Security platform or best of breed? There’s only one answer

In the debate over an all-in-one cyber security platform versus best of breed solutions, there’s only one answer: best of breed. The questions are: How many tools can you afford, and is the software in your stack designed for security?

Traditionally, best of breed means buying multiple security programs, each a separate tool that’s best at the individual problem it solves. For example, you might use Forum Systems to secure your API gateway, Splunk for log correlation, and Okta to manage who accesses what data when. Each vendor brings something different to your stack, leaving IT to piece the platforms together like a Jenga tower, hoping there are no holes in the plan to keep company data safe.

The alternative to best of breed is to buy or build an inclusive, all-in-one platform, but no single software, whether you call it all-in-one or not, can really keep all company data safe. Why? Culture and money.

The trouble with all-in-one security platforms

Michael Cook, a senior security consultant at Indianapolis-based advisory Pondurance, says all-in-one platforms are generally made up of “about 15 applications or modules around that platform.” Each module addresses a different need, such as securing that API gateway. Cook cautions that not every module is equally strong and that with a single platform you risk a Jack of all trades, master of none scenario.

Say, for example, the platform you use offers gateway security but isn’t great at it. Good luck getting management to approve a Forum Systems purchase. “When you’re using a platform versus best of breed, if there’s something you don’t like in one of the modules in the platform you’re kind of, ‘Well, we’ve gotta use it because we bought the whole thing,’” he says.

Of course, just because a specialized tool might work better doesn’t mean all-in-one doesn’t offer any protection at all. The module is there. The real hole in platform security is SaaS, and SaaS is everywhere.

Why SaaS drives a best-of-breed approach to security

For over a decade, SaaS vendors have promised buyers that their software’s so easy to use, there’s no need for IT to even know. The rogue software spend that results means rogue data: Every time a sales rep circumnavigates IT, all-in-one protection becomes less inclusive. If platform security providers want to survive, Cook says, “They’re going to have to be integrated with other applications that share information.”

As Centre College, a liberal arts institution in Danville, Kentucky, moves into its own best-of-breed reality, Senior Systems and Networks Coordinator Shane Wilson centralizes control by overseeing every software purchase that the college makes, whether it’s for the IT department or not. From Moodle for learning management to Jenzabar enterprise resource planning software to Microsoft 365 for email, the college has its share of SaaS providers. Wilson vets these enterprise vendors just as thoroughly as he would security tech. “They don’t care about my data like I do,” he explains.

Questions Wilson asks include: How do you store data? How often do you patch your operating system? How are other security best practices followed? If he doesn’t get answers, Centre doesn’t buy no matter how fantastic a SaaS platform is at its core business offering. “If you go back through the big publicized breaches over the last five years and you look at the details of why they got breached, they were almost always [caused by not following best practice]. Some system didn’t get updated, some default passwords were left in. They were all relatively simple things,” he says. “Haven’t we learned that lesson?”

SaaS isn’t going away, and neither are sales reps who try to get around your department. Their “don’t tell IT” approach is also making inroads in how chatbots are sold. That’s today’s vendor culture and, even if it weren’t — even if purchasing is centralized through IT like at Centre — as long as SaaS exists, company data will flow through the capillaries of the cloud, bleeding everywhere. If we want to prevent breaches everywhere they can happen, maybe it’s time to consider the security features in individual SaaS programs part of our security stack, too. There is no true all-in-one platform anymore.

Best-of-breed security tools maximize resources

Another pro to best of breed: Wilson says outside providers are essential to the college making the most out of limited resources: “We’re a small liberal arts institution. We don’t have the kind of money that a large research institution is going to have to do security.” He then mentions that a colleague at a bigger university in a neighboring state spends $10 million a year. Centre’s IT department employs 12 people. (For perspective: during the academic year 2016/2017, 1,425 students were enrolled at Centre.)

Still, Wilson makes use of what he has, using individual security tools to “do a lot of monitoring of the traffic on our network, looking for anomalies in logs, employing certain technologies — firewall technologies, other technologies, intrusion detection systems, and so forth — to try to detect unusual events that might indicate a security problem. That’s what we can do with the resources we have. It’s a lot about resources. Basically, most people, whether they’re big or small, do everything they can with the resources they have.” For Centre, that’s best of breed.

Cook says, “It goes back to core competency and what is your business. Anything that’s rather fungible, my personal belief is you can probably outsource it, use an application for it. If you’re running a company — if you’re running Centre College — you don’t need [to build out all-in-one to protect] an HR app system, you don’t need [to for] a payroll system.” What you need is to manage data in a safe and effective manner.

To make this happen, Wilson says, “I have to look for technologies that help with heavy lifting so it doesn’t take as many person hours. A lot of times, I can buy technologies or I can buy services, but I can’t get additional people. So I need technologies that do a lot of the correlation for me before a human has to look at it and go, ‘Yes, that’s odd’ based on their experience and education. The technology can only take you so far.”