It’s an ongoing conundrum for cybersecurity professionals. Should your security program be stitched together from hand-picked best-of-breed components, or should you rely on the foresight of a larger organization’s one-stop-shop platform? One way to look at it is platform companies have done all the legwork for you. But you may argue they don’t have what you need – for now or the future. Even if it is a great platform of solutions, how could it work for everyone? It’s not a decision to be made lightly. We asked our community of experts for some insight on the platformization vs. best-of-breed debate. Here’s what some of your colleagues say.
Got feedback? Join the conversation on LinkedIn.
The myth that best-of-breed is “best”
The à la carte selection process of building a security program holds the belief that each of the components in a best-of-breed approach excels in its own area of specialty and that these can be managed independently like the parts of an engine.
1. Shiny new tool syndrome can be costly
“Best-of-breed can foster a culture where security engineers flex their knowledge on what best is, by researching and running bake-offs between vendors. This can result in elevated overhead and limited security,” said Steve Giguere, co-author, Cloud Native Application Protection Platforms.
Samantha Jacques, vp, clinical engineering, McLaren Healthcare, added, this is often because “we are drawn to the new shiny tool without understanding how it meets a need or solves a problem. When organizations start with the need or the problem and then find technology to help them solve it – they are much more successful.”
“The main question that needs to come to mind is what is it for? Are we looking to save money? Is this easier for us to procure or does this genuinely help us to improve corporate security and mitigate risks,” asked Shirley Salzman, CEO and co-founder, SeeMetrics.
The myth that platformization solves the integration issue
In reality, nothing in cyber is easy. A commonly held argument for why you should go platform is that the platform owners will integrate all the tools and those tools will become part of a fluid, contiguous system. It sounds like it’ll work, but it doesn’t necessarily play out that way.
2. Get ready for disappointment
“Buying tools first on the basis of an imagined virtuous integration is at best a risk and at worst a path to disappointment,” said David Emerson, CIO, SolCyber.
3. The evolution of platforms doesn’t match the synergy of curated best-of-breed modules
“Many platform offerings are built through acquisition, which makes it a work in progress,” said Dave Stirling, CISO, Zions Bancorporation. “If you already have best-of-breed from different manufacturers talking well together, don’t assume that it will automatically be the case for modules in the same platform.”
4. An all-in-one platform solution might not stand the test of time
“It’s a myth that this is a decision you make once, and you’re done,” said McLaren Healthcare’s Jacques. “As your organization matures and technologies change, and as the threat landscape continues to morph, the tools used are in a constant state of reassessment.”
5. Platformization: a “jack-of-all-trades or master of none?”
Most CISOs rightfully get skeptical when a vendor says their platform can “do it all.” If it can do it all, is that any better?
“Platformization offers a solution to the problem of too many tools and too many integrations. However, when vendors pack too many capabilities into a single platform, they risk diluting the quality of each,” said Yabing Wang, vp, CISO, Justworks. “As the saying goes, ‘if you’re good at everything, you’re likely not great at anything,’”
6. A big platform might mean you’ll get roped into a lot of stuff you don’t need
“If you don’t use enough of the platform to justify its purchase, you’ll find yourself shackled to an incoherent and inefficient stack,” said SolCyber’s Emerson.
“If you use best-of-breed to solve a pain point, don’t feel compelled to move everything else to the same platform for aesthetic reasons or vendor pressure,” said Zions Bancorporation’s Stirling.
“Platforming costs can easily run away, you could add more integration needs than you are prepared to support, and you may put your team past their skis,” offered Howard Holton, CTO and industry analyst, GigaOm.
7. To avoid getting caught in platform scope creep, make a concerted effort to focus on your priorities
Solutions to your organizational problems rarely come in a box.
“The more important things to focus on are the atomic value chains of risk mitigation driven by people, process, and technology in that order,” offered Cyrus Tibbs, CISO, PennyMac.
