How Many Security Vendors Do I Need in My Cyber Security Stack?

How many security vendors does a business really need? It’s easy to feel overwhelmed by this question with the number of choices and complexity that cyber security in general presents us. You might be left wondering if you’re throwing money at solutions that you don’t really need or if you’re not covered for things that you should be. 

That’s where we come in. I’m Andy Powell, Key Commercial Account Manager at Babble. Thousands of SMBs in the UK trust us with their cyber security needs, and we help businesses like yours to navigate these choppy waters every day. We understand the challenges you face, and we’ve got the expertise to guide you toward a solution that fits your specific needs. 

So, while there’s no magic number, in this article, I’m going to give you a framework that will help you to make informed decisions, avoid common pitfalls, and ultimately, achieve that “just right” level of protection. We’ll explore how to balance your security needs with your budget, ensuring you’re not left exposed, or wasting money on overlapping tech. Think of it as a practical guide to building a cyber security strategy that actually works for you. 

The “How Long Is a Piece of String?” Question 

As I often say, the question of how many security vendors you need is a tricky one. The honest answer is; it depends. It depends on several factors unique to your business such as your budget, your risk tolerance, and the specific needs of your company all play a role in determining the right number of vendors.    

Ultimately, you’re aiming for that “Goldilocks” scenario: investing in the right amount of security – not too much, not too little.    

Understanding Your Risk Profile 

A crucial step, arguably the first step, in this process is understanding your company’s risk profile. To determine the appropriate level of security investment, you need to ask yourself some key questions. As I always say, “What is the risk profile of my users?” because it’s usually the users that seem to cause all the problems.    

Think about it: 

• What are your users doing, where are they going, and what are they using? 
• What is the risk to the company based on their activities?    
• Are there compliance issues related to user behaviour?    
• What does the company deem to be the most significant risk?    

It’s important to remember that security solutions should be balanced and proportionate to what you’re looking to protect, without hindering productivity. Frameworks like NIST can be helpful in addressing cyber risks.    

The Pitfalls of Too Few or Too Many Vendors 

One thing to keep in mind; it’s a balancing act. Having too few vendors can leave gaps in your protection, meaning you might not cover all the key aspects of security. On the flip side, having too many can lead to overlapping solutions, wasted budget, and what I like to call “double counting” of threats, which can cause confusion and inefficiency. Security teams can also get held up with unnecessary work and excessive reporting, which delays response times and can even lead to cyber fatigue.    

Another thing I’ve noticed is that endpoint protection solutions don’t always “play nice” together, so you could end up paying for something that isn’t even turned on.    

Key Security Capabilities to Cover 

When building your security stack, it’s essential to cover the critical capabilities. I like to think of it as working from the “network from the end user outwards”. Here are a few of the basics that I think every business should be thinking about when it comes to critical cyber security cover:  

• Endpoint protection: Solutions like CrowdStrike or Sophos are crucial for protecting PCs and users, whether they’re in the office or on the go.   
• Web content control: Tools such as Cisco Umbrella help ensure users aren’t accessing malicious sites.    
• Network protection: This includes firewalls, access controls, VPNs, and monitoring to secure your network.    
• Email protection: Robust email security should include anti-spam/antivirus, data loss prevention, secure messaging, and archiving.    
• Data storage security: Secure, corporate-sanctioned data storage solutions like OneDrive, Box, or Google Cloud Storage are essential, along with strict access controls and monitoring.    
• Identity management: It’s important to manage what users can and can’t do within your systems.    
• Data security posture management: You need to know where your data is, who has access to it, and how it is being accessed. Don’t forget resilience, redundancy, and data backups, especially permanent data storage to protect against tampering. We already know that hackers are sneaky, and their tactics switch constantly – targeting backup systems being a new favourite.  

Here’s why: They understand that if they can compromise your backups, you’re far more likely to pay a ransom because you’ve lost your ability to recover independently.  That’s why immutable data storage is so important.  This means your backup data can’t be altered or deleted, protecting it from being accessed by hackers.  It’s a critical layer of defence in your overall security strategy. 

AI Security: A new But Critical Frontier 

Something I feel we also need to address is the growing importance of AI security – it’s a whole new frontier, and businesses need to start asking themselves some tough questions when it comes to how AI could be impacting what their security stack looks like.  

Questions you should be asking are ones like: 

• What are you using AI for within your organisation? Are you using it for automation, data analysis, customer service, or something else? The specific use cases will dictate the security risks. 
• What data are you using to train your AI models? Is it sensitive data? Where did it come from? How is it protected? The quality and security of your training details something to be carefully considered.    
• How trusted is the data and the output from your AI systems? If you can’t trust the data going in, or the results coming out, you’ve got a problem. This is about data integrity and validation.    
• How do you secure AI used on personal devices? With the rise of AI on smartphones and tablets, how do you ensure that corporate data accessed or processed by AI on those devices remains secure? What rules and regulations do you have in place to protect it?    

AI presents fantastic opportunities, but it also introduces new security challenges that must be addressed proactively. 

Why One Vendor Is Just Not Enough 

Let’s be clear: there’s no single product that does everything. You might be looking at multiple providers to cover all your bases. That’s where a trusted technology provider comes in – to guide you through the complexities of choosing the right solutions and help you build a security stack that truly meets your specific requirements.  

In my experience, you’ll likely need to work with around three or four different providers to get comprehensive coverage. You might get endpoint security and data loss prevention from one vendor, but still need separate solutions for web content control, email protection, and so on. 

Vendor Consolidation vs. Best-of-Breed 

You’ll often hear talk about vendor consolidation versus a best-of-breed approach. There are pros and cons to each. Consolidating your cyber security to as few vendors as possible can offer streamlined management and potentially lower costs.

A best-of-breed approach , on the other hand, involves strategically selecting point solutions to address each specific security challenge. This means identifying individual risks and vulnerabilities, and then choosing the most specialised tool to mitigate them.

For example, instead of relying on a broad suite of tools, you might opt for a dedicated web application firewall for web security, a separate data loss prevention tool for sensitive data, and a specialised endpoint detection and response solution.

This granular approach allows you to choose solutions that may provide superior protection in specific areas.  

Building Your Stack: A Step-by-Step Approach 

To build your security stack effectively, here’s a step-by-step approach: 

1. Assess your business risk areas.
2. Implement multiple levels of security.    
3. Plan for interoperability and integration between your security solutions.    
4. Keep your stack updated to address emerging threats.    
5. Consider compliance frameworks like ISO 27001 and SOC 2.    

Conclusion 

So, how many security vendors should you have? As we have just seen, there’s no magic number; the ideal setup really does depend on your unique circumstances. 

Hopefully, this has given you some food for thought and you’re responding by taking a fresh look at your cyber security. Ultimately, it’s about taking what you’ve learned here and using it to refine your approach. Reconstructing your security strategy might involve reassessing your current vendor relationships, identifying any gaps in your defences, or seeking expert guidance to build a more robust security posture. If you’d like to gain a clear understanding of the components of a comprehensive Cyber Security Risk Assessment and learn how to prepare for one effectively, have a look at our guide. 

Remember, cyber security isn’t a one-off task; it’s an ongoing process. It requires continuous attention, adaptation, and a willingness to evolve alongside the ever-changing threat landscape. Stay alert, stay informed, and don’t hesitate to ask for help when you need it.