There is a staggering array of cybersecurity vendors available in the market today. As with all security controls and tools, CISOs should evaluate whether they need each vendor they use currently, and may use in the future.
In some cases, these evaluations lead to vendor consolidation: the process of strategically reducing the number of vendors in use for operational and strategic benefits, financial advantages and security improvements.
Let's look at the benefits and challenges of security vendor consolidation and explore how CISOs can evaluate their vendor portfolio.
Keep in mind that the “right” number and types of vendors for cybersecurity products and services are subjective. What works for one company might not for another. CISOs should weigh the factors covered below when deciding on the balance that works for their organization.
Benefits and challenges of security vendor consolidation
Forty percent of organizations have already begun to consolidate their cybersecurity tools and vendors and an additional 21% are planning on it, according to the “2025 Fortra State of Cybersecurity Survey Results.”
Benefits of security vendor consolidation include the following:
- Operational benefits. For example, reduced management complexity, easier learning curve with fewer tools, improved efficiency and simplified vendor support.
- Strategic benefits. Such as stronger vendor relationships with less time spent negotiating contracts, services and overall cost, and simplified compliance.
- Financial advantages. For example, minimized licensing fees and decreased maintenance costs. Eliminating tool sprawl and shelfware (tools being paid for that aren't being used) also saves money in already tight cybersecurity budgets.
- Security improvements. Including improved visibility, streamlined threat management and improved control over the entire attack surface.
Security vendor consolidation isn't without challenges, however. Roadblocks include risk of vendor lock-in, introducing single points of failure, creating security coverage gaps, management complexity and staff training challenges.
How to begin security vendor consolidation
Reducing tool and vendor sprawl is a daunting task. To lay the groundwork for consolidation, CISOs and their teams should consider the following:
- Evaluate the company's needs for cybersecurity tools, features and services and align vendors and service providers with those needs.
- Review and consolidate current and new vendors, particularly as market consolidation and vendor feature growth bring new features and capabilities into play.
- Prepare for acquisitions, business failures and other vendor changes in current contracts to minimize potential risk.
- Anticipate common vendor challenges and inevitable issues that may arise during contract timeframes.
To start security vendor consolidation, CISOs and their teams should do the following:
- Develop a thorough vendor inventory. List all the cybersecurity vendors in use at the organization.
- Build a capabilities matrix. List required features and functionality, as well as any non-negotiables.
- Identify vendor and product overlaps. Document significant overlap in products and services.
- List new needs. Identify any missing tools, services and capabilities.
- Assess vendor relationships. Consider which vendors are easier to work with than others. For any problematic relationships, ask if the partnership is worth continuing.
After discussing these criteria, CISOs and their teams should research and document each vendor's costs, reputation, support, features and capabilities, and contracts.
Costs
Vendor tools and services should be as cost-effective as possible. When renewing products or introducing new options with existing contracts, be prepared for price hikes, licensing changes, costs out of line with other leading services, hidden costs and unanticipated service charges.
Vendor reputation
A vendor's reputation might change for many reasons, including poor online reviews or social media feedback, cultural issues, breaches and security incidents, acquisitions and mergers, major or continuous vulnerability announcements, or financial woes.
Vendor support
When evaluating vendors, CISOs need to define their support expectations early in negotiations. Measure service-level agreements and expectations with current vendors to see whether this is a problem area, and document both positive and negative support experiences. Note sudden changes in support policy or fulfillment, as well. For cybersecurity platforms and products, it's important that support is timely and knowledgeable.
Features and capabilities
While evaluating controls and comparing functionality is important, it's also integral to focus on the vendor commitment aspect. Hold smaller vendors and startups to roadmap commitments contractually, and if a contract was negotiated based on promises of a feature, put hard dates and expectations in place within contracts.
Contracts
Negotiating contracts and working with procurement teams are focus areas of vendor evaluation today. One consideration is contract length. Shorter contracts are less risky but usually cost more. At the same time, CISOs can usually negotiate a lower yearly cost, but this can lock them into a long term with a potentially unsatisfying relationship.
For smaller, lesser-known vendors, it's best to opt for shorter contracts. Longer contracts might be offset by negotiating termination clauses that outline performance issues or other negatives in the relationship, but this is highly dependent on what the vendor does. To that end, carefully consider performance expectations as thoroughly as possible before signing new vendors.
Dave Shackleford is founder and principal consultant at Voodoo Security, as well as a SANS analyst, instructor and course author, and GIAC technical director.