Even With No Recession, Smaller Firms Aim to Consolidate Security Tools
Small and midsized companies work to jettison some security tools to simplify operations and reduce cost, even as any economic downturn continues to remain at bay.
June 22, 2023
Enterprises are not the only organizations looking to consolidate their security tools and vendors in the face of a potential economic slowdown — small and midsized businesses are looking to reduce their costs and simplify their security as well.
The vast majority (86%) of SMB customers using managed security service providers (MSSPs), for example, are aiming to reduce their current portfolio of security tools, according to a survey published this week by OpenText. The majority of those businesses are driven primarily by an effort to reduce costs (28%) or to simplify complex security environments (26%), the survey found.
Consolidation does not just benefit the company, but can help the provider of security services as well, says Geoff Bibby, senior vice president at OpenText Cybersecurity, a cybersecurity conglomerate.
"Consolidation is two-fold," he says. "Businesses are going to service providers because they don't have the staffing or financial resources to purchase and manage multiple tools, and from the service-provider perspective, fewer tools — and fewer vendors — means simplified billing and greater ease of doing business."
Consolidation of vendors has become a major trend following the rush to adapt to the pandemic-era business landscape by moving more services to the cloud. By mid-2022 — when 83% of companies predicted a downturn in the coming year — three-quarters of companies planned to reduce the number of security vendors they used, up from 29% in 2020. The top strategies explored by companies were reducing non-essential spending (43%), re-evaluating vendors (30%), and decommissioning infrastructure (29%), according to Spiceworks Ziff Davis's "2023 State of IT" report.
Efforts to cut costs remain strong, despite a reprieve in the dark economic forecast. A majority of economists (59%) polled in May still predict that the US would enter a recession in the next 12 months, but poor-performance predictions have remained unfulfilled as employment numbers and the stock market continue to resist a downturn.
"This is the most anticipated recession that won't ever seem to arrive, and all of the data indicates that it might never arrive because none of the factors for recession seem to be there," says Jeff Pollard, vice president and principal analyst at market intelligence firm Forrester Research.
Optimizing Vendors and Security Services
Yet while economic risks certainly spurred concerns over IT and IT-security budgets, initiatives to both simplify and reduce the cost of security operations inside companies has a life of its own, Pollard says.
"If you go back ... to the heady days of growth just nine months ago or so, what I was consistently hearing from security leaders was: too many tools, too many products," he says. "And it wasn't based on an economic argument. It was based on simplification of technology and portfolio rationalization — they felt like they had too many security controls and too many security products."
Business intelligence firm Gartner sees a similar picture. Most midsized enterprises (MSEs) — firms with $50 million to $1 billion in revenue and up to 2,500 employees — are looking to reduce the number of vendors, but rather than focus on consolidation, the companies are looking to optimize their security operations, says Patrick Long, an analyst with Gartner.
Such optimization generally focuses on two approaches. Outsourcing to service providers allows companies to overcome a shortage of security workers, because there are currently 21 IT employees for every security-focused employee, he says. Another form of consolidating is through the products, adopting all-in-one suites from a single vendor, which helps reduce licensing costs and can result in more holistic security capabilities, he says.
Currently, two-thirds of MSEs (68%) are pursuing security-vendor reduction strategies, while the remaining third have delayed consolidation but will likely simplify their security within the next three years, Long says.
"They are optimizing their architecture and integration strategies, vendor management, workforce management, and their costs," he says, adding that "current economic conditions influence security vendor consolidation but is not the primary driver for consolidation."
Integration Still a High Hurdle
Reducing the number of security products is not easy. Licensing can often become a blocker, especially if a company signed long contract periods, and products from the same vendors do not always have seamless integration, says Forrester's Pollard. In addition, any adoption of an integrated product will require a security team to learn the new system, so efficiency gains can take a while to materialize, he says.
"When you buy a bundle and consolidate, in theory, the product will integrate well, but what I really hear from a lot of security leaders is that the cost savings, frankly, doesn't often materialize," Pollard says. "Because what you wind up having to do is learn a new product, a new solution, and people have to get trained on it, so you have to modify your processes."
Yet companies are making headway. Overall, companies that pursue consolidation have seen IT security costs decrease by more than 2%, with data security costs reduced by a quarter and identity management shrink by more than a third, says Ben Pippenger, chief strategy officer at Zylo, a SaaS management platform.
"There tends to be some redundancy within security categories," he says, pointing out the cloud identity and access management are among the top-15 most redundant software functions, with nearly five applications handling that capability in the average company.
"While security is an important business function, it's one that could still likely benefit from consolidation," he says.
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024