Deal or No Deal: The Double-edged Sword of the IT Security Bundle

The concept of “bundling” has become very popular among large IT vendors over the past decade as it promises a number of benefits. 

But, does the bundle really deliver everything promised? Well, as usual, it depends.

What Is Bundling Exactly?

Let’s first start by having a closer look at bundling. It is a sales tactic that large IT and cybersecurity vendors use to grow their “footprint” within a customer account. 

Essentially, it works like a value meal at your favorite fast food joint: Why have just a burger and drink when you can have fries too for just a little bit more? 

Sounds like a great deal and sometimes it is, particularly when the fries are actually spicy curly fries (I’m looking at you, Jack in the Box). 

But what if those fries are not so great? Have you ever had bad fries that just make you really want the good ones? Without doing some homework, your great cybersecurity bundle may come with some soggy fries.

Deal or No Deal

Seriously, a good bundle can be a great thing. But only if all of the products and services included by the vendor are best-in-class (equivalent to best-of-breed), and you are getting a significant discount on everything you need. In that case it makes a lot of sense. 

Some of the benefits of bundling are beyond the product themselves. Let's take a look at a couple of those perceived benefits: streamlined procurement and the “one throat to choke” single vendor concept.

Streamlined Procurement

We all know that procurement is a tedious and expensive process. The legal reviews of multiple vendor contracts can eat up cycles and are sometimes frustrating. And for non-mission critical purchases, it might be worth compromising on quality to simply reduce the procurement burden on the team.

But consider some questions to ask yourself:

• Will the one-vendor concept equate to greater success in my core objective (employee risk reduction) for major cybersecurity components?
• When a bundle is offered, are you able to complete the due diligence on each critical product as you would in a stand-alone transaction? 

You might notice that these great bundle deals often come with a short deadline. Bundling can mean that “somebody's” project is going to be compromised or cause an excessive amount of admin overhead because the bundled product is likely not what their team would have chosen in a head-to-head evaluation.  

There are other considerations as well. A single procurement cycle is efficient the first time you go through it, but what about following years? These vendors aren’t foolish and they don’t stay in business by giving great products away for free. You should consider the power dynamic that you’re creating for your vendor every renewal cycle.

Single Vendor Dynamics or the “One Throat to Choke” Analogy

When a vendor relationship works great, then it’s a wonderful thing to behold. 

However, when there are missed expectations, promises unfulfilled or simply poor delivery from a large vendor, it can feel like that single throat being choked is yours.

Let’s be honest, even the biggest cybersecurity vendors with a myriad of product offerings typically “specialize” in just a few. Yes, over the years they have expanded their portfolio, usually by acquisition, but at their core they often do only one or two primary things exceptionally well.  

Whether that focus is on endpoint security, the firewall or an email gateway is dependent on the vendor, but each one has their “golden goose” solution. That’s the product that you’re really paying for; that’s where they truly make their profit and, generally, that’s where they put their resources.  

Secondary products included in a bundle may, in many cases, be “good enough” and sometimes not even that. Unfortunately, that’s often only discovered after the fact. 

What you may also find is that it’s not just the product that’s substandard. Support resources are commonly metered based on the profitability of the product. That golden goose sucks up a lot of resources!  

It’s not uncommon to find that the "one throat to choke" strategy doesn't necessarily mean that you'll always have access to subject matter experts and that tech support and customer service for the vendor's non-core products is often woefully lacking.

The Integration Perception

One of the favorite terms that are batted around in hallways of vendors’ offices is “markitecture.” 

It’s a slick way of putting various products together on a slide or graphic that makes the product portfolio look as if it fits together as cleanly as new Legos. The reality is that these diagrams are for illustration purposes only and often do not have any connection to the reality of whether there is actual integration of data, processes or administration between those products.

It’s the same (often literally) with the bundle. There’s lip service to a “fully integrated solution” during the sales and procurement cycle, but once the sales reps have all gone home it’s not uncommon to find multiple management consoles, non-compliant data structures and unmet expectations. 

Combine that with a subpar product and you’ve got….frustration (to say the least). Don’t worry though, the vendor may offer to help you solve these problems – all you need is to purchase their professional services.

In the end, it’s important to ask a few very important questions of your vendor: 

• How many consoles will we need to access to perform the expected task? 
• Can you show me how that works live? 
• What about importing users, admin privileges, and granular control? 

These would likely set you down the path to find out just how “integrated” this bundle is.

Cybersecurity: Best of Breed vs. the Bundle 

So the bundle can have some advantages, but there are just as many pitfalls that you have to watch out for, and that really applies to any type of large IT purchase. 

However, evaluating and purchasing your mission-critical cybersecurity infrastructure is not the same as purchasing other important, but less critical solutions for the back office, for example.

We are under attack from highly sophisticated, dynamic and relentless criminal organizations. As security professionals it’s our job to prevent downtime and keep the company jewels safe, along with the private information of our customers and employees. 

“Good enough” does not cut it in this environment, particularly when you’re talking about your single largest organizational vulnerability: your users.  

Let's face it – sometimes security awareness is thrown in as an extra incentive on an email gateway or other large cybersecurity purchase. Vendors offering bundles are almost always bundling in me-too products that are not nearly as fully featured as their best of breed competitors. So, the only way they can compete is by giving these non-optimal products away to help "seal the deal" for their main product. You get what you pay for.

With human error being responsible for the majority of data breaches, security awareness is your last line of defense. Having highly engaged, trained and security-aware users is a very powerful human firewall to the threat actors that are continuously testing your vulnerabilities. We’ve all seen the statistics, phishing is one of the most common penetration points for ransomware.

While bundles can seem to be a good way to save some money and lessen the procurement headache, you absolutely cannot skimp on your security awareness training. You need the best... not a bundle blunder. Get the full whitepaper: Stand-Alone Product versus Product Suite for all the key points you need to know before choosing Best of Breed vs. “Integrated Solution”.