A common trend among CISOs is to look at the number of tools a security team has at its disposal and conclude that consolidation is needed. Sometimes that observation is completely correct, but not always.

Gartner are masters of listening to and understanding the concerns of senior executives, and then encapsulating them in a new marketing term. They coin new buzzwords for the industry and generate whole new markets overnight. Security vendors then jostle for the leader position on the Gartner “Magic Quadrant” for that new term. One example of this is Cloud-Native Application Protection Platform (CNAPP), an all-in-one platform to prevent, detect, and respond to cloud security threats.

On the surface it’s difficult to see a problem: Gartner listens to our senior leaders and acts on our behalf to essentially dictate the future roadmaps for security vendors. The problem is that the natural evolution of these platforms is bypassed in favour of competing for status. Some of the largest security platforms are now a Frankenstein of acquisitions made to fill the gaps in their offering so that it aligns with the latest buzzwords. In the same way, vendors are saturating the market with AI solutions to problems nobody asked for.

Which leaves me questioning whether, when it comes to these more generic terms for monolithic platforms, such as CNAPP or Secure Access Service Edge (SASE), we are really getting a better deal.

The disconnect between customer and vendor

You may have noticed that Gartner are not interacting with the Security Engineers, Security Operations Center (SOC) Analysts, Governance, Risk, and Compliance (GRC) Specialists, or Software Engineers - they’re often relying on second-hand insights from senior executives. After all, executives are the ones who purchase the software licenses.

A business that has evolved over time, and possibly has had its own acquisitions along the way, will often have multiple tools for the same task. This is prevalent across every department of the business, and security is no different.

Consolidation of specialist security tools that do the same thing, such as multiple like-for-like SAST scanners, is a sensible approach. It will save the business money, time, and resources, while facilitating a leaner business model.

Where this becomes a problem is when a new Gartner term gathers many distinct tools under an umbrella, and consolidation into a single security platform becomes the goal. Often what we end up with is a platform that does everything we want, but does it badly.

Gartner have made themselves a gatekeeper of innovation within the security industry, by playing both sides with the security platforms and the senior executives. We’re in a weird situation where both sides feel they need Gartner, but in reality they could probably do better by simply talking to each other directly.

The problem with one size fits all platforms

Amazon Web Services (AWS) have over 130,000 employees worldwide, and they have some of the best public cloud services available on the market, but they also have some terrible ones. If the biggest public cloud provider in the world, with the headcount of a small European city, can’t get it right with competing priorities, how do you expect the all-encompassing security platforms to do any better?

There are many specialist tools on the market, and the trend with a lot of them is to grow into other areas. That is understandable; they are businesses after all. If you are looking to consolidate, take the time to really explore a platform like this and confirm you are getting the same level of quality in each area. One-to-one comparisons are far easier than many-to-many, and what suits your situation now might not suit it in the future. Make sure you are not trapped by vendor lock-in, and carry out extensive testing during a trial period to confirm it is a good investment.

Alternative models for consolidation

I’ve painted a bleak picture of comprehensive security platforms, but they’re not all bad. You need to understand which tools complement each other well and therefore make sense to consolidate into a single platform.

Let’s take a look at a popular term that is used for a platform consisting of many security tools, and how we can break this down into a more suitable approach.

An example of a potentially bad combination is CNAPP, which covers code, cloud, and runtime. Each of these would be a substantial platform in its own right; combined, the platform is likely doing too much, and quality will suffer. You might find that bloated platforms have a polished UI and good branding, but when it comes to using the specific tool you actually require, they fail the litmus test.

There are alternative approaches for those looking for consolidation, but want to get the best out of their tools. You could find a suitable Application Security Posture Management (ASPM) platform for use by your developers, a suitable Cloud Security Posture Management (CSPM) platform for your systems administrators or DevOps teams, and a robust Security Orchestration, Automation, and Response (SOAR) platform for the SOC team.

These three platforms, chosen correctly, will likely provide more value than a generic CNAPP tool that is trying to do too much.

The ASPM tool will allow the software engineers in their product teams to manage the security posture of the services they build, across the full software development lifecycle.

A CSPM tool will facilitate the discovery and remediation of misconfigurations and weak spots in your cloud environments, which can be managed and monitored by systems administrators as well as the product teams.

The SOAR platform will enrich security findings with observability data to provide contextualised alerts to the SOC team, which lets the SOC remediate issues without relying on the DevOps team or other internal teams.
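To make “enrichment” concrete, here is an added example that is not part of the original post and not code from any of the platforms mentioned. It takes three findings that a CSPM might emit with identical vendor severity, joins each against an asset inventory (owner, environment, data classification) and an observability signal (external requests in the last 24 hours), and produces alerts with a priority and a team to route to. The inventory, request counts, finding format and team names are all constructed for the example; the point is that the same raw finding ends up in three different places once context is applied.

```python
"""Added example, not code from the original post or from any vendor platform.

A minimal SOAR-style enrichment step: raw CSPM findings are joined against
an asset inventory (owner, environment, data classification) and an
observability signal (external requests in the last 24h), producing
alerts with a priority and a team to route to. All data, field names and
team names below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed asset inventory, as a CMDB or cloud tagging source might provide.
ASSET_INVENTORY = {
    "arn:aws:s3:::payments-exports": {"owner": "payments-team", "env": "prod", "data_class": "pii"},
    "arn:aws:s3:::ml-sandbox-scratch": {"owner": "data-science", "env": "dev", "data_class": "internal"},
}

# Constructed observability signal: requests from outside the corporate
# network in the last 24 hours, per resource.
EXTERNAL_REQUESTS_24H = {
    "arn:aws:s3:::payments-exports": 1432,
    "arn:aws:s3:::ml-sandbox-scratch": 0,
}

# Constructed raw findings in the shape a CSPM might export. The vendor
# severity is "high" for all three; the tool alone cannot tell them apart.
RAW_FINDINGS = [
    {"id": "f-001", "rule": "s3-bucket-public-read", "resource": "arn:aws:s3:::payments-exports", "severity": "high"},
    {"id": "f-002", "rule": "s3-bucket-public-read", "resource": "arn:aws:s3:::ml-sandbox-scratch", "severity": "high"},
    {"id": "f-003", "rule": "s3-bucket-public-read", "resource": "arn:aws:s3:::unknown-bucket", "severity": "high"},
]

PRIORITY_ORDER = ["P1", "P2", "P3", "P4"]  # P1 is the most urgent


@dataclass
class Alert:
    finding_id: str
    rule: str
    resource: str
    priority: str
    route_to: str
    context: dict = field(default_factory=dict)


def raise_priority(priority: str) -> str:
    """Move one step up the scale, e.g. P3 -> P2; P1 stays P1."""
    idx = PRIORITY_ORDER.index(priority)
    return PRIORITY_ORDER[max(idx - 1, 0)]


def enrich(finding: dict) -> Alert:
    """Turn one raw finding into a contextualised alert."""
    resource = finding["resource"]
    asset = ASSET_INVENTORY.get(resource)
    external = EXTERNAL_REQUESTS_24H.get(resource, 0)
    context = {"vendor_severity": finding["severity"], "external_requests_24h": external}

    if asset is None:
        # A resource nobody has claimed is itself a problem: do not quietly
        # downgrade it, send it to whoever owns the inventory gap.
        context["reason"] = "resource not in asset inventory"
        return Alert(finding["id"], finding["rule"], resource, "P2", "cloud-platform", context)

    if asset["env"] == "prod" and asset["data_class"] == "pii":
        priority = "P1"
    elif asset["env"] == "prod":
        priority = "P2"
    else:
        priority = "P3"

    if external > 0:
        # Live external traffic means the exposure is being used, not merely
        # possible. Bump the priority one step.
        priority = raise_priority(priority)
        context["reason"] = "public resource with live external traffic"

    context.update(asset)
    return Alert(finding["id"], finding["rule"], resource, priority, asset["owner"], context)


def triage(findings: list) -> list:
    """Enrich every finding and order the result, most urgent first."""
    alerts = [enrich(f) for f in findings]
    return sorted(alerts, key=lambda a: PRIORITY_ORDER.index(a.priority))


if __name__ == "__main__":
    for alert in triage(RAW_FINDINGS):
        print(f"{alert.priority} {alert.finding_id} -> {alert.route_to}: {alert.rule} on {alert.resource}")
```

Run stand-alone, the three “high” findings come out as a P1 for the payments team (production, PII, live external traffic), a P2 routed to the platform team because the bucket is not in the inventory at all, and a P3 for a dev sandbox. The unknown-resource branch is deliberate: an alert on something no team owns is a gap in the inventory, and silently dropping it is how public buckets stay public.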

I recently discovered this interesting article from James Berthoty, which discusses a similar concept, but he puts forward his own idea regarding a new consolidation platform in Cloud Application Detection and Response (CADR): https://pulse.latio.tech/p/wtf-is-cloud-application-detection

The CADR solution could be an alternative to a robust SOAR platform, in that it’s designed to collate data in a meaningful way for SOC engineers.

Final thoughts

I’m not convinced any platform that tries to do it all will be successful in practice; the demands of investors will ultimately overtake the demands of the customer.

Of course I’m referring to success in relation to solving customer problems, I concede they will be successful financially as customers will continue to overpay for services that claim to solve all their problems in one nice off the shelf solution, especially when Gartner tells them to.

In recent times, security companies have become experts in marketing. I don’t have any evidence to back up this claim, but I imagine they spend more on branding, marketing, and sales, than they do on software engineering, customer success, and research.

If you want to maximise success in securing your business, I would recommend investing in people above all else. You will likely find that you spend less on security platforms that don’t live up to expectations, while also solving the real-world problems your business faces, whether that’s through a multi-use platform or OSS. I’ll take a well-funded internal security team over an external platform that promises the world.