By Wallace Witkowski, MarketWatch
MarketWatch photo illustration/iStockphoto
At the anniversary of the Equifax Inc. breach disclosure, the biggest headache for executives in charge of protecting company data has to do with choices — as in, way too many of them.
The number of cybersecurity choices facing chief information security officers, or CISOs, is truly overwhelming, according to those in the industry, as hundreds of “Best in Show” companies vie for rising corporate security budgets while claiming superiority for their small niche of the sector. The growing pressure to protect customer data, and with it, the company’s reputation, has given way to the idea of a Holy Grail of a central solution for cybersecurity.
On Sept. 7, 2017, Equifax /zigman2/quotes/208789454/composite EFX +0.63% disclosed that hackers had gained access to data on about 143 million customers, a figure that grew to up to 148 million. Hackers got into Equifax because the company was slow to patch a vulnerability in Apache Struts, a popular open-source web software. As recently as Aug. 22, another vulnerability was detected in Apache Struts by software engineering analytics company Semmle.
Over the course of the past few months, MarketWatch interviewed several top cybersecurity executives for views of the industry in the wake of the Equifax disclosure, and the need for consolidation in a fractured sector was the most recurring theme. Many see companies dealing with a patchwork of different software offerings for different needs, which can make mistakes — like a delayed Struts patch at Equifax — more likely.
“I think you’ll have to see consolidation,” FireEye Inc. /zigman2/quotes/204730283/composite FEYE -0.26% Chief Executive Kevin Mandia told MarketWatch in a recent interview. “The best of breed isn’t sticking out as much anymore.”
To get an idea of how many companies are pitching solutions to CISOs, more than 600 exhibited at the RSA Conference, one of the cybersecurity sector’s biggest annual conferences, this past April in San Francisco. The vast number of options was so overwhelming that executives interviewed by MarketWatch all wildly overstated how many companies were there — they all cited “thousands” of companies exhibiting at RSA, often several thousands, underscoring the bewilderment that appears to be at play in the industry.
SailPoint Technologies Holdings Inc. /zigman2/quotes/208922889/composite SAIL +1.14% CEO Mark McClain had one thing to say for CISOs having to deal with it: “Good luck.”
“There’s so many nuanced, isolated, specialty offerings, so the word you hear is ‘fragmentation’: We have a massive fragmentation challenge in the world of security,” McClain told MarketWatch. “You’re hearing a lot of frustration in the buyer side.”
Gearing up for cybersecurity ‘platform wars’
The problem appears to stem from all the different vulnerabilities a particular company faces, and security priorities differing for some companies, which has led to an explosion of specialists in different security fields such as endpoint protection, network security, identity management, email protection, firewalls and on and on.
What most CISOs at companies are looking for, though, is a single-pane, centralized approach that covers all of these fields and can be easily adapted to accommodate new products or face new threats, FireEye’s Mandia said.
“It’s a journey and I don’t think anyone’s arrived at it yet,” Mandia told MarketWatch.
In a recent blog post , Jon Oltsik, an analyst with ESG Market Research, said that 62% of businesses polled want to buy a security suite from a single vendor.
“So, we are at the onset of the cybersecurity ‘platform wars’ where vendors compete for bigger, lucrative deals where deployment projects could span several years,” Oltsik said.
Competing in that battle could lead to huge returns, as worldwide security spending is expected to hit $114.15 billion in 2018 and grow to $124.12 billion in 2019, according to research firm Gartner . It could cost a lot to become a competitor, though — Cisco Systems Inc. /zigman2/quotes/209509471/composite CSCO +0.19% , believed to be one of the largest security competitors in the market, recently promised $2.35 billion to acquire Duo Security for identity management, which adds to its $2.7 billion purchase of Sourcefire in 2013 and $635 million acquisition of OpenDNS in 2015, among others.
FireEye’s Mandia told MarketWatch, that of all security vendors, Cisco was closest to providing an “envelope” platform.
Gee Rittenhouse, the general manager of Cisco’s security business, told MarketWatch that delays in security-incident detection and complexity due to juggling multiple vendors cobbled together to form a coherent cyberdefense is driving consolidation. Rittenhouse said about 20% of customers polled by Cisco in 2016 said they were using 10 to 20 vendors for their cybersecurity systems. Today, about 25% of customers are saying it has grown to more like 20 to 50 vendors.
“When you have multiple vendors built into your systems, it takes a while to coordinate the response and correlate all those events,” Rittenhouse said, explaining that by then an attacker could already be off with stolen data.
“It’s just becoming harder to deal with the complexity of adding in all these elements,” Rittenhouse said. “And before you know it you just don’t have enough staff to operate the gear that you have.”