When it comes to buying cybersecurity solutions, we’re often told the choice comes down to buying the best single tool available or buying into a wider platform of tools for better integration. But is there a way to have your cybersecurity cake and eat it too?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Elad Koren, vp, product management, Cortex Cloud, Palo Alto Networks.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Palo Alto Networks
Full Transcript
Intro
0:00.000
[David Spark] We’ve all heard the platformization versus best of breed debate. It’s been sold to us as a simple either/or decision as you’re building out your security program. But nothing in security is that simple. Have we been sold a false dichotomy for far too long?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series, and joining me for this very episode, he’s one of your favorites, it’s Geoff Belknap. Say hello to everybody, Geoff.
[Geoff Belknap] That’s right, everybody. Top three right here.
[David Spark] Top three.
[Geoff Belknap] Sometimes top 5 and more often top 10, but definitely top – top of all the co-hosts.
[David Spark] The irony is technically we only have two co-hosts of the show. I bring in guest co-hosts. [Laughter]
[Geoff Belknap] Still feels like top three, is what I was told, but that’s great. Good, I can shoot for the stars.
[David Spark] Our sponsor for today’s episode is Palo Alto Networks. We all know Palo Alto, but you may not know their brand-new Cortex Cloud, defining the code-to-cloud-to-SOC future through real-time security. We’re going to have more about this, it’s pretty darn cool, a little bit later in the show.
Geoff, we’ve heard the platformization and best of breed debate before. In fact, for years, we’ve heard it, and I’m going to just kind of set it out how we’ve all heard it. I don’t want people to say, “That’s wrong!” because that’s kind of like what all of our arguments are going to be here but let me just set it up the classic ways just to get everyone up to speed.
With platformization, you get all the products integrated, working simultaneously for you, although all the products are subpar. Yet with best of breed, you get the best products, although you’re going to be spending a lot of hours and money dealing with integration. Okay. We published an article on this very issue and the simple answer is that dichotomy we’ve been led to believe is not so simple, nor is it true.
I’ll ask you, Geoff, is that what you’ve experienced?
[Geoff Belknap] Absolutely. I think, we were sort of joking about this before the show, I feel like the most common place that I hear this argument, or this advocation for one or the other here, is if you’ve got a platform to sell, you seem to be really adamant a good platform is the thing to do, and if you don’t have a platform, you seem to be really adamant that best of breed is the right solution.
[David Spark] It’s bizarre how that works. [Laughter]
[Geoff Belknap] Shocking, I know, but the good news is, everybody, we’re going to solve it.
[David Spark] We are! By the way, in the next 30 minutes, it will be solved perfectly.
[Elad Koren] Yes.
[David Spark] In fact, that voice you just heard right there, that is the VP of product management for Palo Alto Networks, our sponsor guest, none other than Elad Koren. Elad, thank you for joining us in this conversation.
[Elad Koren] Oh, hi, David, Geoff. Really happy to be here, and yeah, it’s going to be fun.
What are the elements that make a great solution?
2:43.633
[David Spark] Jonathan Waldrop of The Weather Company said, “If you’re building a new security team, then go the platform approach and supplement as needed with a point solution where you have areas of specific risk. The benefits here are several – more leverage for deeper discounts based on the volume of spend, one vendor that you get to know really well, assuming they’re halfway decent, and they listen to this show.” I like that, Jonathan.
“And then there will be built-in integration. At some point, your security team should outgrow the one-size-fits-some security technologies. By then, you’ll have developed unique requirements that fit your business. That’s great because now you know exactly what you need and the bells and whistles you don’t care about, so you can go purchase exactly the right best-of-breed tool.”
Now, Priya Ranjani Mohan of KPMG said, “Most companies tend to lean toward the best-of-platform approach, seeking the simplicity and cost efficiency of integrated solutions. While this can streamline management and reduce friction, it often comes at the expense of specialized capabilities. However, in some cases, the flexibility of best-of-breed tools is worth the extra integration effort.
