Security platformization vs. best-of-breed: Risks and benefits
With tool sprawl pushing costs and complexity to a breaking point, the choice between unified security platforms and best-of-breed tools has never been more critical.
The unified platform versus best-of-breed tools debate continues as security teams struggle with integration challenges, alert fatigue and limited resources. Does buying software from individual vendors still make sense, or does that approach only further complicate today's distributed networks? The pressure is prompting a fresh look at unified security platforms as a way to reduce complexity and costs, improve visibility and regain control.
The case for platformization
IDC describes security platforms as unified systems, comprised of several structural elements that make them more than just a collection of loosely integrated standalone products. At their core, security platforms should aggregate telemetry from endpoints, networks, the cloud, identity, workloads and applications, and provide automatic normalization, enrichment and cross-domain correlation. They should support centralized policy management so teams can define and enforce consistent security policies across on-premises, cloud and hybrid domains while also reducing the risk of configuration drift.
In addition to data and policy, a true security platform also embeds integrated analytics and threat intelligence, automation and orchestration capabilities, and coordinated controls spanning identity, endpoints, networks, cloud workloads and data security.
While platforms don't have to come from a single vendor, most do. The key is how seamlessly they integrate different cross-domain security capabilities to improve outcomes.
Reducing tool sprawl -- and its associated costs and exposures -- is one of the most frequently cited justifications for platformization. An IBM and Palo Alto Networks study found that the average organization uses 83 different security products from 29 vendors, with 52% of respondents citing complexity as the biggest roadblock to better security. Those organizations that migrated their security functions to a unified platform needed 72 days fewer, on average, to detect a security incident and 84 fewer days to mitigate those incidents than companies running best-of-breed tools.
"There's a limit to how far you can get by adding more security solutions," the study reported. "That strategy gradually dilutes the benefits of each new solution and ultimately reduces security effectiveness."
An increasingly compelling argument?
Consolidating onto a single security platform is an increasingly compelling choice in today's environment, with simplification and efficiency as its primary advantages, according to IDC analyst Frank Dickson. A unified platform, he said, increases uptime and makes integration, communication and maintenance easier. It also lessens the burden on resource-strapped security teams, enabling them to focus on more urgent tasks.
In addition, by tapping data generated across diverse systems, teams can correlate information more quickly, orchestrate more efficiently and isolate threats more rapidly. Unified platforms eliminate or significantly reduce the need to painstakingly normalize heterogeneous data sets from multiple tools -- such as reconciling time zones and date formats from devices deployed across different geographies. Importantly, a platform shifts much of the heavy lifting associated with integration to the vendor, Dickson said. "First of all, it's simplification," he said. "Security platforms make everything easier: easier to integrate, easier to communicate, easier to maintain and easier for uptime."
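The normalization and cross-domain correlation described above (and in IDC's definition of a platform earlier) is mechanical but error-prone work, and the timestamp reconciliation is where most of the mistakes happen. The following is an added example, not code from the article or from any vendor it mentions: it takes two constructed record formats from hypothetical tools (an EDR that emits JSON with ISO 8601 timestamps carrying an explicit offset, and a firewall that emits key=value text in US date order with no zone, assumed here to be a fixed UTC-5 clock), converts both into one UTC-based schema, and then groups events on the same host that fall within a short window of each other and come from more than one source. Every hostname, address and timestamp is constructed; the field names are assumptions about these hypothetical tools.

```python
"""Normalize heterogeneous security telemetry into one schema and correlate
it across tools. Added example with constructed sample data; the record
formats are assumptions about two hypothetical tools, not real products."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed EDR records: JSON, ISO 8601 timestamps with an explicit UTC offset.
EDR_LINES = [
    '{"time": "2024-03-05T14:02:10+01:00", "hostname": "WS-0142", '
    '"user": "alice", "event": "process_start", "image": "powershell.exe"}',
    '{"time": "2024-03-05T09:15:00+00:00", "hostname": "WS-0099", '
    '"user": "bob", "event": "process_start", "image": "notepad.exe"}',
]
# Constructed firewall records: key=value text, local time in US date order, no zone.
FW_LINES = [
    "date=03/05/2024 time=08:03:41 host=ws-0142 src=10.1.4.22 dst=203.0.113.7 dport=443 action=allow",
    "date=03/05/2024 time=08:05:02 host=ws-0142 src=10.1.4.22 dst=198.51.100.9 dport=22 action=deny",
]
# Assumption: the firewall's clock is set to a fixed UTC-5 local time.
FW_TZ = timezone(timedelta(hours=-5))


@dataclass(frozen=True)
class Event:
    """Common schema every tool's record is mapped onto."""
    ts: datetime   # always timezone-aware and converted to UTC
    host: str      # lower-cased so "WS-0142" and "ws-0142" match
    source: str    # which tool produced the record
    detail: str    # human-readable summary of the original record


def parse_edr(line: str) -> Event:
    rec = json.loads(line)
    # fromisoformat keeps the offset; astimezone normalizes to UTC.
    ts = datetime.fromisoformat(rec["time"]).astimezone(timezone.utc)
    detail = f'{rec["event"]}:{rec["image"]} user={rec["user"]}'
    return Event(ts, rec["hostname"].lower(), "edr", detail)


def parse_fw(line: str) -> Event:
    kv = dict(field.split("=", 1) for field in line.split())
    naive = datetime.strptime(f'{kv["date"]} {kv["time"]}', "%m/%d/%Y %H:%M:%S")
    # Attach the assumed local zone before converting, never treat it as UTC.
    ts = naive.replace(tzinfo=FW_TZ).astimezone(timezone.utc)
    detail = f'{kv["action"]} {kv["src"]}->{kv["dst"]}:{kv["dport"]}'
    return Event(ts, kv["host"].lower(), "firewall", detail)


def normalize(edr_lines: list[str], fw_lines: list[str]) -> list[Event]:
    """Map both formats onto the common schema and order them on one UTC timeline."""
    events = [parse_edr(l) for l in edr_lines] + [parse_fw(l) for l in fw_lines]
    return sorted(events, key=lambda e: e.ts)


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5)) -> list[list[Event]]:
    """Group events per host that occur within `window` of their predecessor and
    keep only groups seen by at least two different tools."""
    by_host: dict[str, list[Event]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    def multi_source(group: list[Event]) -> bool:
        return len({x.source for x in group}) >= 2

    clusters: list[list[Event]] = []
    for evs in by_host.values():
        evs.sort(key=lambda e: e.ts)
        current = [evs[0]]
        for e in evs[1:]:
            if e.ts - current[-1].ts <= window:
                current.append(e)
            else:
                if multi_source(current):
                    clusters.append(current)
                current = [e]
        if multi_source(current):
            clusters.append(current)
    return clusters


if __name__ == "__main__":
    for group in correlate(normalize(EDR_LINES, FW_LINES)):
        print(f"host={group[0].host}")
        for e in group:
            print(f"  {e.ts.isoformat()} [{e.source}] {e.detail}")
```

Note that the firewall line stamped 08:03:41 lands between the two EDR-visible events only because its local zone was applied before conversion; treating it as UTC would have placed it five hours earlier and the cross-tool cluster would never form. That is the normalization step a platform takes on for you, and the one to verify first when evaluating how a vendor ingests third-party telemetry.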
Platformization, Dickson added, is especially valuable for smaller organizations with limited security staff who might lack the specialized skills required to manage multiple best-of-breed tools. Larger enterprises, with hundreds of security professionals and deeper specialization, are better positioned to make a best-of-breed strategy work.
A nontrivial effort
Organizations moving from a best-of-breed environment to a platform can face significant challenges, Dickson said, often involving a substantial cultural and operational transformation. It's a shift that requires organizations to rationalize policies, procedures and existing tools. Resistance can surface from a variety of sources, including security professionals who have invested heavily in certifications and training for specific best-of-breed tools.
To that end, Dickson said, for organizations anticipating making the switch, it's better to consolidate by domains rather than attempt to shift an entire security stack onto a single platform right away. For example, a company can consolidate endpoint security capabilities to a platform first because that's likely to offer the quickest win. Once that's done, it can expand to the network and other domains, he said.
Rik Turner, an analyst with Omdia, a division of Informa TechTarget, said the mileage an organization might get from a security platform depends entirely on how finely integrated its different capabilities are, especially if the platform is assembled from multiple acquisitions. Consider the benefits of feeding telemetry back to a common back end, for example. "The platform vendor should then be able to run AI algorithms over all this collective telemetry and derive insights about your overall security posture and threat landscape," Turner said. It should "then reach conclusions about remedial actions to be sent back to the individual tools to make changes to endpoint, network, cloud or other areas within your infrastructure."
Other factors to consider when evaluating a platform include the size of the organization's security team, the company's investment in a major security vendor's portfolio, and the risk of introducing a single point of failure by consolidating all security capabilities into a single platform.
The argument for best-of-breed
The fundamental appeal in using a best-of-breed strategy is that it enables organizations to select the top-performing, most specialized tools available for individual security functions. Rather than relying on a single vendor, a best-of-breed model lets security teams handpick best-in-class products for each domain. The approach emphasizes depth over breadth, which can be especially useful when dealing with new risks and threats.
Best-of-breed makes the most sense in cybersecurity segments evolving the most rapidly, Turner said. "Right now, there's a lot of interesting startup activity around security for AI, particularly agentic AI and [Model Context Protocol]," he said. Typically, the organizations most interested in these technologies are financial services institutions, especially large Wall Street banks with deep pockets and organizations with security teams large enough to be able to use these products effectively.
Dickson at IDC said that in the platform vs. best-of-breed debate, best-of-breed is best suited to emerging technology use cases and to operational technology environments, which often involve highly specific security controls and requirements.
Morey Haber, chief security advisor at identity and access software provider BeyondTrust, said cybersecurity marketing has long promoted the idea that consolidation and platformization are the best way to reduce complexity, lower operational costs and place security controls under a single strategic provider. While at first glance the argument sounds rational and solid, it looks less so when scrutinized under the lens of operational resilience and regulatory frameworks such as the EU's updated security initiative, NIS2.
"In cybersecurity, one of the oldest principles is eliminating single points of failure," he said. "Organizations have embraced network segmentation, MFA, infrastructure distributed across availability zones and layers of solutions to mitigate risk. These design patterns exist because resilience requires diversity and multiple perspectives into a potential issue."
When an organization relies on a single vendor to provide a broad range of security functions, it's exposed to potentially dangerous risks, Haber said. "If that vendor experiences a breach, service outage, supply chain compromise or catastrophic software vulnerability, the impact extends across the entire defensive stack and everything needs to be called into question," he said.
In cybersecurity, vendor lock-in is not simply about procurement, Haber pointed out. "It is an architectural dependency that can undermine resilience, weaken governance, pose unnecessary supply chain risk and potentially place organizations in conflict with regulatory expectations."
When organizations lock themselves into a single vendor ecosystem, they restrict their ability to adopt emerging defensive technologies from best-of-breed or best-of-discipline providers. With platforms, new integrations become difficult, data portability can become constrained and replacing a failing capability becomes operationally impractical.
Jaikumar Vijayan is a freelance technology journalist with more than 20 years of award-winning experience in IT trade journalism, specializing in information security, data privacy and cybersecurity topics.