Chief Security Officer at BeyondTrust, overseeing the company’s security and governance for corporate and cloud-based solutions.
As a chief security officer for a leading cybersecurity company, I am frequently asked by my vendors what it will take to replace an incumbent vendor. Although my peers and I typically field at least five cold calls a day and dozens of solicitation emails, it is a hard truth for vendors that they can rarely get C-level executives to respond to a cold call or spam message. When you add social media messages and the volume of inbound requests to review a new technology, consider another product as a replacement or watch a demo to get a free gift, it becomes truly mind-boggling.
The honest answer from my peers and me regarding any of these solutions as a replacement is that the decision is based solely on the reasons to consider a new solution, not on whether an email was cheeky enough for me to want to reply. So, what reasons would a CISO need to even consider replacing an existing solution?
A Security Breach
When a vendor has a cybersecurity breach that affects your organization, the immediate response is, “Should we continue to license their solution?” This is an obvious knee-jerk reaction, but often the gut check by CISOs is correct. The vendor should be considered at high risk of replacement, even in the middle of an existing contract, to mitigate future risks. Depending on the severity of the breach, a replacement may be required to maintain business continuity or continue to obtain cyber insurance.
As the world has shifted from perpetual licensing to subscription and term structures, annual costs can easily increase in whole-number multiples if your contract does not have any restrictions. Vendors believe that their solutions are so “sticky” that a rate increase of two to three times the original cost will be absorbed because the cost to replace would be even higher. That is an incorrect assumption. Burning your clients by excessively increasing annual costs will never end well, and at some point soon, they will replace you. You may be able to get away with a cost increase like this once, but odds are if the stunt is pulled again, you will lose that client.
Incompatibility In Strategic Direction
Some cybersecurity vendors will be very open about their strategic direction and roadmaps. Their strategic direction may be open to feedback and minor adjustments, but major changes in the cloud or in support of on-premises technology may be incompatible with your business direction. If the deviations are drastic enough, your organization may be forced to look for new technology to stay relevant. Although this consideration is rare, when it does happen, it can be a significant event that uproots foundational technologies used to support the business.
Lack Of Coverage Or Support
The life cycle of any cybersecurity solution includes operating support, data retention and integrations that are compatible with the technology stacks your organization licenses. In addition, the end of life of some technology may be negatively impacted when a vendor drops support for a legacy technology stack that you depend on. This could include older desktop operating systems and legacy server platforms that function perfectly and have a longer life cycle than originally planned. When these changes occur, cybersecurity coverage for your technology could falter and warrant a change to a vendor that still provides support.
Technical Support Issues
Every cybersecurity solution needs technical support. After all, it is based on software that humans write and humans make mistakes. If the technical support provided by any vendor fails to correct a problem promptly or if a solution requires excessive technical support just to operate, it is ripe for replacement. Make no mistake about it—high-maintenance solutions with a lot of external support requirements tend to fail over time and become strong candidates for replacement.
Saving money, minimizing the number of negotiated contracts and having a single “neck to choke” is a common theme for cybersecurity solutions. Although having best-of-breed technology is always desirable for the best protection, many technology stacks can be “good enough” to meet vendor consolidation initiatives. Therefore, if you are a vendor with a point solution to solve a single use case, you are ripe for vendor consolidation when someone else offers similar features and reduces costs.
Although there are obviously other business reasons to replace a solution, the reasons above are the most common. Random inbound correspondence that “sticks” is opportunistic and strictly based on luck and timing. Vendors that have an inside scoop or target an event that has been published tend to have a better chance of succeeding, as long as they are not perceived as ambulance chasers.
So, for all my peer companies peddling cybersecurity solutions, remember that change typically occurs when change is needed, and brand awareness is key. Flooding my inbox with solicitations is not brand awareness but rather an annoyance. Focusing on who you are versus what you are selling is always a better approach to help any CISO decide when they should replace a solution and who they should look at.