If best-of-breed and platformization superiority are both myths, where does that leave us?
These are the types of decisions that CISOs must wrestle with and though it means facing a dilemma, there’s lots of evidence from both sides to help make a smart decision.
8. Let’s reconsider: maybe best-of-breed is best overall
“A handful of excellent, specialized systems working together often outperforms a monolithic all-in-one solution that underdelivers across the board,” stated Andrew Storms, vp security, Replicated.
9. Then again, maybe best-of-breed is not best overall
Best-of-breed comes with hidden costs. Pulling together smaller components may appear to cost less at first but will soon require more hands-on maintenance.
“Most companies have limited headcounts, meaning dealing with twenty or more products and vendors is untenable. Platformization allows companies to focus on the four or five platforms that can be maintained with available staffing levels,” said Patrick Benoit, global CISO, Brinks.
10. So, maybe that means platformization is best overall for security
“A platform can deliver centralized data, giving the ability to make better decisions on threats,” said Danny Jenkins, CEO and co-founder, ThreatLocker.
“In cloud security alone, overtooling creates complexity, drives up costs, and diminishes value, since organizations must either hire skilled personnel to address gaps or invest significant engineering effort to build the connective tissue between tools,” said Elad Koren, vp, product management, Palo Alto Networks. “Platformization achieves better security without the operational strain of manual integration.”
11. Also, platformization might be best overall financially
While no one size fits all, many platforms can play well with the full scope of your organization’s needs.
“You may not need the best-of-breed to manage that risk portfolio; you may want a platform, or you may just need a competent player. This is what I call best of wallet,” added GigaOm’s Holton.
“I don’t need the ‘best-of-breed’ and its significant price tag,” said Gary Hayslip, CISO, Softbank Investment Advisers. “I need ‘good enough, ‘integrates well,’ and ‘user friendly for my team.’”
“It’s more cost effective to go with best of suite (platformization) vs. best-of-breed (point solutions), and with shrinking security teams, one platform that provides multiple capabilities makes it easy to manage,” said Al Ghous, CISO, Snapdocs.
12. Platformization is also easier to manage because there’s just one vendor
“One key benefit of platformization is that it gives you just ‘one throat to choke,’” offered Mark Eggleston, CISO, CSC Global. He added that this allows organizations to “concentrate their available resources and deal with singular accountability when things do go wrong. Best-of-breed simply means more time and complexity in training staff.”
13. But platformization also means putting all your eggs in one basket
“If you only have one vendor to manage, you put all of your eggs in that basket. You have to hope you don’t drop the basket,” cautioned Jonathan Waldrop, CISO, The Weather Company.
“Serious buyers are not fooled and are leery of depending on a single supplier,” warned Richard Stiennon, chief research analyst, IT-Harvest.
14. It might turn out to be an overly expensive basket
“Long-term cost of ownership is often unknown during the procurement cycle. Costs go up when usage is underestimated and the vendor raises prices after you are already locked into the platform,” warned Mical Solomon, CISO, Port Authority of New York and New Jersey.
15. Platformization does not mean “one size fits all”
Not everyone can buy a suit off-the-rack. The same challenge comes with platformization solutions. Some of us might be “bigger-and-taller” than we want to be.
“Adopting a single platform assumes your business model aligns perfectly with the platform’s design. This might require you to change your working model, which may be beyond the control of the security team,” warned John Scrimsher, CISO, Kontoor Brands.
“I’ve not seen an instance where a given platform covers all needs,” said Elliot Lewis, CEO, Movia. “The best models are where the CISO works with the CIO/CTO to come up with how to cover their risk posture with a comprehensive solution set.”
Platformization/best-of-breed is a false dichotomy
Most experts suggested this should never be an either/or situation and recommended searching for a hybrid, custom-tailored solution.
16. Not only is it a false dichotomy, it’s a moot point
“Each organization should find their own sweet spot for how to leverage a premier platform while simultaneously filling in critically important platform gaps with a handful of best-of-breed solutions,” said Jay Wilson, CISO, Insurity.
