations will tolerate the overlap described above when cost-cutting becomes a greater concern, or whether the current level of investment in new security companies will continue to be available. Amid all that, there are further legitimate discussions about whether certain targeted offerings are really features of another product masquerading as complete products in their own right, and whether some products sold to the enterprise CISO would be better positioned as a B2B supply-side offering to another security product, rather than relying on the customer to patch it all together.

Daniel Kennedy
Research Director, Voice of the Enterprise: Information Security

Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received a MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.
