Security: A Single or Multi-Vendor Approach
Michael Dundas
Experienced Leader | Risk Management | Governance & Audit | Cloud Architecture | Cloud Security
A week or so ago, there was a post from Nikesh Arora, the CEO of Palo Alto Networks. The post (https://www.dhirubhai.net/posts/nikesh-arora-02894670_i-know-we-have-sparked-a-debate-around-platformization-activity-7166581847525707776-XsOE) encouraged cybersecurity to move toward 'platformization' (a single-vendor approach) rather than 'best of breed' (a multi-vendor approach).
While there are benefits to be gained from leveraging one vendor, there are also disadvantages. The first obvious ones that come to mind from my experience are risk accountability, vendor dependency or 'lock-in', and maintaining competitive pricing.
Before I continue, it is important to state that I have worked with Palo Alto quite extensively in my career. I was part of a group of three with an amazing leader where we were the first in Canada to use them to completely re-design the security of our global. At another company years later, I led the teams again with one of their solutions to secure a global environment containing more modern systems. Both times I spoke at their Ignite security conference on our work. They are a great security company and even better when it comes to client management, in my opinion.
Accountability
Most of the regulators that oversee the financial and insurance industries ultimately put risk accountability squarely on the company. It is up to the company to ensure the same controls, monitoring, and security are implemented regardless of whether the deployment is in-house or at a third-party vendor. As a result, this is constantly reinforced in companies' internal documentation, presentations, employee training, and project risk assessments. I led third-party risk management (TPRM) at a large financial institution. TPRM was my biggest team. Between conducting risk assessments, working with the business, monitoring for changes in vendors' security stance, and following up on open risks, they were really busy. For reference, here is what is stated by the Canadian regulator (OSFI) in its TPRM guideline:
"The FRFI (regulated entity) has the flexibility to arrange its operations in a way that achieves its business and strategic objectives. However, the FRFI retains accountability for business activities, functions, and services outsourced to third parties, for data exchanged with third parties or data to which third-parties have access, and for managing risk arising from third-party arrangements." (https://www.osfi-bsif.gc.ca/en/guidance/guidance-library/third-party-risk-management-guideline#toc1.1)
Vendor Dependency
This is the "all your eggs in one basket" debate. While there are benefits to integration, such as potentially faster response times, more seamless upgrades, and easier management and maintenance because it is a single 'platform', it also increases the risk of a large breach at the service provider affecting everything at once. Everyone remembers the SolarWinds breach (https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack) and how it affected so many companies, but one can just look at the recent news. Bank of America had a very large breach reported in February 2024 this year (it started in November) and it was due to a third-party provider (https://www.forbes.com/advisor/personal-finance/data-breach-affects-bank-of-america-customer).
One could also suggest that if our cloud solution is mostly in Amazon, why would I not use their security? They have security offerings. Those offerings are integrated with their products and services, and they are a single platform. This would reduce the need for yet another third-party provider and integrate security directly into the platform.
Competitive Pricing
Throughout my career, I have experienced times when a vendor becomes the "standard" in an organization or the market. Inevitably they will raise prices as a result. They become more confident of their customers' dependency on them. This has been my experience as a customer at several companies over the years. You've bought their solution and integrated your systems, processes, responses, reporting, and automation. It becomes costly for a customer to leave, and that cost extends way beyond what is paid to the vendor themselves. Vendors know this, whether they admit it or not. By having more than one vendor and using proper architecture when designing and deploying solutions, a company can mitigate these risks to a large extent; however, it requires conscious investment and executive support, which is sometimes hard to obtain.
Overall, my view is that consolidation to one solution versus expansion to more solutions is like the tide rising and falling. New leaders come in as the old ones leave, and each has different tolerance levels for the risks described in this article and the other risks the organization encounters. They have past relationships and experiences with people that come into play, and these all affect a company's risk posture when it comes to how many vendors to have and what the separation, if any, looks like. It is a subjectivity that is due to us being human.
Michael Dundas great perspective.
Author | Cybersecurity Architect | Evangelist | Consultant | Advisor | Podcaster | Moderator | Visionary | Speaker | Awarded Dad | Outdoor Enthusiast
1 yr: Good overview! Thank you.
Connector, Consultant and Trusted Advisor
1 yr: Great article Michael Dundas.
Senior Named Account Manager at Proofpoint
1 yr: Great POV on this and some really good points made.