“A solid, diverse platform can be a good foundation, while using best-of-breed tools to fill gaps or supplement higher-risk environments is necessary,” added Port Authority of New York and New Jersey’s Solomon.
“The platformization/best-of-breed dichotomy is a false choice. We need to make sure our requirements are met, complexity is managed, and our technology works as seamlessly as possible,” said Bethany De Lude, former CISO, The Carlyle Group.
17. And don’t forget why you are making this decision in the first place
Most businesses are far too complex to settle for simple “black or white” decisions.
“The question is not whether to go platform or best-of-breed, but to validate that control investments are actually working as expected,” offered Spencer Thompson, CEO, Prelude Security.
“Stop thinking about platformization or best-of-breed,” added Bozidar Spirovski, CISO, Blue dot, “And start thinking about what really hurts you most. Fix one thing, then another. As you get more situational awareness, you’ll know whether you need a platform or a tool. And always try to be flexible and nimble. Be ready to walk away.”
18. There are also regulatory issues to consider
“While platforms serve their purpose, security leaders must be mindful before dismissing point solutions. We see customers opting for platforms for well-established and stable systems, whereas best-of-breed solutions are favored to cover specific regulatory or business enablement requirements,” noted Ben Kliger, CEO, Zenity.”
“If your company is highly regulated or highly scrutinized by your customers for risk, you must show robust security capabilities around specific areas of interest, which would involve a point solution that can provide deep security capabilities, whereas a platform may only provide some basic capabilities insufficient for the job,” said Snapdocs’ Ghous.
19. Many platforms can actually be malleable to an organization’s needs
Some platforms do match the synergy of curated best-of-breed modules, contrary to the aforementioned myth. You may not see it right away. And if that’s the case, just ask. You may be pleasantly surprised that vendors will be flexible to your unique needs.
“What’s important to me is whether they offer a beta program or have a Customer Advisory Board (CAB). If they do, I request to join. It’s a great opportunity to collaborate with vendors to get the solutions I need, even if they don’t initially address my immediate challenges. It’s rare for either to outright deny adding a feature or customization regardless,” said Mathew Biby, CISO, Satcom Direct.
“Today’s platforms typically offer significant customization and integration options, including modular pricing, that will allow you to leverage and pay a platform for as much as you want, and integrate additional individual tools as needed,” said Dennis Pickett, vp, CISO, Westat. “Your requirements should determine your overall best solution, but be sure to include requirements like ease of operability and maintenance that will factor in some of the single platform advantages.”
20. Consider how it impacts your culture
In addition to the details of your operation, there are people involved, and human nature is what it is. Think about the acronym THWADI (that’s how we’ve always done it). There’s often great resistance to changing from an existing comfortable process, even when it is for the best.
“If you are an Apple shop you probably won’t switch elsewhere unless there are good reasons. This resistance is ten times stronger if you are well invested, configured and the team is mastering the current stack,” added SeeMetrics’ Salzman.
If the system is failing, being familiar with a product or platform doesn’t benefit anyone. You’ll need to make a shift, requiring a strategy to win over a potentially reluctant or resistant team.
“Holding onto an underperforming solution does no one any favors; not you, not your team, and not the vendor. It’s better to pivot than to continue forcing an ill-fit. Innovation moves fast in security, and flexibility is key,” counseled Replicated’s Storms.
21. Start by defining what a “platform” actually is for you
People use terms like platform to describe a system, but it might not mean the same to all people, including all the people in your organization. So, start by defining it.
Jerich Beason, CISO, WM, said, “You’re not a platform if I need multiple logins to access your different products or if I have to integrate them manually. Offering out-of-the-box integration doesn’t make you a platform either. That’s simply a vendor with multiple products. Don’t be misled.”
