What is Vendor Sprawl?
The cyber security space is experiencing vendor sprawl and inflated promises. This has a detrimental impact on small to mid-sized businesses. There are several factors that contribute to this environment, but more importantly, it leaves small to mid-sized business leadership overwhelmed and with many questions that need to be answered.
Before we can dive into that, it’s important to understand what vendor sprawl is. You may have heard of data sprawl before, which is the considerable amount of data created every single day. Vendor sprawl refers to the staggering number of vendors in any one area. Cyber security is an industry especially hard hit by vendor sprawl.
Cyber Security Vendor Sprawl
As several high-profile cyber security events have made headlines over the last few years, and public awareness has shifted toward these issues, the market finds itself inundated with vendors, each offering its own solution to one piece of the security problem. With so many high-profile breaches, the flood of new consumer products connected to the Internet, and the gradual global realization that nearly everything you own nowadays can be hacked, security is finally getting the attention it deserves. With cyber security developing into the hot new sector comes an overabundance of vendors looking to make a profit.
The importance of cyber security solutions for small businesses cannot be overstated. We know small to mid-sized companies are hit incredibly hard by phishing scams and other targeted cyber security attacks, making cyber security vendor selection critical.
Vendor, Product, and Solution Sprawl
With each new product available, the security solutions ecosystem becomes incrementally more confusing and chaotic. The overwhelming number of options makes it far more difficult for CISOs and executive leadership teams to make an informed decision on which solutions are right for them and their organization. Some companies react to this by buying up too many tools that introduce complexity, overhead, and lots of management time, with little impact on their actual security posture.
One of my favorite images of the industry is here. Digital Guardian updates this every year, and it’s a bit mind-blowing:
Infographic by Digital Guardian
Looking at this graphic makes it clear why some organizations feel overwhelmed by the pressure to make the right decision on their cyber security vendor. When your options are this plentiful, choosing the wrong vendor for your organization is all too easy. The wrong vendor could promise you the world, but not be able to deliver. Other vendors might have a more robust offering than what an organization really needs to protect itself.
Questions Left Behind
Natural questions that arise from this landscape include:
- How many tools do I need?
- Who is running the tools I have?
- Who should I trust to buy from?
- Is my current security portfolio enough for our business?
- Should they be run by internal teams or external teams?
- What are the shortcomings of low-cost solutions?
The infamous Target breach from 2014 likely occurred specifically because of vendor sprawl and inflated promises. The attackers used email phishing to acquire the credentials of an employee at a third-party vendor, and used those credentials to breach Target’s vendor portal. From there, they got access to Target’s internal network, and then managed to take over their servers. They accessed the point-of-sale systems, and scraped credit card data for over two weeks. The attackers exfiltrated something close to 11 gigabytes of data, including names, addresses, phone numbers, and email addresses for around 70 million people. Target had quality tools in place. They had access control, firewalls, and sandboxing technology. But none of those tools communicated with the others, and the attack profile was not identified until it was far too late.
This glut of technical solutions and vendors in the space has led to inflated IT budgets and skepticism of the industry in general. When there are thousands of vendors in the space, it’s hard to gain credibility. Additionally, the pace of the IT landscape means most companies are evaluating these questions every year, or even every six months.
In the end, the only question that matters is whether or not your company is investing in solutions that are impactful relative to their cost (in both dollars spent and time invested).
There is no quick-fix questionnaire we can hand you so that you can answer that question on your own. It's a complex situation that requires a lot of scrutiny.