In security, platform consolidation efforts often land organizations between a rock and a hard place.
Many organizations want to move their security services onto fewer platforms. With too many vendors’ tools in a single security stack, managing all of the integrations, tickets, and dashboards becomes dangerously inefficient — and thus dangerously risky and expensive.
But consolidation causes inefficiencies of its own. A major reason is switching costs — the costs an organization incurs moving from one service to another. With security services, switching costs can become extremely steep, ultimately diminishing the benefits that made the organization want to consolidate in the first place.
How can organizations escape from this bind and reduce switching costs as much as possible?
To start, it’s important to understand the factors — both overt and hidden — that can make onboarding a new service costlier than it needs to be. From there, organizations should prioritize the most adaptable, composable security platforms when scoping out their consolidation journey.
When pursuing platform consolidation, organizations generally face three types of switching cost, all of which have a direct or indirect financial impact:
1. Implementation-based costs: These capture the time and effort required to turn an old service off and the new one on.
IT and security teams are often responsible for managing far more services than other departments. For example, the average enterprise can have as many as 76 security tools, many of which have been made to integrate with each other. Replacing just one tool also means re-doing all of this interconnection — whether via built-in integrations or APIs.
What’s more, finding the time to do all of this work is uniquely difficult in security and IT. Over half of security teams say they are understaffed, and yet the IT field overall sees an extremely low unemployment rate of roughly three percent — a sign that it’s hard to hire new people. All of this forces consolidating organizations to either hire expensive contractors or make hard choices about what other work to deprioritize.
2. Learning-based costs: These capture the time and effort required for teams to learn how to use the new services.
IT and security services are inherently technically complex by usual business software standards, often requiring specialized training and certifications to use effectively. This process can be particularly expensive if the learning requires third-party support.
What’s more, these costs can persist in the future as new team members join and have to familiarize themselves with vendors’ dashboards, reports, and interfaces.
3. Disruption-based costs: These capture costs imposed by implementation failures — which can be quite common — or by the new service’s inability to meet critical business needs.
Should a new security service not be implemented properly, the security consequences can be significant. At best, teams need more time to gain visibility into inbound traffic and threats. And, should a misconfiguration or gap lead to an actual attack, the impacts can range from site outages to service unavailability to actual data loss, all of which come with severe financial costs.
Security service disruptions can also affect productivity. If an access management service is misconfigured, for example, employees may not be able to access required tools — and could even resort to risky shadow IT as a workaround.
In theory, security platform consolidation should incur fewer switching costs than bringing on a new service from a new vendor. If a vendor’s security services are all effectively integrated, they should be comparatively easier to set up with one another and cause fewer dangerous misconfigurations. And if teams are used to a vendor’s products, another one from the same vendor should be easier to learn.
Unfortunately, this theory doesn’t always hold up in practice.
Despite their marketing, many security ‘platforms’ don’t fully live up to their name. They may claim to be a suite of integrated services. But in reality, services for different use cases may be built on different underlying infrastructure, may not work composably together, and may not integrate with other vendors remaining in the stack. They may even have different user interfaces (e.g. having different UIs for cloud app security and network security). This means organizations consolidating onto these ‘platforms’ could still face considerable switching costs:
Integration: If the platform’s services need manual integration and/or extra unifying services in order to work together, teams will still have to spend more time setting everything up.
Learning: If the platform has multiple UIs, it might still take more time for teams to learn to use its various services.
Disruption: More manual integration increases the risk of misconfiguration and gaps — all of which increase the risk of larger and more frequent attacks. This consequence may compound if the platform doesn’t integrate with other existing vendors. And if services live on different infrastructure, traffic may experience poor performance as it ‘trombones’ between different data centers, resulting in a bad user experience and (likely) more support tickets.
If organizations aren’t careful in which platforms they consolidate onto, they might find themselves with more of the same problems they were trying to avoid in the first place. So what’s the best way forward?
Security leaders won’t be surprised to hear that choosing the right platform to consolidate onto matters. So what type of platform helps address the challenges above?
Security and IT leaders should prioritize the following 4 qualities when evaluating platforms:
1. Composable, programmable architecture: The platform should be highly adaptable with minimal effort.
Every security service should be interoperable with each other, and fully API programmable, in every network location. In addition, every service should be decoupled from tech stack and location, and ideally it should be easy to customize everything via serverless functions.
These qualities reduce (though may not eliminate) integration-based costs that come from adapting service functionality to organization-specific compliance and privacy needs, for example. In addition, since some security teams may not want to fully consolidate everything onto one platform, the API programmability makes it simpler to create integrations between your main platform and other vendor services.
2. Global, ubiquitous reach: The platform should have infrastructure sitting in many global cities and IXPs, and offer complete control of a request from source to destination (rather than via a software-defined overlay or underlay).
As a result, network connectivity should scale infinitely on demand across every location, with no configuration during setup or operation. And, services should be available from every server, rather than living on specialized infrastructure — and be agnostic to cloud providers and geo-locations across every origin.
These qualities nearly eliminate implementation-based switching costs that organizations might otherwise incur when creating integrations between different services in a ‘platform.’ And since every service runs everywhere, users see better performance, resulting in less disruption for IT teams.
3. Cross-functional intelligence: The platform’s services should span security use cases, covering hybrid workforce security, network and cloud security, and web application and API security (including third-party code).
This results in cross-functional threat intelligence that sees most existing attacks, and what you’re trying to protect.
Similarly to global reach, these qualities drastically reduce integration-based costs. And the unified threat intelligence reduces disruption by simplifying threat visibility and improving the depth of that visibility as well.
4. Unified, simplified interface: The platform should offer all of its security and logging services via a single user interface out of the box.
This quality helps reduce implementation-based switching costs that might otherwise stem from installing an additional visibility layer to unite disparate services. It also reduces the time required for employees to familiarize themselves with new services, and reduces disruption by simplifying visibility into threat data.
Cloudflare was built to meet all 4 of the qualities listed above. The connectivity cloud — a unified platform of cloud-native services built to help organizations regain control of their IT environment — offers:
Composable, programmable architecture: All Cloudflare services can run on every server in the network, and are fully abstracted from specific hardware. In addition, you can customize access policies and integrations with the serverless development service.
Global, ubiquitous reach: Cloudflare’s network spans over 330 global cities and interconnects with over 12,500 ISPs, cloud services, and enterprises.
Cross-functional intelligence: Cloudflare serves ~20% of all web traffic and stops ~165 billion threats per day. This threat intelligence powers our entire portfolio of security services.
A unified, simplified interface: Which lets you manage every security service (including logging) through a single pane of glass, or easily integrate with any cloud log storage and analytics platform.
Thanks to these qualities, organizations using Cloudflare have more freedom to pursue security platform consolidation — and actually gain the benefits they set out to achieve.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
Check out the ROI calculator to understand specific cost savings you can gain from Cloudflare. And, learn more about how connectivity clouds enable digital transformation in the Connectivity Cloud Explained executive guide.
After reading this article you will be able to understand:
The 3 different types of switching costs and how they manifest in a security context
4 qualities that CISO's can use to evaluate platforms for consolidation
How a connectivity cloud enables organizations to gain cost benefits