6 Tips for a Successful Security Vendor Consolidation

November 5, 2024

In the past, organizations didn’t give much thought to security vendor consolidation. With the threat landscape continually expanding, and new cyberthreats emerging daily, CISOs typically wouldn’t bat an eye at bringing on a wide range of security suppliers.

However, recent economic conditions and increasing desires to reduce internal management workloads have put cybersecurity suppliers high on the list for potential consolidation.

A Majority of Organizations Are Considering Security Vendor Consolidation

A 2022 Gartner survey reported that 75% of organizations will pursue security vendor consolidation over the next few years in an attempt to improve their security posture. If your organization is trying to downsize your cybersecurity vendor pool, you’re in the majority.

For some CISOs, consolidation is an efficient solution for improving relationships with key suppliers, increasing cost savings and streamlining the administrative work needed to govern multiple contracts. Other CISOs believe it waters down a carefully curated pool of innovative vendors, with their organizations settling for a maybe-not-even-good-enough solution just to cut costs.

In practice, either outcome is possible. But by making careful considerations, you can reap the benefits of streamlining your security operations and working with fewer vendors without creating new security risks.

The 6 Steps to Successful Consolidation

Here are six steps to take if your organization is considering cybersecurity vendor consolidation:

1. Evaluate your spend categories to identify vendor overlap
Look at your entire security stack and identify vendors in categories like web application and API protection (WAAP), bot management, API security, extended detection and response (XDR), client-side protection, vulnerability management and incident response. Are there any overlaps or redundancies?

For example, you might find you have a bot management solution on contract with two different vendors but only use one of the solutions. A thorough spend evaluation will help you see where you can cut redundancies without expanding your overall risk. Plus, you’ll gain visibility into which vendors you only use for one offering.

2. Get an outside perspective on your vendors’ capabilities
You may have many vendors, but are they the best at what they do? Are certain vendors great in one area but weak in others? Which ones bring the greatest value to your organization, and which don’t pull their weight?

Reading security analyst reports is a quick way to get a broad overview, but also consider using a consultant or trusted third-party service provider to gain more granular insights.

And keep an open mind while researching. It’s easy for startups to say they’re the only innovators out there, but you’ll often find that bigger players have more resources to innovate. The story you uncover may be different from what you expected.

3. Map your vendors’ capabilities to find where you can safely cut
Create a capabilities map by plotting your current vendors’ strengths and weaknesses.

For instance, perhaps you can cut a cloud security point player for an equally good (or better) cloud security capability from a broader vendor without sacrificing security needs.

4. Assess your vendors’ abilities to be long-term partners
Now that your capabilities map is completed, research your preferred vendors’ finances, client management quality and technology roadmaps. Are they financially stable? Do you like working with them, and are they responsive to your needs? Are they committed to the security category you’re using them for now? What are their plans to expand into other areas you need?

Any vendor can look good at one point in time (often when you first buy their solution). But ensuring that your chosen vendors will be with you for the long term is a good way to reduce the cost and resource drain of switching vendors when one no longer fits your goals.

5. Consider what your vendors offer beyond technology
When evaluating a specific vendor, ask questions like: Are their services as good as their products? How is their security research team? Have they been able to help when we have trouble or escalations? Can they support us in every geography where we operate? Do they offer managed services and professional services? Do they deliver work directly or use subcontractors? Do they offer executive briefings to discuss trends and industry direction?

Pure technology will only take a relationship so far. Evaluating overall value is important.

6. Weigh your consolidated list of vendors against other risks
Before you reduce your number of vendors, remember: It's possible to consolidate too much.

If you over-consolidate your security stack, you may run into a problem called concentration risk. This occurs when you become so dependent on one vendor that you’re essentially forced to accept price increases, high maintenance fees or bad service simply because you can’t replace the vendor easily.

Your goal should be to narrow down to a strategic set of cybersecurity vendors, not just one or two behemoths.

Paving the Way for Productive Partnerships

Before you begin consolidating security vendors, seek the counsel of your sourcing/vendor management and legal teams. Together, you can work through these six considerations to launch a structured, strategic process.

When done right, vendor consolidation can help you: