How Vendor Complexity Increases the Costs of Cybersecurity

Security teams do not have it easy at the best of times, playing an ever more complicated game of cat and mouse with cyber-threat actors. A World Economic Forum report suggests things are only going to get worse, with the cybersecurity measures put in place by businesses, governments and individuals increasingly being rendered obsolete by the growing sophistication of cyber-criminals. Part of the issue is that the tools provided by vendors to deal with cyber-attacks are diffuse, each covering a different area of cybersecurity.

This is a significant problem, both in terms of the associated hard cost of a lack of unity amongst security teams (and their vendors) and the soft, human cost on the security people responsible for keeping us safe across the enterprise. 

The Hard Cost 

Cybersecurity professionals are responsible for dealing with vendors covering the breadth of the threat landscape. As we all know, this landscape is constantly evolving as threat and defensive actors scramble to up their game and achieve their goals. 

The vendors used at the average enterprise are part of this, integrating identity management across the entire business and often working alongside more than a dozen other providers that deal with specific security subsets. The associated hard cost means hiring integrators and maintaining these integration links in an already stretched technology market. According to Connecting Software, of the $3.69 trillion spent globally on IT in 2020, 39% was spent on integration.

These vendors must also update their products to counter emerging attacks and trends. These changes then need to be integrated into the stack. Furthermore, if other products plug into a product that is then updated, those connections also need to be reconfigured. For a Global 2000 enterprise, this kind of complex architectural management could cost millions.

What is more concerning, however, is that this disintegrated system works to create something even more damaging: points of potential entry for a threat actor. 

The Soft Cost 

A point often missing from discussions around security and technology concerns like this is that human beings operate these systems. Security teams are among the most stressed – more than 75% of CISOs believe the pandemic has increased work-related stress, and the past two years have not changed much in this regard.

This is not just a CISO problem, however. Security teams are highly susceptible to burnout and, worse, mental health challenges. Additionally, recruiting and then retaining security team members is becoming increasingly difficult and expensive. A recent Fortinet study looking at the skills gap suggests that 60% of enterprises struggle with hiring and 52% have difficulty retaining qualified employees.

These challenges are self-fulfilling. Failure to address the issues can lead to stress, burnout and alert fatigue. This can then lead to further security issues slipping through the cracks. Multiple security vendors create multiple sources of accountability, leading to a significant rise in vulnerabilities.

Even those enterprises that can afford ongoing integration costs, minimize security team stresses and maintain high levels of retention must ensure that their teams are appropriately supported in doing so. 

Unify to Identify

Any of these issues is a concern for a large enterprise. Failure to hire the right talent, to integrate, and to ensure that entry points are secure could lead to significant losses, both financially and reputationally. So too can burnout among the security teams working to respond to these issues.

The answer is not purely technical. Companies need HR departments that are aware of these issues, and they must foster a culture that encourages people to ask for help. 

Additionally, organizations must reduce the complexity of technology systems by unifying issues such as identity management and partnering with a vendor who can help to correlate alerts across identity platforms. This could solve many of these pain points while providing a more economically sound and secure enterprise. 
