When I’m asked to explain what’s happening with enterprise cybersecurity technology, I often use an analogy from the business software market in the 1990s.
Back then, application vendors tended to specialize in one area – PeopleSoft owned HR, Baan offered manufacturing apps, JD Edwards played in finance, etc. Around 1995, companies began replacing these departmental applications with enterprise-class ERP solutions from Oracle and SAP. The objective? Centralize all business data into a common repository that could anchor the business and be updated and used for various departmental functions and business processes in real time. Yes, the ERP journey was a bit painful, but the transition resulted in a steady increase in business productivity, enhanced efficiency, and better decision making.
On the supply side of the equation, the ERP evolution led to industry consolidation as large software vendors acquired smaller ones. By the early 2000s, just a few enterprise-class business application software vendors remained while other specialists became ecosystem partners for large vendors, adding niche value in specific areas.
According to ESG research, the same type of thing is now happening with enterprise cybersecurity technology. In a survey of 176 cybersecurity and IT professionals, 24% say that their organization is actively consolidating the cybersecurity technology vendors they do business with, 38% are consolidating the cybersecurity technology vendors they do business with on a limited basis, and 21% are considering consolidating the cybersecurity vendors they do business with.
As enterprises consolidate cybersecurity vendors, they are also integrating individual products into a common architecture. This is where enterprise-class cybersecurity vendors are beginning to emerge. A few vendors will provide products, services, and software architecture (e.g., middleware, cloud services, application architecture), doing for cybersecurity what Oracle and SAP did for business application software in the 1990s.
What do cybersecurity professionals look for in these enterprise-class cybersecurity vendors? The ESG research provides a few answers:
- 35% of cybersecurity professionals say that enterprise-class cybersecurity must offer cybersecurity expertise specific to their organization’s industry. Boy, this one really parallels the ERP transition! Rather than horizontal infosec solutions, CISOs want security technologies that align with industry business processes, regulations, global operations, etc. As IoT applications gain strength, I truly expect cybersecurity to evolve into vertical industry specialization.
- 32% of cybersecurity professionals say that enterprise-class cybersecurity must offer a cybersecurity product and services portfolio that aligns with their organization’s strategic IT initiatives. Infosec pros want to work with cybersecurity vendors who support things like cloud computing, mobile applications, digital transformation, etc. I see a lot of M&A activities and ecosystem plays for big cybersecurity players (e.g., Cisco, IBM, McAfee, Symantec, Trend Micro) in this area.
- 32% of cybersecurity professionals say that enterprise-class cybersecurity must be committed to reducing operational complexity and lowering the cost of ownership of cybersecurity. In this case, enterprise cybersecurity vendors must improve security while streamlining and lowering the cost of operations. A tall order, but consolidation, integration, enhanced intelligence, automation, and a software architecture should help here.
- 32% of cybersecurity professionals say that enterprise-class cybersecurity must provide products and services designed for enterprise scale, integration, and business process requirements. This is the classic functionality that all enterprise-class vendors must deliver: scalability, manageability, distributed data management, high performance, 7 by 24 support, etc. Enterprise organizations generate billions of security events daily and collect TBs of security data monthly, so these are “gotta haves” for CISOs.
This trend is in its infancy, but based upon the ESG research, it appears to be gaining momentum. Large organizations want (and need) an integrated end-to-end cybersecurity technology architecture that can help improve incident prevention/detection, automate and orchestrate response, and streamline security operations. This need is even more pronounced with midmarket and small enterprise organizations lacking appropriate levels of cybersecurity skills.
Over the next few years, a few vendors have the opportunity to achieve market leadership in cybersecurity technology as Oracle and SAP did in ERP. The race is on, but the finish line is already in place.