Vendor Consolidation: Identifying Overlaps and Maximizing Value

August 1, 2024 | By IANS Research

As organizations are increasingly asked to do more with less, now is a great time to explore cybersecurity consolidation both with vendors and the tools and services they provide. Your own relationships with vendors are shaped by economics, driving you to accumulate vendors over time to a point where costs can be significant. If you want to get a handle on vendor and tool consolidation, you have to be ready to understand the true costs—in money and time—of continuing down your current path as opposed to making a change.

How Vendor Proliferation Happens and Why  

The same economic forces that impact vendors also impact you. To compete in your market, you are often forced to add features or make changes to meet expectations. You are then forced to either change your roadmap—potentially upsetting other clients—or quickly add capabilities. The easiest way to add capabilities is to add new vendors. Over time, the number of vendors helping you grows.

Of course, the same thing is happening to your vendors and, as they add capabilities to compare well against their own competitors, the number of your vendors with overlapping capabilities grows. If you do not periodically review and prune these vendors, you wind up paying a fortune just to stay where you are.


How to Identify Vendor Overlaps  

There are two points where you can identify overlaps between vendors: at initial investigation and during a review later.

  • Initial Vendor Review

When you are investigating a new vendor—whether you need to add a capability, are doing an internal experiment or engaging in shadow IT—you need to identify the vendor capabilities you need, as well as those that would just be nice to have. Then, take a serious look at the “nice to have” list and identify what it would require of you to truly use those features. Consider the cost and time hit it would take to move each feature fully into production. This means going beyond experimental, minimum viable products (MVPs) and proofs of concept (PoC). This level of effort must be attached to each feature to determine the true cost so you can compare options in a fair way.

The same logic goes for the features you really need. It’s common to pick a vendor for a single feature that is fastest to integrate, ignoring the fact that doing so may mean that next month, you’re adding a new vendor that has a similar, if somewhat harder to integrate feature. This is just as damaging as picking vendors based on a large set of unassessed features.

 Good vendor selection requires a true understanding of how a vendor will fit into your organization, and that means assessing the entire vendor, not just the parts you need today. A large number of factors come into play, including personality match, respective locations and schedules, and other things.

  • Periodic Vendor Review Steps

This can be logistically difficult, but in addition to doing a comprehensive vendor risk review on a regular basis, you may want to periodically review vendor overlap. To do so, you need to identify the space(s) in which each vendor operates and look for overlaps. Similar to the tagging method used to identify what vendors currently do for you (and accordingly, what risks they pose), you can tag each vendor with a set of generalized descriptions that cover what they do for you. Then, it’s as simple as looking at all vendors tagged with the same descriptions.

By reviewing all the features of each vendor as if you were going to onboard them today and seeing which vendors can theoretically be eliminated entirely due to overlap, you can then estimate the cost of shifting off one vendor and on to another (or others) and compare it to the cost of staying with your current vendor. That makes it easy to calculate how long you can stay in the current situation before you hit the break-even point.
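The tagging review and break-even estimate described above can be sketched in a few lines of Python. This is an added example, not an IANS tool; the vendor names, capability tags and cost figures are constructed, and the function names are hypothetical.

```python
from collections import defaultdict
from math import ceil

# Constructed sample inventory: hypothetical vendors, tags and monthly costs.
VENDORS = {
    "VendorA": {"tags": {"edr", "vuln-scanning", "log-collection"}, "monthly_cost": 9000},
    "VendorB": {"tags": {"vuln-scanning"}, "monthly_cost": 3000},
    "VendorC": {"tags": {"log-collection", "siem"}, "monthly_cost": 7000},
    "VendorD": {"tags": {"email-filtering"}, "monthly_cost": 2500},
}

def vendors_by_tag(vendors):
    """Return only the tags that more than one vendor shares."""
    index = defaultdict(set)
    for name, info in vendors.items():
        for tag in info["tags"]:
            index[tag].add(name)
    return {tag: names for tag, names in index.items() if len(names) > 1}

def elimination_candidates(vendors):
    """Vendors whose every tag is also held by at least one other vendor.

    A tag match only flags a theoretical overlap; each candidate still needs
    the feature-by-feature review the article describes.
    """
    candidates = {}
    for name, info in vendors.items():
        if not info["tags"]:
            continue  # an untagged vendor has not been reviewed yet
        covering = {}
        for tag in info["tags"]:
            others = sorted(n for n, o in vendors.items()
                            if n != name and tag in o["tags"])
            if not others:
                break  # this vendor is the only source of the capability
            covering[tag] = others
        else:
            candidates[name] = covering
    return candidates

def break_even_months(migration_cost, monthly_cost_stay, monthly_cost_after):
    """Months until a one-time migration cost is repaid by the monthly saving."""
    saving = monthly_cost_stay - monthly_cost_after
    if saving <= 0:
        return None  # switching never pays for itself
    return ceil(migration_cost / saving)

if __name__ == "__main__":
    print(vendors_by_tag(VENDORS))
    print(elimination_candidates(VENDORS))
    # Constructed figures: 20000 to migrate, 3000/month today, 500/month after.
    print(break_even_months(20000, 3000, 500))
```

The migration cost passed to `break_even_months` should be the full onboarding effort, in money and staff time, not only the contract price.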

Avoiding Vendor Overuse  

There is the option to not go with a vendor in the first place. Once you have a true effort calculation to fully onboard a vendor, you can estimate both the startup cost and the time to completion, as well as the long-term cost of ownership. These numbers can be compared to an internal estimate of what it would take to build and maintain a similar set of features on your own.

In many cases, doing it yourself will not be cost-justified. However, in some, it can be cheaper to just bite the bullet and do the work. Should you not have capacity to do the work, you can do another calculation against the cost of bringing in contractors or leveraging open source components to get the work done in other ways.


Vendor Consolidation Best Practices

It may not make sense to identify vendor overlaps for every single use case. It may simply be more expedient or politically safer to go with the vendor “easy button.” However, in cases where you care about efficiency and alignment, it can really help to:

  • Calculate the true costs of onboarding: Consider both capital cost and how much time it would take to fully onboard the vendor, not just do the basic work to get things working.
  • Calculate the true costs of maintenance: Combine the costs of subscription to vendor tools and services along with the expected time needed to maintain things on your side of the relationship. It can help to calculate one-, three- and five-year estimates for this work.
  • Consider doing it yourself: Periodically ask the question: Do I want to keep working in the current mode? Doing some things yourself may make sense in some cases.

 Selecting a particular vendor is an option. Like all options, it’s useless to just have one. Consider what life would be like with other vendors and ways to address your needs that don’t involve vendors.

Streamline Vendor Selection Decisions  

Selecting a vendor can be a painful process, even if you’re an experienced cybersecurity decision-maker.

IANS Vendor Assessment Community (VAC) provides unbiased, independent, practitioner perspective from IANS Faculty and industry peers on InfoSec domains and vendor solutions. Save time with research and tools developed from peer feedback to compare vendors and maximize the ROI of your vendor spend.

Not an IANS client? Get in touch to learn more about our VAC product offering and additional resources available to help you navigate the vendor and security tool landscape.


Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

