Hello... Is there anybody out there?
Purchasing cybersecurity products and services can be overwhelming. There are too many options, too many threats, and the environments are too complex. This often leads to long decision timelines and less-than-ideal results. After working with our customers for over 15 years on these types of decisions, it reminds me of the Pink Floyd song “Comfortably Numb.” The feeling of delirium described in the song is not too dissimilar to the feeling many of us get when researching and selecting technical security controls.
In this blog, we will examine the inefficiencies in the business model at the center of cybersecurity procurement activities that have led to this situation. With this understanding, we can begin to address the real issues that have hindered our ability to transform this process to meet the needs of a modern security organization.
This blog also serves as an introduction to our Peer-Sourced Decision Analysis approach, which enables security organizations to speed up the solution analysis and vetting process by 80%+ while making better decisions. It may sound impossible, but let’s start from the beginning.
So how did we end up here?
To figure out how we got here, we need to look back about 14 years when IT security was mostly an insurance program reluctantly adopted by the Information Technology (IT) organization. At the time, there were very few solutions available (compared to today) and the threat landscape was immature and not professionally organized.
As a reference, the first data breach of credit cards happened between 2005 and 2007. In this much simpler world, industry participants like Value Added Resellers (VARs), Security Integrators (SIs), and analysts (like Gartner) provided their customers with high-value information and integration services to help them decide on the best solutions to deploy. With a limited number of solutions provided by mostly larger security manufacturers, the system worked well and filled a gap in the market.
Now, fast forward to today. Over the past decade or so, we’ve seen a massive increase in cyber-attacks coming from highly sophisticated threat actors targeting a broader set of organizations. This has resulted in a radical change in the market.
Most organizations now have a dedicated security team as breaches have escalated in both intensity and cost. Innovation by existing and new IT security vendors and service providers is skyrocketing to meet the new demands. The government has made cyber a fifth warfare domain and we see endless references to cybersecurity in popular TV shows and movies. It may sound like job security and an opportunity to be the “cool person” at the party… But, not so fast.
The catch is that the need for IT security experts has far outpaced the available resources in the market. Leading analysts estimate a shortage of at least 30%, meaning that security professionals are overworked and stretched thin – so forget having time to go to those parties.
The solution reselling model is broken
In stark contrast to all of these changes in the market, is the lack of changes in the services associated with reselling security solutions. Effectively, there’s been little to no innovation of the “business model” that sits at the center of these activities, which has greatly impacted our ability to digitally transform these processes.
The root of the problem lies in unrealistic expectations between buyers and sellers, which stem from the traditional approach to delivering and consuming these services. On one side there are the customers, who expect their partners to provide expert advice, delivered from a client centric perspective, on the solutions they resell. On the other side, there are VARs and integrators that would provide that expert advice at “no cost” with the expectation that their customers would buy the solution from them so they could recoup that investment.
This relationship worked well in the early days of the cybersecurity market, but as the industry has grown, VARs and integrators have struggled to find or afford the resources they need to keep up with the accelerating demands of their clients. To compensate, they adopted a more vendor-centric model, leveraging the expertise of their vendor partners to make up for their skills gap. But, as customers became aware of this approach, they lost trust in their partners and started seeking advice from multiple companies, which commoditized margins and further disincentivizing partners from making the necessary investments to enhance their services.
Vendors too changed their behavior by creating deal registration programs that favor VARs and integrators who brought them into an engagement first, rather than for the ones that provided the most value to their customers. As innovation spiked, this approach incited a solutions “arms race” fueled by marketing hype and VC investments that added an additional layer of confusion.
The impact on end-users
The result of these changes has unintentionally created a misalignment between the goals of customers, partners, and vendors, leading to a perception of solution reselling as a low-value service. This shift has caused VARs and integrators to refocus their attention on other services, leaving solution recommendations to be dumbed down to a “best efforts” activity, which is where it stands today.
Additionally, 3rd party analysts and peer review sites that produce reports about security products provide very little value for most companies. After all, the process of security integration needs to account for customer-specific interests, such as the maturity of their operations, critical system integrations, compliance requirements, budgets, and even their culture. Reading a paper about an analyst’s perceptions of the best technologies is a narrow and myopic view that has little to do with a reader’s actual considerations.
Due to this, customers have taken ownership of the solution analysis process, as they don’t trust other sources. As cybersecurity risk management continues to increase in complexity, so does the importance of having a strong methodology for doing these activities. To help alleviate this burden, security leaders have turned to third-party validation and specifically peer feedback as the number one way to accelerate their analysis and reduce their decision risk.
For the IT security teams supporting these activities, this means more work, late nights, tons of research material to scrutinize, and delirious thoughts as they sift through marketing messaging and industry hype. Which brings me back to Roger Waters’ famous line “Hello… is there anybody out there?”
A new solution is needed
The answer is “YES”, we have been listening! For the past six years we have been working hard at innovating an approach that not only meets he need of a modern security organization, but focuses on the metrics these teams value most – peer data.
Our Peer-Sourced Decision Analysis approach leverages data science to normalize the way your peers have made similar decisions, creating a best practices analysis framework that enables companies to engage project immediately. Over the past 18 months we have measured the ability to reduce the workload on our customers by over 80%, while providing much better results.
What could that do for your organization?
To learn more, visit our solution page on this topic at: https://latussolutions.com/connect/
Also check out our blog that goes into the drivers that make our Peer-sourced Decision Analysis (PsDA) a game changer for security leaders: https://blog.latussolutions.com/what-is-peer-sourced-decision-analysis-and-why-is-it-important-2/