The transition toward enterprise-class cybersecurity vendors

Information security professionals working at enterprise organizations want to work with vendors that have experience with business/IT initiatives and industry knowledge.

Recently, ESG completed its second annual enterprise-class cybersecurity vendor research. The story behind this project goes something like this: Enterprise organizations (i.e. those with 1,000 employees or more) have too many point tools and are now engaged in projects to integrate security technologies while eliminating some tools and vendors along the way. (Note: I am an employee of ESG.)

This sets up a security market where enterprises buy more products from fewer vendors, and this will have a big market impact – fewer transactions, more large deals, longer sales cycles, increased CISO oversight over procurement, intense competition, etc. 

I realize that this is antithetical to the way the security industry has always worked in the past, when large organizations bought best-of-breed technologies for every layer of a defense-in-depth architecture. The data indicates that this historical mindset is changing, however – 62% of survey respondents say that their organization would now consider buying a majority of its security technologies (as well as managed security services) from a single enterprise-class cybersecurity vendor.

OK, so what qualifications are necessary to be considered an “enterprise-class” cybersecurity vendor? ESG asked respondents this very question and the top two responses are extremely interesting to me:

  • 34% of respondents say the most important attribute is a cybersecurity product and services portfolio that aligns with strategic IT initiatives. In other words, CISOs want to work with vendors with hands-on and deep cybersecurity knowledge of digital transformation, IoT applications, mobile applications, DevOps, etc. 
  • 27% of respondents say the most important attribute is cybersecurity expertise specific to my organization’s industry. I’m particularly happy about this data point as it supports my thesis that cybersecurity is becoming a vertical application, driven by industry-specific IoT devices/applications, business processes, risks, regulations, etc. 

The rest of the list consists of enterprise “motherhood and apple pie” attributes – enterprise-class cybersecurity vendors must offer broad portfolios of products and services, provide world-class threat intelligence, provide product scalability, manageability, and integration, etc.

What it takes to be an enterprise-class cybersecurity vendor

We are at the beginning of the “platform wars” where security vendors compete for a much larger part of enterprise spending. This means a few vendors will break from the pack – we’ll see one or more $5 billion enterprise cybersecurity vendors within the next few years. To get there, however, cybersecurity vendors will need to change their stripes a bit as follows:

  • Vendors will need extensive business/IT chops, not just security acumen. Furthermore, cybersecurity vendors must move beyond horizontal security technologies and gain a deep understanding of risks associated with vertical business processes. To get there, security vendors will have to invest in business/IT training, industry marketing, recruiting industry experts, reorganizing their sales forces and channels, etc.
  • Most security vendors have a transactional sales model today that is based upon what users are buying at the time. This month, it is a web security subscription renewal; next month, it's cloud workload security purchased by a different group with a different budget. As organizations seek out enterprise-class distributed security solutions, vendors must establish a sales model built for long sales cycles, engineering support, and lots of customer handholding. Think Oracle and SAP rather than traditional McAfee and Symantec.
  • Similarly, sales strategies must continue to target technical buyers but should also be geared toward CISO communications, value propositions, and requirements. Once again, few security vendors know what CISOs do daily – let alone know how to communicate at a security executive level.

Enterprise CISOs have a tough job, as things are changing quickly and the old ways of doing things are no longer adequate. This is changing what technologies they need and whom they will buy them from. Vendors that navigate through this transition will be rewarded handsomely, while stragglers will be left behind. This means the enterprise cybersecurity market is in play like never before. 
