How many security providers do you really need?

A graphic of dozens of locked, gold padlocks on a pale yellow background, lined up in rows and viewed with an isometric view to represent cyber security. To the right of the frame there is one especially large, unlocked padlock. They are set against a pale yellow background.
(Image credit: Getty Images)

Organizations need to have adequate security for their technology estate. Some will be large enough to do all of this in-house, but many will only be able to assign their skilled security teams to cover some of their protection. Security providers fill the remaining gaps with software, tools, and expertise.

Most businesses aim to achieve the ‘Goldilocks’ scenario, in which they invest in just the right amount of security through channels such as managed security service providers (MSSPs).

But finding the “just about right” amount of security can be trickier than it seems. While there is much discussion around ensuring you have solid security backing, it is also easy to overspend on security.

Determining the correct level of security investment

While an organization might legitimately need more than one security provider, it is also possible that it has too many for its needs. Among the pitfalls of using too many security providers are unnecessary expense, confused reporting, and lack of control.

In 2023, businesses use an average of eight security platforms according to research from Kroll. The study took in responses from 1,000 senior information security decision-makers at organizations with revenues between $50 million and $10 billion based in North and South America, APAC, and EMEA.

“Our research shows that the more cybersecurity platforms are used within an organization, the more cyber security incidents are reported,” Scott Downie, assistant managing director of cyber risk at Kroll, tells ITPro.

This could mean that more incidents are discovered, but could also be a sign of ‘double counting’ cyber security threats.

Nick Truman, chief information security officer (CISO) at Nasstar explains the pitfalls of using multiple providers doing essentially the same work. “Duplicate incident reports can overload security teams with unnecessary work, leading to decreased efficiency and delayed response times. 

“Excessive reporting can distract the security team from identifying and addressing genuine threats, leading to oversight and reduced incident response effectiveness.”


Red whitepaper cover with image of office building from the ground up

(Image credit: Trend Micro)

Modernize security operations for greater effectiveness


Software bugs already lead to incidents in which security teams are overwhelmed by false threat flags, such as Microsoft Defender erroneously identifying reused passwords.

It can also mean redundant spending on multiple providers, which could be better spent ensuring any in-house teams are well-supported. The burden placed on security teams from excessive threat reports could add to the already high level of security staff burnout.

In 2022, 75% of organizations surveyed by Gartner were looking to drop cyber security vendors to improve their security posture, citing the operational inefficiencies that can arise from tracking a mix of complex security solutions. Many (41.5%) of those surveyed were investing in secure access service edge (SASE) products to consolidate their security controls.

Getting clarity on security provision

There are three main steps IT leaders can take to get a hold of their security providers: conduct a review, remove the excess provision, and produce a risk strategy so the situation can be avoided in the future. Considering the main threats they face and their attack surface is key.

“Many organizations do not understand exactly what they are protecting against and can often overcompensate by using multiple platforms for cyber security protection,” says Downie.

Keeping one eye on the threat landscape is also key here. MSSPs can provide dark web insights, which can help businesses find out if they are being actively targeted by dark web entities such as ransomware gangs. 

Small and medium-sized businesses (SMBs) with small or no security teams to their name can particularly benefit from this access, especially as ransomware groups have begun to target smaller businesses once again.

Internal reports can also guide investment decisions on specific security tools: finding out your organization is being targeted with identity-based attacks or as part of a phishing campaign could drive greater spending on identity management services, for example.

“Clients often approach us not knowing which of their providers are really covering which risks,” Joe Hubback, managing director EMEA at Istari, tells ITPro. “It’s almost always due to very mundane reasons such as the churn of staff in security functions and the way businesses evolve.” 

External support may be well worth the cost and could eventually pay for itself as unneeded provision and associated workload is canceled. But gaps in oversight must always be addressed, especially if these are behind unnecessary spending.

With a strong strategy in place, the review process can be made easier and be carried out more regularly. The strategy should be built on both defining what necessitates protection and one’s appetite for risk. 

Finding the optimum number for security

The optimum number of security providers is likely more than one, as a single provider is often unable to cover every security requirement.

“There is a theoretical issue with having a single provider in that it reduces your security resilience. If that single vendor suffers a failure, you will not have a backup solution to protect you.”

In addition, Hubback points out that “for some enterprises, it is part of their security strategy to have vendors provide overlapping capabilities in critical areas”. This increases the chances that if one provider has not yet patched a widely-exploited vulnerability, the other in use may already have extended its cover to protect against it. It’s a “belt and braces” style approach and one which, while undoubtedly expensive, may be needed to satisfy the risk appetite of the organization. 


Developing a more effective risk report for the board whitepaper

(Image credit: ServiceNow)

Streamline your organization with business continuity management


Aside from duplication for self-protection, “Different providers might excel in specific areas of cyber security. Utilizing multiple specialized providers can ensure comprehensive coverage,” says Nick Truman. 

The key to identifying the optimum number of providers lies in getting a full and comprehensive understanding of the technology estate of one’s organization, across both legacy and modern systems as well as knowing in detail what needs protecting.

Ultimately, providing adequate security is, as so many aspects of business are, all about strategy. Get the strategy right, and your organization can ensure adequate security provision, from however many providers are needed. The Goldilocks scenario will be in place.

Sandra Vogel
Freelance journalist

Sandra Vogel is a freelance journalist with decades of experience in long-form and explainer content, research papers, case studies, white papers, blogs, books, and hardware reviews. She has contributed to ZDNet, national newspapers and many of the best known technology web sites.

At ITPro, Sandra has contributed articles on artificial intelligence (AI), measures that can be taken to cope with inflation, the telecoms industry, risk management, and C-suite strategies. In the past, Sandra also contributed handset reviews for ITPro and has written for the brand for more than 13 years in total.