Experts: Best of breed security may not be the wisest path

When examining your security needs, note that more established vendors may not offer a complete solution -- then it's time to consider point solutions from smaller companies.

Flying in the face of conventional wisdom that best-of-breed solutions are the only way to go, experts are now recommending that organizations consider point solutions from less-established, smaller vendors to fill in gaps that others leave behind.

"Smaller and less mature vendors should be implemented as tactical solutions to 'plug security holes' in corporate networks," said Gartner analyst Lawrence Orans at the Gartner IT Security Summit earlier this week. He said "Type C companies," those that hesitate to implement new technologies or products from less-established vendors, typically steer clear of these vendors because of a lack of name recognition and because of concerns about the maturity of the technology.

"However, where you have security holes in your network, for example instant messaging risks, network access control risks, etc., it is oftentimes better to take a risk on the new vendor or the emerging technology, rather than leave the hole unplugged," Orans continued.

But changing the bigger-is-better mindset is not easy. A recent Gartner survey reported that 52% of respondents preferred best-of-breed products. Details on respondents and survey methods weren't immediately available.

After Orans' presentation at the Gartner Security Summit, a user in the financial services community, who asked not to be identified, said an analyst report created for his organization supports his premise that smaller firms initially come out with products better suited to specific needs than larger companies. He added that larger companies often catch up later via acquisition or development of their own product.

As an example, that analyst report examined deficiencies in the antivirus industry concerning the detection of spyware. "While the larger antivirus vendors are neck-and-neck in functionality and capability, they have all ignored antispyware," the report said. "The smaller specialty software firms that have focused on developing antispyware are the recognized industry leaders. During the latter half of 2004, Computer Associates acquired PestPatrol, Microsoft acquired Giant Software [and others], and McAfee released its initial version of antispyware -- all in an effort to have a showing in this space."

Beyond the threats already noted, Orans believes Type C organizations, which often include cash-strapped educational institutions and government, can benefit from two other security measures they may not ordinarily consider:

  • URL filtering is important for making sure that employees "behave themselves on the Internet" -- to ensure that they are not visiting pornography sites or gambling sites, etc.

  • SSL VPN products will allow mobile workers to access key applications like e-mail without the need for a software client on their laptops. Also, via SSL technology, the IT department can limit access to only a few critical applications if it chooses.

Drawbacks to point solutions
Experts do warn that as you buy additional product lines, especially on an enterprise level, each often requires a separate management infrastructure, including its own distribution method, maintenance method and management console. This translates to additional implementation costs and training for support personnel. This is one reason suites remain an option for many companies.

"Point solutions are necessary for the degree of focus they can provide. It is the experience of this security professional that the broader product suites don't always initially offer the 'best' solution, but in some cases they can be acceptable as the already in-place integration outweighs the capability of supporting the individual," the financial services insider said. "Usually, though, the majority choice is for the point product until the enterprise suite comes up to speed, either through development of their product or acquisition of the point solution."

This article originally appeared on, a sister site of
