6 Tips for a Successful Security Vendor Consolidation
In the past, organizations didn’t give much thought to security vendor consolidation. With the threat landscape continually expanding, and new cyberthreats emerging every day, company leaders typically wouldn’t bat an eye at bringing on a wide range of security suppliers.
However, recent economic conditions and a growing desire to reduce internal management workloads have put cybersecurity suppliers high on the list for potential consolidation.
A majority of organizations are considering security vendor consolidation
A 2022 Gartner survey reported that 75% of organizations will pursue security vendor consolidation over the next few years in an attempt to improve their security posture. So if your organization is currently working to downsize its cybersecurity vendor pool, you’re in the majority.
For some security pros, a consolidation strategy is an efficient solution for improving relationships with key suppliers, increasing cost savings, and streamlining the administrative work needed to govern multiple contracts. Other CISOs see it as a watering down of a carefully curated pool of innovative vendors, with their organizations settling for a maybe-not-even-good-enough solution just to cut costs.
The reality is that both of these outcomes are possible — but by making careful considerations, you can reap the benefits of streamlining your security operations and working with fewer vendors without creating new security risks.
The 6 steps to successful consolidation
Here are six steps to take if your organization is considering cybersecurity vendor consolidation:
- Evaluate your spend categories to identify vendor overlap
- Get an outside perspective on your vendors’ capabilities
- Map your vendors’ capabilities to find where you can safely cut
- Assess your vendors’ abilities to be long-term partners
- Consider what your vendors offer beyond technology
- Weigh your consolidated list of vendors against other risks
1. Evaluate your spend categories to identify vendor overlap
Take a look at your entire security stack and identify vendors in categories like web application and API protection (WAAP), web application firewall (WAF), bot management, API security, extended detection and response (XDR), client-side protection, vulnerability management, and incident response. Are there any overlaps?
Since vendors often offer multiple security products, you’ll likely find redundancies. For example, you might find you have a bot management solution on contract with two different vendors, but only use one of these solutions.
A thorough spend evaluation will give you a sense of where you can cut redundancies without expanding your overall risk. Plus, you’ll gain visibility into which vendors you only use for one offering.
2. Get an outside perspective on your vendors’ capabilities
You may have plenty of vendors, but are they the best at what they do? Are certain vendors great in one area but weak in others? Which ones are bringing the greatest value to your organization, and which are not pulling their weight?
Reading security analyst reports is a quick way to get a broad overview, but you might also consider using a consultant, analyst, or trusted third-party service provider to gain more granular insights.
Keep an open mind while researching, since your findings may surprise you. For example, it’s easy for start-ups to say they’re the only innovators out there, but you’ll often find that bigger players have more resources to innovate. The story you uncover may be different from what you expected.
3. Map your vendors’ capabilities to find where you can safely cut
Create a capabilities map by plotting your current vendors’ strengths and weaknesses.
For instance, perhaps you can replace a cloud security point player with an equally good (or better) cloud security capability from a broader vendor without compromising your security needs.
When evaluating vendors’ capabilities and inefficiencies, don’t forget to think holistically and include services like customer support — this way, you don’t sacrifice quality in your consolidation efforts.
4. Assess your vendors’ abilities to be long-term partners
Now that your capabilities map is completed, research your preferred vendors’ finances, client management quality, and technology roadmaps. Are they financially stable? Do you like working with them, and are they responsive to your needs? Are they committed to the security category you’re using them for now? What are their plans to expand into other areas you need?
Any vendor can look good at one point in time (often, when you first buy their solution), but it’s important to seek out fruitful long-term partnerships. Ensuring that your chosen vendors will be with you for the long term is a good way to reduce the cost and resource drain of switching vendors when one no longer fits your goals.
5. Consider what your vendors offer beyond technology
When evaluating a specific vendor, ask questions like: Are their services as good as their products? How is their security team? Have they been able to help when we have trouble or escalations? Can they support us in every geography where we operate? Do they offer managed services and professional services? Do they deliver work directly, or do they use subcontractors often? Do they offer executive briefings to discuss trends and industry direction?
Pure technology will only take a relationship so far, so considering overall value is important.
6. Weigh your consolidated list of vendors against other risks
Before you begin to reduce your number of vendors, remember: It's possible to consolidate too much, and working with just a single vendor can be a liability.
If you over-consolidate your security stack, you may run into a problem called concentration risk. This occurs when you become so dependent on one vendor that you’re essentially forced to accept price increases, maintenance fees, or bad service simply because you can’t replace the vendor easily.
Keep in mind that your goal should be narrowing down to a strategic set of cybersecurity vendors, not just one or two behemoths.
Paving the way for productive partnerships
Before you begin to consolidate security vendors, it’s important to seek the counsel of your sourcing/vendor management and legal teams. Together, you can work through these six considerations to launch a structured, strategic process.
When done right, security vendor consolidation can lead to true optimization of your security tools and result in:
- Lower total cost of ownership for your security solutions
- Less time spent managing vendors and integrating solutions
- A better risk posture as you minimize inefficiencies and close any gaps among security technologies
Bundle best-in-class solutions with Akamai
If you’re looking to consolidate, consider adopting a comprehensive ecosystem of solutions. Akamai, the leader in application security, bundles best-of-breed security solutions with seamless interoperability across your attack surface — protecting your digital presence and your bottom line.