Choose Your Infrastructure: Why Vendor Selection Should Matter to CISOs
- Feb 18, 2025
- Heidi Willbanks
- 4 minutes to read
When running a cybersecurity operation for an organization, there are numerous competing priorities—and the CISO is responsible for striking an intricate balance between them. Of course, the overall security posture is imperative, as are the organization’s broader business objectives. The CISO has to determine the organization’s tolerance for risk, while simultaneously understanding the most essential security use cases for the business and establishing protections for them.
Finally, all of this is enabled or constrained by the financial and material resources allocated to the security operations center (SOC). For too many organizations, questions of budget can compete with security requirements.
CISOs need to establish security’s strategic value and relevance, and transition organizational thinking away from viewing it only as a cost center. There are concrete business benefits to cybersecurity, which are multiplied exponentially for any organization that maintains digital lines of business. By articulating and defending this position, CISOs are better equipped to obtain the proper budget for the right tools for the right use cases.
The perils of concentrating on cost versus risk
When an organization is preoccupied with cost considerations, one approach is to rely on an enterprise platform vendor to supply the entire security stack—an approach that undermines the effectiveness of security information and event management (SIEM), where the SOC collects data from across a heterogeneous environment to preempt and prevent threats.
There are numerous large platform players that offer a predominantly single-vendor stack—Microsoft, CrowdStrike, Palo Alto Networks, Cisco, Google, and SentinelOne, for example.
Each of these enterprise vendors originally entered the market with a core specialty that they excelled at. Then, they expanded their cybersecurity offerings by acquiring secondary solutions and presented those new acquisitions as part of a cost-effective package deal.
Yet the touted cost savings are significantly overstated. Once an organization is locked in with a vendor, the add-ons keep accumulating. In addition to a disconnected user experience, these secondary solutions often lack proper innovation, sophistication, and R&D, and they charge extra to integrate, ingest, and store data from sources outside the vendor’s ecosystem. This leads to increased cost and complexity for mission-critical—and traditionally data-agnostic—functions such as SIEM.
For business decision makers outside of security operations, the seemingly full suite of offerings and tacked-on benefits from a single vendor is an appealing prospect: it reduces the number of third-party contracts while achieving economies of scale. Enterprise vendors have been known to sweeten the pot with entertainment incentives, executive perks, and/or “free” products from other areas of their portfolios.
But knowing that large enterprise vendors can have enormous hidden costs along with lackluster products, how can CISOs and security teams ensure that their organizations stay focused on managing risk and securing strategic IP?
Reframing the Conversation Around Use Cases
Business stakeholders may fret about the number of different vendors providing the security stack, but security leaders need to be ready to refocus the conversation around the tangible performance of the various tools. How many relevant use cases does each solution fulfill? A tool that brings true excellence and versatility promises to provide more value over the long term than a product from a large enterprise vendor, where the toolkit may be extensive but each tool is only partially effective.
Of course, cost conversations are unavoidable, so CISOs need to take stock of the core capabilities worth fighting for. An obvious one is SIEM—it’s traditionally been a repository of data and the backbone of the SOC’s threat detection, investigation, and response (TDIR) processes. SIEM needs to aggregate and consolidate data from everywhere, so the single vendor approach—where the vendor’s proprietary data sources take precedence—can be counterproductive.
Security leaders and teams also need to consider what they’ll receive credit for from the wider organization. Demonstrating security excellence will win a lot more points than painstakingly engineering all the missing components that would align single-vendor solutions to specific business use cases.
For Strong Detection, You Need a Wide Selection
Too many organizations spend millions of dollars on massive single-vendor contracts, only to end up with tools they can’t fully adopt or deploy because the tools aren’t suited to actual business needs or don’t address their most strategic use cases. CISOs need to advocate for the tools that support the SOC’s priorities, and the SOC’s priorities—where they spend the most time—are likely to be on TDIR processes.
Proper cybersecurity is based on an “assume breach” mindset. That means an organization can’t take for granted that it’s fully protected; the attack surface is simply too broad, and modern threat actors are too advanced. Therefore, security teams need to consider it inevitable that incidents will occur.
TDIR processes have to be best-of-breed to respond rapidly, contain the blast radius, and reduce the fallout. Tools should be selected for their efficacy and ability to complement and integrate with other solutions so that data, activity, and events can be correlated into meaningful insights.
A best-of-breed strategy also builds resilience and contingency. Organizations with multiple security vendors don’t have to worry about a single point of failure potentially compromising their entire ecosystem of products.
But the need for best-of-breed runs deeper than that. On a fundamental level, cybersecurity as a discipline has always depended on practitioners and technologies being able to “play nice” with each other. They move the industry forward by collectively sharing knowledge, developments, and discoveries, and working together to establish the robust standards and protocols that protect data from those who would exploit and abuse it. The monopolistic tendencies of large portfolio players run counter to this ethos, and their security offerings suffer as a result.
Today, defenders need to be able to choose the tools best suited to the TDIR workflows that matter most. They should also have vendor-agnostic environments that enable them to deploy the right solutions for the right use case, regardless of vendor. The Exabeam portfolio was built for this purpose. Its core focus is combining industry-leading analytics and automation with SIEM and the capacity to integrate a wide range of products within its cloud-native or self-hosted platforms. Learn more about how to empower best-of-breed cybersecurity in our latest whitepaper.
Heidi Willbanks
Senior Product Marketing Manager, Content | Exabeam | Heidi Willbanks is the Senior Product Marketing Manager, Content at Exabeam. She manages content strategy and production for product marketing and supports strategic partners, sales and channel enablement, and competitive content, leveraging her product marketing certification, content expertise, and industry knowledge. She has 19 years of experience in content marketing, with nearly a decade in the cybersecurity field. Heidi received a BA in Journalism with a minor in Graphic Design from Cal Poly Humboldt and was awarded Outstanding Graduating Senior in Public Relations Emphasis. She enjoys reading, writing, gardening, hiking, yoga, music, and art.