Collectively, these forces have major implications for the security technology marketplace. Already, we’re seeing some ‘old guard’ technology vendors being overcome by newer, more agile vendors. In addition, security technology vendors are scrambling to build out their security product portfolios through strategic acquisitions.
Don’t create a monster
Over the years, I’ve seen large security companies put together “Franken-mergers” that never worked well. These ill-fated combinations often hampered execution and killed customer satisfaction. Unfortunately, some of these organizations have earned reputations as “places good products go to die.” These companies didn’t grasp that technology fit alone isn’t sufficient – an effective merger must also blend people, culture, and go-to-market capabilities in a sustainable way or the merger will fail. In these scenarios, it’s ultimately the customers who suffer.
Another problem is that some of these deals are driven by emotions and hype, rather than business value and a sustainable business plan.
Many CISOs recognize that mergers can bring instability and increase risk, so they are consciously diversifying their vendor portfolios to avoid relying on a single vendor. This approach is accelerating due to the complexity of today’s threat environment, which continues to change so quickly it can’t be effectively addressed by a single vendor.
I’ve worked with a number of forward-thinking CISOs and they have a few things in common. First, they deliberately connect security to their business goals and metrics, and this in turn makes it easier to get recognition for the value information security provides to the organization and get their non-technical peers on board with what they are doing.
Second, rather than looking for “silver bullet” security tools, these CISOs determine a composite set of capabilities required to defend their organizations. Understanding those capabilities makes it easier to objectively evaluate the onslaught of new options available.
Third, these CISOs diversify their own technology portfolios to build a “defense in depth” security model to minimize single points of failure. This has the additional benefit of making it easier to adjust their security strategy as the threat landscape changes.
Finally, these CISOs evaluate the capabilities of their organization to ensure they address any skills gaps, lean on outside expertise as necessary, and fully understand how any new technology will fit with their existing technology set.
All of that makes sense, right? If you take a step back, you’ll notice that security companies would benefit from asking the same questions before they rush out and buy another technology company.
You’re not done just when the deal is done
Once the acquisition is made, the real work begins. How will the new product addition add value without causing distractions or creating a bunch of thrash? Technology product companies have a tendency to create a bunch of new data and alerts that might very well overwhelm an enterprise’s ability to consume the data.
The current tendency is to lump this problem in with “big data” and “security intelligence” solutions, which doesn’t necessarily solve the problem. The challenge for all vendors is that of prioritization and discrimination, and this problem becomes particularly acute for security vendors with a large portfolio of solutions.