My last posting stimulated some interesting discussions about the merits of strategic IT platforms with integrated security features versus “best of breed” security “point solutions”. Which is best? The simple answer is that we would all love to see the former but in many cases are forced to run with the latter. Unfortunately, it sends a mixed message to vendors. They see what sells and spot that it doesn’t correspond to what customers say they really want. There’s even a danger they might stop listening to their customers. I recall a colleague of mine at Shell once saying to a group of vendors at an Open Group meeting: “Just because you can’t build it, doesn’t mean we don’t want it”. A decade later people still remember that statement. But vendors don’t want to hear this. They want something they can easily build now that will guarantee sales. So they paid no attention to his requirements, though doing so might have given them a longer-term edge.
In the past, vendors could safely ignore this contradiction in the marketplace, because security didn’t sell IT platforms. And any security procurements were generally based on implementing or replacing individual products, such as a file encryption system, a remote authentication system, an enterprise firewall or an anti-virus solution. But the market has changed. Customers today have more sophisticated, all-encompassing requirements. They are building security architectures. They are thinking “services” rather than “components”. And IT vendors can now offer better security features in their products, though many still fail to hit the spot.
So what is a point-solution vendor to do? The simple answer is to ensure that their product or service can be integrated into a broader business solution. At the very least, proprietary protocols and interfaces should be avoided at all costs. But what exactly is a “broader business solution”? This is a good question because I believe there are two quite distinct answers. The first option is to be able to integrate with other security products in the same IT services space. Be part of an integrated network services solution for example. The second is to be part of a complete end-to-end security or risk process, such as vulnerability management, delivering a complete solution across business, security and IT functions.
Which approach works best? The jury is still out. Analysts would probably recommend the former, but I will always prefer the latter. Because I believe that security is a process that needs to be integrated and managed consistently across the enterprise. And I’ve been highly impressed in recent months working with security vendors such as nCircle who have been progressively extending the capabilities of their discovery tools to interface with the business risk profiling requirements of their customers. But whatever direction a vendor chooses, the important point is to listen very closely to the needs and wants of their customers. And if you can’t build what they want now, then keep them in mind until you can.