Will Diverse Requirements Prevent Development of a Broad Cybersecurity Platform?

The basic idea of a product or a platform in enterprise software is to create a system that can meet many needs. The best products offer some sort of simplification or ease of use so it is possible to get a powerful result without having to master lots of complexity. The best platforms allow many different groups of users to interact with the platform, collaborate, and get what they need done in a way that orchestrates and organizes all of the activity.

At RSA 2020 I’ve been studying the question of why broad platforms have been slow to develop in cybersecurity.  See “Research Topic for RSA 2020: Comprehensive Cybersecurity Platforms” for the questions I’m trying to answer. My goal is to advance the Early Adopter Research Mission “Creating a Balanced Cybersecurity Portfolio”.

One of the powerful ideas that have come out of the podcasts I’ve done with Zscaler, Esentire, Reblaze, Tempered, and Sonrai Security, relates to the commonality of requirements or the lack thereof in cybersecurity.

Here’s the thesis: The lack of commonality of requirements in cybersecurity is restricting the size of the platforms that will develop.

To understand this, let’s take a look at the difference between how CRM and the ERP markets have developed.

In the CRM market, Salesforce is the dominant player and has succeeded in creating a powerful SaaS application. The core CRM application has then been expanded into various clouds (Sales, Service, Marketing, Commerce). Like most SaaS applications, Salesforce offers a smaller set of functionality than the first generation of on-premise CRM applications. But this has not been a problem because there is strong commonality of requirements. In the CRM realm a large number of customers want that same 20 percent of the total scope of functionality.

In the ERP market, there are dominant on-premise players such as SAP and Oracle, but in this realm we haven’t seen the emergence of a dominant SaaS player. I assert that the reason is that there is a lack of commonality of requirements for ERP. Each business needs a diverse set of the 100 percent of ERP-related requirements, so no company has been able to create a smaller set of functionality delivered in a SaaS mode that has become dominant. Companies can run ERP in the cloud, but they don’t run the simplified, streamlined SaaS version.

Now in cybersecurity we don’t have platforms that are as broad as Salesforce or SAP or Oracle’s E-business suite and we may never have them. The reason I assert, is that we don’t have broad commonality of requirements. 

We do get commonality of requirements in targeted areas like Endpoint Protection Platforms or firewalls, and in these areas we do have platforms. But we don’t have the dominance of a player like Salesforce. 

It doesn’t also seem like we will ever get to a situation in which one cybersecurity company creates an umbrella platform like SAP or Oracle E-business suite. Again, the problem is that the diversity of requirements in cybersecurity doesn’t make this broad type of platform attractive.

The question is as the cybersecurity market matures will we get more commonality of requirements or will each CISO cobble together a landscape that looks like this, lots of suites or targeted platforms along with point solutions.

It is possible that one vendor could create a broad platform, but at this point given the persistence of point solutions in cybersecurity it doesn’t seem likely.