The makers of point security products may have a struggle on their hands over the next few years: Three-quarters of businesses — 75% — are planning to reduce the number of security vendors on which they rely, up from 29% in 2020, according to a survey conducted by business-intelligence firm Gartner and published this week.
The massive surge in interest in vendor reduction is not driven by cost savings, but a focus on making security more manageable and effective, according to Gartner’s 418-person survey. Of the companies pursuing or planning to pursue security vendor consolidation, two-thirds — 65% — stated that improving risk posture is the primary goals, while less than 30% expected that spending on products and licensing would be reduced, the analyst firm found.
The trend could fuel another round of consolidation among vendors in the industry, says John Watts, vice president analyst at Gartner.
“Gartner believes that security and risk management leasers are dissatisfied with their current operational inefficiencies and lack of integration of their existing heterogeneous security stacks,” Watts says. “Many organizations are seeking more efficient and integrated solutions rather than point security products.”
Consolidation of security vendors and products is a trend that has been building. In July, a survey conducted by the Information Systems Security Association and the Enterprise Strategy Group found that 46% of companies had begun consolidating, or were planning to consolidate, the number of security vendors.
In its 2020 CISO Benchmark Study, Cisco found that 86% of companies had 20 or fewer vendors, up from 79% two years earlier. In addition, more than a quarter of firms — 28% — thought that managing security in a multi-vendor environment had become very challenging, and another 53% considered the state of affairs to be somewhat challenging, according to Cisco’s report.
“Most organizations are now in the ‘finding it challenging’ categories,” Cisco stated in the report. “This might mean that you have fewer vendors to manage or that you have started to use tools, such as analytics engines, to improve results from multiple, disparate tools.”
Two years later, Gartner’s survey suggests that companies have consolidated even more, with 57% of companies having 9 or fewer vendors for their security products and services, Gartner said in its announcement of the survey results.
Many companies are aiming to consolidate vendors with new contracts as they move to zero-trust technologies, such as secure access service edge (SASE) and extended detection and response (XDR). More than half of all organizations — 57% — claimed to be able to resolve security threats more quickly after implementing an XDR strategy, Gartner stated. Similarly, SASE projects help simplify network and security policy management, the analyst firm stated.
“Security and risk management leaders must consider XDR and SASE as compelling options to start their consolidation journey,” Dionisio Zumerle, vice president analyst at Gartner, stated in the survey announcement. “SASE provides secure enterprise access, while XDR focuses on detecting and responding to threats through increased visibility on networks, cloud, endpoints and other components.”
While a minority of organizations are looking to consolidate to reduce costs, they will have to be willing to give up some features and shrink the number of products and licenses — or renegotiate their contracts, Gartner stated.
The cybersecurity industry has already started consolidating as vendors look to satisfy the demands of easier and more efficient security processes. In July, Google bought cybersecurity services firm Mandiant, beefing up its portfolio in its competition with other major cloud providers, such as Microsoft and Amazon.
The endpoint security market has already undergone significant consolidation, with VMware acquiring Carbon Black, HP hopping on the bandwagon with Bromium, BlackBerry cornering Cylance, and Thoma Bravo snapping up Sophos.
Companies that have not successfully consolidated vendors cite both time constraints and too-strict vendor agreements as the cause of failure, the firm said.
“Security and IT leaders should plan at least two years for consolidation as it takes time to effectively consolidate and consider incumbent vendor switching costs,” Watts said in a statement announcing the results of the survey. “It is also important to anticipate vendor M&A disruption as the security market is always consolidating but never consolidated.”