Bye-bye best-of-breed?

When I started working in cybersecurity 20 years ago, there were a few rock-solid security technology principles treated as gospel.  One of those was the insistence on best-of-breed security technologies.  Those of you working in security in the early 2000s may remember installing independent firewall and antivirus software on every endpoint. 

Best-of-breed technologies were then combined as part of another time-honored principle—defense-in-depth.  In theory, best-of-breed technologies would complement one another for incremental security protection.

During the intervening years, the best-of-breed mentality was imbued within cybersecurity culture, while individuals and groups closely protected their preferred technologies.  Your organization was a McAfee or Symantec shop and used Check Point, Cisco, or Fortinet firewalls.  Security “server huggers” saw any suggestion of change as blasphemy. 

While best-of-breed security may have had some security benefits back in the day, the operational overhead was costly.  Each technology needed its own training, configuration administration, and support, and they really didn’t work together well. 

This was tolerable in the early 2000s, but as organizations added new security technologies and IT infrastructure distributed and scaled, best-of-breed operations overhead became a real problem.

Signs of change

It now appears that best-of-breed is loosening its grip on the hearts and minds of security professionals.  New research from ESG and the Information Systems Security Association (ISSA) indicates that organizations are moving toward product integration and multi-product security “platforms” and away from best-of-breed strategies.  For example:

• While 24% of security professionals say that their organizations still tend to purchase best-of-breed products, 38% say their organization now tends to buy integrated security platforms rather than best-of-breed products, while another 15% say that their organization is switching from best-of-breed products to integrated security suites.
• 86% of security professionals say it is either critical or important that best-of-breed products are built for integration with other products.
• After cost (46%), product integration capabilities is the most important security product consideration for 37% of the security professionals we surveyed.

As organizations move from best-of-breed to product integration and multi-product suites, they will naturally consolidate the number of vendors they do business with.  According to our research, 21% of organizations are already consolidating security vendors, while another 25% are considering vendor consolidation. The old assumption was that organizations would have to compromise on product efficacy in exchange for integration, but it’s clear that CISOs and procurement managers will increasingly demand both.  As one CISO told me, “Integration and interoperability are the new best-of-breed.”

4 changes to watch for

What does this change mean for the security technology industry?  As best-of-breed point tools give way to integrated suites, I expect:

1. Security technology platformization. This year’s RSA conference was highlighted with industry ga-ga around cloud native application protection platforms (CNAPP); security observability, prioritization, and validation (SOPV) platforms; eXtended detection and response (XDR) platforms, and zero trust.  Confusing?  Get ready as this is just the beginning.  We’ll see even more security platforms in the future – even more hybrid IT infrastructure/security platforms like secure access service edge (SASE).
2. A push for open standards. No one vendor can offer every necessary security technology.  And even if they did, security technology server huggers will resist giving up their chosen best-of-breed binkies at all costs.  I’m hopeful for a ‘cake and eat it too’ compromise as large organizations demand more industry cooperation and open standards.  What kind of standards?  Log formats, APIs, transport protocols, scripting languages, etc.  Leading security vendors have ignored standards efforts in the past but may be changing their tune.  Open standards would make it easier for them to integrate acquired technologies or grab the lion’s share of security budgets without alienating the server hugger population.
3. Startups will balance functionality with integration. Yes, there will still be a need for best-of-breed point tools here and there, but their lifespan will be abbreviated, and opportunities will be limited.  Unless startups have strategic plans to develop security platforms, they will need to build their tools with integration and interoperability in mind.  This may encourage VCs to jump on the open standards bandwagon.
4. The value of individual product evaluations and tests will marginalize. As the old saying goes, ‘the cybersecurity chain is only as strong as its weakest link.’  As organizations embrace platforms and integrated solutions, they will need to evaluate the whole enchilada, not the individual ingredients.  This is good news for breach and attack simulation technology that can emulate a cyber-adversary’s tactics, techniques, and procedures to validate security platform efficacy.  It may be bad news, however, for my fellow analysts who make boatloads of money selling product-focused waves and magic quadrants.  

As always, I’ll be watching carefully as things develop.  What’s your opinion?  Let me know!