What England’s Underwhelming Team of Football All-Stars Can Teach Us About Cybersecurity

If you want to understand the platform vs best-of-breed debate, look no further than England’s football team: 11 world-class players, but a crap team.

The most pernicious hangover from the best-of-breed era is the idea that if you can just align all the right security controls, you will have an effective end-to-end security programme. That is absolutely not true—but it often takes a breach (and/or new leadership) for security organisations to wake up from this spell.

Security capability is systemic—it’s more than just the sum of its parts. The interaction between the parts matters just as much, if not more, than the individual parts themselves. For 20+ years the best-of-breed approach has actively undermined systemic thinking about security, with downstream consequences like highly siloed org charts, architectures, and data islands built around specific tools. Many organisations now find themselves painted into corners they can’t get out of.

Conway’s Law tells us that organisations produce services which mirror the org’s own complexity and communication. The classic example is if you have 4 teams of developers, you will end up with a 4-pass compiler. Not because 4-pass compilers are the best way to compile code, but because the org doesn’t know how to interact in any other way. Best-of-breed thinking has a lot to answer for, with regard to the complex patchwork of dysfunction that exists in many technology and security organisations.

And lest you think this is just a convenient sales play for a platform vendor, look at the data—studies consistently show two things: (1) there is an inverse relationship between the number of security tools and security effectiveness, and (2) the things which most improve (or degrade) security resilience have almost nothing to do with security tooling. I refer to IBM’s Cyber Resilient Organisation study often in these areas.

I would argue that you can more efficiently and effectively manage security risk, and produce better security outcomes, using a comprehensive security platform—even if an individual component is less capable than its best-of-breed competitor. Optimising the whole instead of the components is exactly the way neural networks are optimised through backpropagation; the focus is not on optimising each layer but on optimising how the layers work together to produce more accurate predictions.

So maybe what we should be focusing on in security is defining clearer outcomes. If some new email security gadget blocks more phishing links, but the number and impact of security incidents is the same at the end of the year, who cares? Certainly not the rest of the organisation, who are investing in reducing the impact and frequency of material cyber events, not in technology widgets.

So this weekend, as you watch a team of £100K+ per-week players barely get the job done against a (supposedly) less capable team, spare a thought for poor Gareth Southgate—he only gets 90 minutes to fix his best-of-breed problem.
