It should be central to the role of the CISO to build a vision and a product strategy, and drive the decluttering of cybersecurity landscapes
Every year, as we approach conference season, I can’t help being amazed by the monumental number of cybersecurity products, services and vendors.
I have written at length about this since 2019 and I must admit I cannot see any form of consolidation over the horizon. I still believe this is not a sign of a healthy marketplace.
As a matter of fact, the situation is getting worse, as countless startups have jumped on the AI bandwagon over the past two years.
Many cybersecurity vendors appear to be reasonably successful, at least at attracting funding from investors – helped by the accumulation of cyber-attacks over recent years and possibly the investors’ rush towards AI-based products.
But increasingly, I have been asking myself: Who is actually buying all those products?
Of course, the traditional “box-checking” market will always be there: Many products are simply purchased, without proper procurement scrutiny or a competitive selection process, in response to audit observations or ahead of a regulatory inspection; this market has always existed and is not showing any sign of disappearing.
But some segments have become incredibly crowded over the years (GRC, IAM), so how can you be heard and scale on those markets without a clear, distinctive and credible message, strong enough to carry you through to a sufficient volume of sales?
In fact, in many cases, when you look in detail into the marketing storytelling those vendors produce, you realise that the business problem those tools are meant to solve is rarely explicitly defined.
In some cases, the simple fact that those tools have to solve a business problem does not appear to be understood, as their marketing storytelling consists of an avalanche of technical terms, rarely intelligible to anyone outside the specific field where the tool operates.
It looks to me like many of those tools are simply designed by technologists for technologists.
Invariably purchased as point solutions by the team leaders in charge, they simply aggravate the proliferation of cybersecurity tools and the problems this is creating for large enterprises, now operating with tens of different “solutions”, many of them designed to address nothing else but a particular problem arising in a particular context.
All this complicates security operations across the board, from compliance reporting to incident handling, forcing security teams into complex manual processes, as nothing is ever properly joined up.
It pushes up costs, as more and more manual resources are required to scale up those processes in the face of escalating threats, creating a monumental skills gap across the industry, because nothing is ever properly addressed in terms of automation, tools integration or process re-engineering.
That’s the harsh reality behind those trade shows: Even if most of those tools serve a purpose, their raw accumulation is at the heart of the inability of large enterprises to deal effectively and efficiently with the evolution of the threats, because after several decades of such accumulation, it has forced them into unmanageable, inefficient and unscalable operational security processes.
Continuing to buy more tools is unlikely to help, and until those dynamics change, things will simply get worse.
The time has come to move away from the raw technical handling of each and every cybersecurity problem in isolation from all others, and this should be seen as a matter of strategic direction for many cybersecurity practices in large firms.
It should be central to the role of the CISO in those firms to build a vision and a product strategy, and drive the decluttering of cybersecurity landscapes and the simplification of operational processes.
Automation will be key in this, as long as the simple principle we relayed and supported years ago is followed: “For every new tool, remove two legacy tools”.
More than ever, that makes tremendous sense, and it should be at the heart of any approach to AI-based cybersecurity solutions, as they develop and mature.
JC Gaillard
Founder & CEO
Corix Partners