This is one in a collection of seven pieces on Burning Security Questions. Read the rest here.
A huge debate these days is whether to select a strategic security vendor to provide the majority of security products and services the enterprise might require, or opt to evaluate point products, including those from start-ups, with an eye toward best of breed.
"My tendency is to lean toward a strategic vendor if we can," says Rick Haverty, director of IS infrastructure at the University of Rochester Medical Center, which includes hospitals and medical research centers. Cisco is the strategic networking vendor for URMC, and using IronPort, Cisco's Web-filtering appliance, solidifies URMC's business clout with Cisco, Haverty says.
But he adds he doesn't yet see the benefit of product integration that choosing a strategic security vendor is supposed to bring, such as a common management console, in Cisco networking and security products.
"They're just not there yet," he says.
In any event, URMC also looks for point products to meet the organization's needs, turning to security vendors such as Voltage for e-mail encryption with business partners and Check Point for its PointSec whole-disk encryption for the desktop. Haverty says he knows he simply has to be pragmatic in making choices about enterprise security.
Brad Blake, director of IT at Boston Medical Center, says the outlook at the healthcare provider he works for is to buy best of breed for clinical applications but focus on a strategic vendor -- or two -- for security.
The main reason is the strategic security vendor approach can help stretch a budget and gain the advantage of a common management platform, he says.
Boston Medical Center considers McAfee a strategic vendor because it makes use of McAfee's large portfolio of security products and its ePolicy Orchestrator console to manage them. ArcSight is also considered a critical vendor because its security information management platform can combine log data from many sources for analysis.
Although Boston Medical Center is a "Cisco shop," the healthcare provider so far hasn't been impressed enough with Cisco's service to warrant expanding into Cisco security products.
George Japak, head of ICSA Labs, which tests a wide variety of security products, says Cisco is layering security like antivirus and firewalls into switches and routers. Increasingly, the larger Fortune 2000 companies reliant on Cisco gear are choosing Cisco as its strategic security vendor as well as a way to reduce complexity in their networks.
But he argues that strategic security vendors can't be given an easy pass and "have to be held accountable" on every security function they're given.
"You can have a primary security vendor but keep other vendors in play, don't preclude other vendors," Japak says.
Gaby Dowling, manager of IT security at international law firm Proskauer Rose, believes it isn't logical to consider anything "strategic" if the vendor and the product can't rapidly adapt to a changing threatscape. "Just because different products come from the same vendor doesn't mean they integrate well in my experience," she adds.