XDR Stealing Share from Vulnerability Management Vendors 

CISO Commentary

ETR Insights | Erik Bradley | October 06, 2023

ETR Insights recently interviewed the Chief Information Security Officer of a large technology organization. Despite the current climate, our guest expects a minimum of 5% growth in IT spend at their firm, driven by the organization's move from serving SMBs to targeting enterprise clients, which brings a new range of tools, responsibilities, and regulatory requirements. That said, to save costs, the company has begun delaying or stopping new projects, reducing access to cloud resources, and consolidating redundant vendors. “SaaS licensing and optimization is part of it, but we're in a transition state through M&A, and we keep bringing on new tools. We need to figure out who’s got the best-of-breed, who's doing the best job, and where do we get the best value.”

Our guest details their experience with Qualys, Rapid7, and Tenable. He also discusses why he prefers subscription-based pricing models and explains how XDR vendors like CrowdStrike and SentinelOne may replace traditional vulnerability management tools and possibly SIEM, as well. Read on for a healthy dose of information security.

Vendor-Specific Commentary: Information Security

Priorities. Vulnerability management and patching have taken center stage, driven by headline risk and increased visibility in the boardroom. "I'm examining opportunities to consolidate some of the vulnerability management and patching under EDR / XDR, but we're still very much in the early exploratory phases on that." Edge computing is undergoing significant transformation as enterprises aim to secure the points where employees interact with data; the pandemic has shifted the focus to identity-based security as the new perimeter. "MFA comes up in almost every conversation I have with our clients. They want to make certain that we're using true two or three-factor authentication, rather than two single-factor authentication methodologies, like two passwords or a PIN." MFA is also being driven by regulatory requirements and growing attention on cybersecurity from regulatory agencies.

Our guest is cautious when adopting new tools. "Once you bring a tool like this in, it becomes very deeply embedded in your processes, and swapping a tool out can be more effort than it's worth, even in the light of 20% to 30% of cost savings." A key consideration is how a company will manage the inevitable problems that arise. He's similarly cautious about adopting all-in-one solutions, as companies may have standout primary offerings but face challenges in expanding to new areas or are slow to ramp new capabilities brought on through M&A. "A hatchet does one thing, and it does it incredibly well, but you're not going to use a hatchet to whittle a stick to a point." Our guest prefers to cherry-pick specific products from full-service vendors instead of relying on them for an all-in-one solution.

Qualys, Rapid7, and Tenable. While all three vendors take similar technological approaches, a key differentiator for our guest is their FedRAMP authorization, which allows a tool to be used within a specific regulatory framework. Qualys stands out with its longstanding ATO (authority to operate), making it an easier choice for organizations dealing with federal agencies. "That makes it very easy to put them on your worksheet when you talk about your tools." Rapid7 is right behind Qualys, whereas Tenable's current status is less clear. In this CISO's personal experience, Rapid7 has been mostly positive despite some hiccups. Tenable initially had great support but faltered over time, and although Qualys suffered from problematic regional support, the company has worked to address these issues.

ETR Data: According to data from the OCT23 TSIS, spending has leveled across most vulnerability management vendors tracked within the Information Security sector, with the most sizeable year-over-year decline coming from Tenable. Rapid7 shows more stability but still holds the lowest overall Net Score of the three major players. Meanwhile, Qualys captured a six percentage point increase from prior survey levels, jumping from a 22% to a 28% Net Score.

CrowdStrike + SentinelOne. Our guest also notes that CrowdStrike and SentinelOne have a good foothold in the containerization space. “They are able to leverage the data that they collect on the endpoint to meet the intent of the control for vulnerability management.” Both offer elements of auto-remediation as well. Our guest believes these vendors can ultimately replace traditional vulnerability management tools, based in no small part on the cost savings that come with consolidation. “I think that is driving the inroads for CrowdStrike and SentinelOne, and those inroads are going to drive their maturity in the market so that they will be technologically on par with what you see in the big three vulnerability management.”

If you would like to see the full interview summary or replay, check out the ETR Insights library, and while you're there, peruse hundreds more ITDM interviews and panels. You can also gain access to the entire research platform, including the industry's leading technology spending data, analysis, and ITDM commentary, with your own free trial.

Enterprise Technology Research (ETR) is a technology market research firm that leverages proprietary data from our targeted IT decision maker (ITDM) community to provide actionable insights about spending intentions and industry trends. Since 2010, we have worked diligently at achieving one goal: eliminating the need for opinions in enterprise research, which are often formed from incomplete, biased, and statistically insignificant data. Our community of ITDMs represents $1+ trillion in annual IT spend and is positioned to provide best-in-class customer/evaluator perspectives. ETR’s proprietary data and insights from this community empower institutional investors, technology companies, and ITDMs to navigate the complex enterprise technology landscape amid an expanding marketplace. Discover what ETR can do for you at www.etr.ai