"Most Companies Get By Without Best-in-Class Security Tools"

When Platform Plays are Good Enough

ETR Research | November 04, 2022

Our recent conversation with the Managing Director of Cyber Risk and CISO Advisory for a large consulting firm centered on information security vendors and macro trends. On the topic of spending priorities, he said it “is different by sector,” with “highly regulated industries such as banks” continuing to focus on pressing cybersecurity concerns and putting innovative projects like AI/ML in the back seat for a while. Meanwhile, he said some industries unfortunately still see cybersecurity as “optional,” calling out some pharmaceutical and food processing companies as examples where they “have 30,000 to 50,000 employees, with two people working in cybersecurity.” He said the “CIO’s explanation for the two-person strategy is, ‘We haven’t had any problems yet, so we’re not going to grow that area.’” Our guest quickly rebutted that the “hasn’t happened to me” defense may not even be true, since “the bad guys can be in there 250 days before anybody finds out. In fact, if you don’t have the right tools, you’re never going to find out.”

The topic of rising breaches and ransomware payouts then led to an examination of the current state of cyber insurance where our guest was rightfully skeptical of the utility of today’s policies, stating “they’re written in such ways that protect the insurance companies. The companies are barely covered for anything, yet you’re paying huge premiums.” He said “many people are just shying away” from obtaining new cyber insurance coverage today if possible, adding that “two or three years ago was a great time to buy” policies.

Lastly, our guest had strong opinions on whether organizations truly need a portfolio of best-in-class solutions or if fewer vendors with broader capabilities would suffice. He said, “there are Fortune 100 companies that still continue to need best-in-breed,” but he routinely advises smaller and less-regulated companies that the best-in-breed approach may be overkill. Instead, he believes that “80% of the people can get by with just a few tools that offer a lot of options that aren’t best-in-class but are sufficient for them.” 

Below, we break out some direct commentary from our guest regarding which of these security vendors he believes offers good-enough, or best-in-class, functionality in areas like unified endpoint management, SIEM, and cloud security, featuring commentary on Microsoft, Tanium, Tenable, Qualys, Splunk, Wiz, and more.

Microsoft Security is broad and adequate: Microsoft is high [in ETR's security sector] because they've added a lot of those second-tier tools, I’m going to call them, to their product, that again in my mind are probably not best-in-class but are adequate enough for most institutions. Those products usually are free with E5 or a little bit extra, or many of them are even free with E3. Microsoft is doing great in the market of not-the-Fortune 100 solutions, for at least security.

What will Tanium replace?: Tanium is a strong product […] but Tanium is one of those products that overlaps a huge amount with other products. So the question is, when most people I talk to want to put in Tanium, they need to really see a good business case of what other products they are going to pull out if they put Tanium in. And sometimes it's not easy to pull those other products out.

Wiz is taking off: Wiz is just taking off like crazy in the cloud space. It seems to be the number one choice from the cloud potential. […] I think it's quick, it's easy to install, and I know several of their company engineers are very excited about the project. It helps people organize their whole cloud posture. It's a tool that I think just integrates well with their cloud endeavors. There’s not a lot of competition around; what else am I going to use? There are other tools but Wiz stands out there. If people are going to do something, they use Wiz. […] It's also, as we know, a great company from Israel, and most of the employees there were formerly in the Israel Armed Forces and areas dealing with cyber as a crime, so the people really know what they're doing.

ETR Data: When sorting ETR's entire Information Security sector by Net Score (forward-looking spend metric), Wiz is the leading vendor with a 57% Net Score among All Respondents. However, the newer player does not carry a high Pervasion (citation rate in our survey), with only 4% Pervasion. By comparison, Microsoft comes in second with a 54% Net Score and first with a whopping 76% Pervasion. Seen below is a time series chart of Wiz's Net Score and Pervasion trend lines.

Accuracy of Tenable and Qualys: Both scan the same things, but I think people traditionally used Tenable to scan different things than Qualys. Qualys was always hardware and Tenable was firewall configurations. But now, I mean, I think they do the same thing right now. The problem with both of those is, you get to a point of accuracy around 80% to 90%. After that, it's very inaccurate. So what do I mean by that? You scan something and it tells you - I'll just use an example, it tells you you've got 50 Windows servers in a building, and 500 Windows devices in a building, and it kind of goes down and tells you even what version of Windows they’re using. And when you go look for those, you can’t always find them. They may be old devices in a closet. They may be printers. They may be lots of different things. So when you're trying to patch or control them, it's not just, “Oh, I found X number of Windows servers that are unpatched.” You may be talking about a printer. So the problem is, what I hear CIOs say, is “I don't know what I don't know. I need to identify and know everything that's under my roof.” These products come in between 80% and 90% accurate, and after that you've got to have feet on the floor to go find the anomalies.
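The reconciliation step the guest describes, where scanner fingerprints are checked against what the organization already knows about its assets, is something a security team can script. The example below is added here and is not code from ETR, the guest, Tenable or Qualys. It uses constructed scanner rows and a constructed CMDB export; the field names, the asset types, and the printer-port heuristic are assumptions for illustration, not the real export format of either product. It sorts every scanner-discovered host into confirmed, fingerprint mismatch (likely a printer or other device mis-identified as Windows), stale CMDB record, or unknown, and compares the raw "Windows servers found" count with the confirmed count.

```python
"""Reconcile a vulnerability scanner's asset inventory against a CMDB export.

Added example (not ETR's, the guest's, or any vendor's code). All data below is
constructed, and the field names are assumptions, not a real Tenable or Qualys
export schema.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ScannerAsset:
    ip: str
    hostname: str            # empty when reverse DNS failed
    os_fingerprint: str      # the scanner's guess, not ground truth
    open_ports: List[int]


@dataclass
class CmdbAsset:
    ip: str
    hostname: str
    asset_type: str          # assumed vocabulary: windows_server, workstation, printer, decommissioned
    owner: str


# Constructed scanner output: five hosts the scanner fingerprinted as Windows.
SCANNER = [
    ScannerAsset("10.1.0.5",  "dc01",     "Windows Server 2019", [53, 88, 135, 445, 3389]),
    ScannerAsset("10.1.0.6",  "fs02",     "Windows Server 2012", [135, 139, 445]),
    ScannerAsset("10.1.0.40", "",         "Windows Server 2008", [80, 443, 515, 9100]),
    ScannerAsset("10.1.0.41", "prn-hr-2", "Windows 7",           [80, 9100]),
    ScannerAsset("10.1.0.90", "",         "Windows 10",          [135, 445]),
]

# Constructed CMDB export: note fs02 is recorded as decommissioned but still answers scans.
CMDB = [
    CmdbAsset("10.1.0.5",  "dc01",     "windows_server", "infra-team"),
    CmdbAsset("10.1.0.6",  "fs02",     "decommissioned", "infra-team"),
    CmdbAsset("10.1.0.41", "prn-hr-2", "printer",        "facilities"),
]

PRINTER_PORTS = {515, 631, 9100}   # LPD, IPP, raw JetDirect: typical of print devices
WINDOWS_PORTS = {135, 445}         # RPC endpoint mapper and SMB: typical of real Windows hosts
WINDOWS_TYPES = {"windows_server", "workstation"}


def reconcile(scanner: List[ScannerAsset], cmdb: List[CmdbAsset]) -> Dict[str, List[str]]:
    """Bucket each scanned host by how well the scanner's claim matches the CMDB."""
    by_ip = {a.ip: a for a in cmdb}
    by_name = {a.hostname.lower(): a for a in cmdb if a.hostname}
    report: Dict[str, List[str]] = {
        "confirmed": [], "fingerprint_mismatch": [], "stale_cmdb": [], "unknown": []
    }
    for s in scanner:
        rec = by_ip.get(s.ip) or (by_name.get(s.hostname.lower()) if s.hostname else None)
        ports = set(s.open_ports)
        # Heuristic: print-service ports with no RPC/SMB strongly suggests a printer,
        # whatever OS the scanner's banner matching decided on.
        looks_like_printer = bool(ports & PRINTER_PORTS) and not (ports & WINDOWS_PORTS)
        if rec is not None and rec.asset_type == "decommissioned":
            bucket = "stale_cmdb"            # "dead" asset still on the wire: go look for it
        elif (rec is not None and rec.asset_type == "printer") or looks_like_printer:
            bucket = "fingerprint_mismatch"  # counted as Windows, almost certainly is not
        elif rec is not None and rec.asset_type in WINDOWS_TYPES \
                and s.os_fingerprint.startswith("Windows"):
            bucket = "confirmed"             # scanner and CMDB agree; safe to patch-track
        else:
            bucket = "unknown"               # nobody owns it: feet on the floor
        report[bucket].append(s.ip)
    return report


def windows_server_counts(scanner: List[ScannerAsset], report: Dict[str, List[str]]):
    """Raw scanner 'Windows Server' count versus the count that survives reconciliation."""
    is_server = lambda s: s.os_fingerprint.startswith("Windows Server")
    raw = sum(1 for s in scanner if is_server(s))
    confirmed = sum(1 for s in scanner if is_server(s) and s.ip in report["confirmed"])
    return raw, confirmed


if __name__ == "__main__":
    rep = reconcile(SCANNER, CMDB)
    for bucket, ips in rep.items():
        print(f"{bucket:22s} {ips}")
    raw, ok = windows_server_counts(SCANNER, rep)
    print(f"scanner reported {raw} Windows servers; {ok} confirmed against CMDB")
    print("needs a physical check:", rep["unknown"] + rep["stale_cmdb"] + rep["fingerprint_mismatch"])
```

On the constructed data the scanner reports three Windows servers but only one is confirmed; the other two are a decommissioned record that still responds and a device on print-service ports. The work list that falls out of the unmatched buckets is the "feet on the floor" list the guest refers to. In practice the CMDB side would be joined from Active Directory, DHCP leases and the EDR agent inventory as well, and the port heuristic tuned to the environment.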

Splunk gets expensive quickly: Splunk is great, but people are starting to realize, as they did in the past with on-prem, that Splunk’s cloud, when not properly tuned and managed, is costing a lot of OPEX a year, and they don't know if they want to continue with it. I'm starting to hear that now. It has to be fine-tuned and managed fairly well, and it isn't always. So just like anything, what people do is they fill up their cloud space pretty quickly, and instead of fine tuning – which takes a lot of time and effort and risks not catching everything that's bad – they just buy more cloud space. They budget more and more each year, and that budget gets approved each year, until somebody comes in (usually the CIO over the CISO) and says this is ridiculous. The old IBM product [QRadar] that they had in place as a SIEM prior went up 2% a year, but costs on Splunk are going up 25% a year. We just can't stay there. No matter how good the product is, we just can't stay in that arena.

People are security vulnerabilities: Security training vendors are critical to a security strategy. A good training vendor [like KnowBe4] knows exactly where the new needs are for training, whereas homegrown [training] isn't necessarily there. […] All these tools, all these features, and all these functions came out, and the bad guys found ways to obstruct them, to move against them, and to fight them down and to beat them down. What does the protection come back to? People. It all comes back to people again, just like it was 25 years ago. […] So it’s very effective to train people, because the tools aren’t able to do everything we needed to do.