Blue dot’s Spirovski described how his organization chose a very different approach to building its platform. “We are the integrators, and the platform is what we choose it to be, with an ability to switch in about a month with zero loss. Our platform is a dashboard, and all records are simple tickets, so we can move quickly to another tool as we choose.”
Consider the other hazards just under the surface
Whichever solution you choose—platform, best-of-breed, or hybrid—make sure to consider additional possible hazards or threats. Ask your team, “What do we not know?” and then find a way to find out.
22. Mama, don’t let your best-of-breeds grow up to be platforms
Often, the best features of a best-of-breed application get diluted and forgotten when the application gets acquired by a larger platform player.
Replicated’s Storms warned how “giant platforms often struggle to innovate at the pace of niche providers, meaning that when a beloved, cutting-edge tool gets acquired by a platform, innovation stalls, pricing models shift, and lackluster integration efforts stop adding value.”
“Big platforms tend to acquire niche companies with a single capability and attempt to integrate their offerings into the larger platform,” offered Adam Arellano, field CTO, Traceable AI. “Often, those individual offerings stop becoming as effective as they were when first purchased, and as a result, customers go out and find a best-of-breed solution to replace the failing component.”
23. When choosing your path, ask yourself, who is truly benefiting? You, the vendor, or the back office?
As Adam Koblentz, field CTO, Reveal Security, suggested, “Platformization can easily lead to a false sense of efficacy. Many platforms are from large companies that have acquired startups and are trying to glue them together. This only simplifies things on the procurement and legal side of things.”
It’s a fact – vendors might be a little biased toward their product, despite you telling them what you actually need.
“They often underestimate how easy it is to implement any technology solution, either platform or a best-of-breed,” said McLaren Healthcare’s Jacques.
We’ve heard the boasts of installations only taking minutes.
“They might gloss over the finer points of how to optimize the tool to bring the most value to the organization. That work has to be done regardless of what is chosen, and is not a step I’d skip lightly,” she added.
“Once they have you in their platform, your ability to adopt newer more innovative solutions suffers when you are pigeon-holed into patiently waiting for the newest release,” added Patricia Titus, CISO, Booking Holdings.
24. The customer is in charge. Don’t be beholden to the vendor
Proactively manage vendors, rather than follow their lead.
“Write a strong contract that you can hold the solution provider to. This means serious SLAs (service level agreements), serious focus on their innovation capability, and a commitment to holding quarterly business reviews on how they’re doing as compared to expectations,” suggested Booking Holdings’ Titus.
Adam Arellano of Traceable interpreted the false dichotomy as being built up solely for large organizations to retain healthy market share, seeing it as “a big player wanting to consolidate as much customer spend as possible, which means smaller companies find it hard to break in when this happens.”
“If a vendor pitches additional features, ask yourself: ‘Is this really what we want, or are we being upsold?’ Stay laser-focused on what delivers value to your organization today and in the near future,” offered Replicated’s Storms.
25. Ask, will the vendor be available in five years? Or even next week?
Most organizations worry about vendor lock-in, but Ron Gula, president and cofounder, Gula Tech Adventures stated, “A platform company can also change their customer focus or get acquired or worse – go out of business.”
McLaren Healthcare’s Jacques added, “The benefit of using multiple technologies is that if one vendor loses capabilities due to a cyberattack, for example, you are not single-threaded—you can continue business as usual.”
26. The pressure isn’t always from outside vendors. Sometimes, the call comes from inside the house
“Flat security budgets will push security leaders toward all-in-one platforms. They will feel pressure from CFOs to cut costs, and many will do so by adopting platforms instead of point solutions. They will also reconsider their licensing deals and negotiate with SaaS vendors to optimize the number of users and assets covered,” stated Richard Marcus, CISO, Auditboard.
27. Wrestling the 800-pound gorilla that is Microsoft
Many of our experts singled out Microsoft as a platform provider that cannot be ignored. Its size, multi-decade history, and global reach make it a unique example of a platform that is seemingly hard to beat.
