Information security professionals working at enterprise organizations want to work with vendors that have experience with business/IT initiatives and industry knowledge.

Recently, ESG completed its second annual enterprise-class cybersecurity vendor research. The story behind this project goes something like this: Enterprise organizations (i.e., those with 1,000 employees or more) have too many point tools and are now engaged in projects to integrate security technologies while eliminating some tools and vendors along the way. (Note: I am an employee of ESG.)

This sets up a security market where enterprises buy more products from fewer vendors, and this will have a big market impact – fewer transactions, more large deals, longer sales cycles, increased CISO oversight over procurement, intense competition, etc.

I realize that this is antithetical to the way the security industry has always worked in the past, when large organizations bought best-of-breed technologies for every layer of a defense-in-depth architecture. The data indicates that this historical mindset is changing, however – 62% of survey respondents say that their organization would now consider buying a majority of its security technologies (as well as managed security services) from a single enterprise-class cybersecurity vendor.

OK, so what qualifications are necessary to be considered an “enterprise-class” cybersecurity vendor? ESG asked respondents this very question, and the top two responses are extremely interesting to me:

34% of respondents say the most important attribute is a cybersecurity product and services portfolio that aligns with strategic IT initiatives. In other words, CISOs want to work with vendors with hands-on and deep cybersecurity knowledge of digital transformation, IoT applications, mobile applications, DevOps, etc.

27% of respondents say the most important attribute is cybersecurity expertise specific to my organization’s industry.
I’m particularly happy about this data point as it supports my thesis that cybersecurity is becoming a vertical application, driven by industry-specific IoT devices/applications, business processes, risks, regulations, etc.

The rest of the list consists of enterprise “motherhood and apple pie” attributes – enterprise-class cybersecurity vendors must offer broad portfolios of products and services, provide world-class threat intelligence, provide product scalability, manageability, and integration, etc.

What it takes to be an enterprise-class cybersecurity vendor

We are at the beginning of the “platform wars” where security vendors compete for a much larger part of enterprise spending. This means a few vendors will break from the pack – we’ll see one or more $5 billion enterprise cybersecurity vendors within the next few years. To get there, however, cybersecurity vendors will need to change their stripes a bit as follows:

Vendors will need extensive business/IT chops, not just security acumen. Furthermore, cybersecurity vendors must move beyond horizontal security technologies and gain a deep understanding of risks associated with vertical business processes. To get there, security vendors will have to invest in business/IT training, industry marketing, recruiting industry experts, reorganizing their sales forces and channels, etc.

Most security vendors have a transactional sales model today that is based upon what users are buying at the time. This month, it is a web security subscription renewal; next month, it’s cloud workload security purchased by a different group with a different budget. As organizations seek out enterprise-class distributed security solutions, vendors must establish a sales model built for long sales cycles, engineering support, and lots of customer handholding.
Think Oracle and SAP rather than traditional McAfee and Symantec.

Similarly, sales strategies must continue to target technical buyers but should also be geared toward CISO communications, value propositions, and requirements. Once again, few security vendors know what CISOs do daily – let alone know how to communicate at a security executive level.

Enterprise CISOs have a tough job, as things are changing quickly and the old ways of doing things are no longer adequate. This is changing what technologies they need and whom they will buy them from. Vendors that navigate through this transition will be rewarded handsomely, while stragglers will be left behind. This means the enterprise cybersecurity market is in play like never before.