“Microsoft’s advances in security have led to many cyber teams lobbying for Microsoft security products versus purchasing a non-Microsoft flavor of software. The cost savings of staying within the Microsoft ecosystem are palpable and hard to ignore,” said Nick Ryan, CISO, RSM.
This has led to two outcomes for smaller vendors, Ryan added, “I’ve been seeing more vendors either going more intensely in a singular direction – a mile deep instead of a mile wide in their offerings to capitalize on their niche – or they build their tools around the Microsoft platform.”
“Microsoft is the quintessential platform provider, and they have come a long way on several fronts,” noted The Weather Company’s Waldrop.
Been there, done that, bought the T-shirt
One of the advantages of communicating with colleagues and mentors is that many of them will have seen this same phenomenon before.
28. Watch for the perpetual motion marketing machine
“There are two never-ending cycles in technology, bundling and unbundling. Novel concepts, problems, and technologies lead to the creation of new companies, which over time grow into platforms and then get disintermediated by new startups with aspirations to build platforms of their own. It’s a trend as old as technology itself,” explained Ross Haleliuk, author, blogger, Venture in Security.
What to do
Clearly the choice of how to build your security program is difficult. It’s right on par with cloud versus on-prem, internal systems versus third-party, even hiring staff versus outsourcing. Where do you go when the ground we stand on continues to shift?
29. Decide which one makes life simpler
Complexity is the enemy of security, stability, scalability, and supportability. Adding new best-of-breed items might further complicate things.
“When I can solve capability needs with a platform rather than stitching together bespoke integrations, I’ll take the platform approach,” said Jason Elrod, CISO, MultiCare Health System.
Elrod compared a platform to using Microsoft Excel: “It’s powerful enough to run an entire business, yet most users barely scratch the surface of its potential. Platforms can meet most organizational needs, even if they don’t cover every niche requirement.”
And this underuse is not exclusive to platforms.
“Most organizations don’t use 100 percent of the features they buy, regardless if it’s best-of-breed or a platform,” offered Gula Tech Adventures’ Gula.
“I think we can’t get away from platformization in some cases for costs or complexity reasons,” said Joe Lewis, CISO, Centers for Disease Control and Prevention. “Having too many tools that operate in similar spaces as each other creates additional burdens on security teams who operate and manage the tooling.”
“Platformization is valuable in an age of tool sprawl. With over 3,000 security vendors in the market and security leaders of enterprises managing upwards of 60 tools, consolidation and ensuring that your security stack is delivering maximum ROI is often a necessary step in promoting the efficiency of your cybersecurity program,” suggested Sivan Tehila, CEO and founder, Onyxia Cyber.
30. Find a vendor who listens more than they talk
Part of your solution might involve sticking with a trusted vendor over a specific technology or approach.
“I prioritize finding a vendor who may not offer the absolute best solution but can act as a true partner – one who listens to our pain points and collaborates with us to address both current and future challenges,” offered Justworks’ Wang.
31. Buy for your business and its current (and future) stages
“Platformization is awesome for small and medium businesses, but logistically almost impossible for large enterprises to replace and implement an already integrated stack. Most enterprises love best-of-breed and are able to integrate them as needed,” stated David B. Cross, svp and CISO, Oracle.
Caleb Sima, builder, WhiteRabbit, summarized the thoughts of many of our respondents: “Many successful companies start as best-of-breed and expand into platforms as they grow.”
Conclusion: diversify and keep watch
Diversification, vigilance, and self-awareness seem to be the watchwords of our experts. The convenience of a turnkey solution must be carefully weighed against your organization’s specific needs, with one eye on the present and one on the future.
“The most successful strategies will use platform for commodity services to help reduce cost and streamline operations in order to allow organizations to invest in best-of-breed,” said George Finney, CISO, University of Texas System.
“New technology will bring new threat models – and no company stays with the same tech forever,” added Movia’s Lewis.