It truly depends on the use case, risk appetite, and budget.” And I’m going to double down on the very last words of that – it truly depends on use case, risk appetite, and budget. I’m going to say that’s pretty much the story there, Geoff. Yes?
[Geoff Belknap] That’s pretty much it. The only thing I would add to this, otherwise no notes, is it comes down to need. What does your team need? Jonathan and I think about this very similarly. If you’re starting new or you’ve got sort of a low-maturity team, a platform is not a bad idea, right? You’ve got less to figure out.
Things already sort of inherently work together, usually very easy to figure out how the features work and to find help if you need help or have questions to ask. It’s very easy to sort of close that gap of what I like to call time to value. You can get started; you can get value right away.
Now, I think Priya makes the great point that is the other side of that coin, which is at some point you’re going to start to understand your needs, what are the certain threats that your organization deals with, and there’s going to be areas that you need to go deeper, that you need to specialize. You might need extra features.
And generally, the best platform might not cover the depth that you need in every single area, and you’re going to want to bring in something specialized, and I think that is where people start to look at those things. But I think the trick here is just it’s not one answer. It’s just a combination of what are all the variables that you’re dealing with at the time.
[David Spark] That, I think, and we’re going to hear this again and again, is that it’s a combination of your own variables and the combination that the tech stack can deliver for you, and often, a platform with point solutions works pretty darn well, is – again, I’m hyper simplifying – is generally kind of the story we’re hearing.
Elad, I throw it to you.
[Elad Koren] Yeah, I think I agree with both of you and both quotes. I think there’s one thing I would add there. Many times, people tend to forget that a platform is also a product of its own, right? And if you’re not buying that from somewhere or from someone, you’re actually required to build that yourself.
And I think that also ties into that, right, because if you have a bunch of point products without any leading platform, which I think any organization should have that leading platform or leading set of solutions, any organization would have to build that themselves, right? That means effort, that means resources, that means time, that means less focus on whatever the business that they have.
And I think that is a key. This is why I really liked what Jonathan was saying, and it really resonated. I really support it, right? There should be something that you start with, and then on top of that, you add whatever it is that you need to also have playing around.
[David Spark] Let me pause you though, on one thing, the platform itself being a product, could you just go one level deeper on that and say what does that constitute?
[Elad Koren] Unless an organization wants to have 10 different teams working on 10 different point products, they need to build that mesh or connective tissue. You’ve all been around for decades, and we’ve seen that. When you need a complete set of solutions playing nicely together, you need to build that mesh yourself, unless you have something else built in or bought that would provide that connective tissue.
I’ve seen that going really well. I also saw that going really bad when an organization was trying to do that themselves. That was the point where even if you have the best set of point products, if you do not connect them properly, the outcome is going to be really bad unless you really have, like, tens of thousands of people working each and every product, right?
How do we determine what’s most important?
7:38.593
[David Spark] Sean Campbell of Cyera said, “Best in breed or best of platform should also be viewed, or at least considered, from the lens of best of delivery, fully realized implementation, or best of operationalization, fully using for why purchased.” And Jonathan Waldrop, again from The Weather Company, he’s so darn quotable, said, “Available time is a factor.
If you’re building a security team, you probably don’t have too many extra people to throw at a problem. Well-integrated platforms will typically require less implementation, so you get to ‘something’ faster.” That’s interesting. We kind of heard versions of that before when we were doing the article as well.
“I too have seen the integration selling point fall flat in practice, but if you can’t even implement it to 50%, what’s the point?” Elad, that right there is interesting. It’s like if you can’t get up and running and see some value out of it, like pretty darn fast, you’re just kind of shooting yourself in the foot, aren’t you?
[Elad Koren] I agree, and I think it goes both sides, both the point products and the platform. Before, Palo Alto Networks have been in a set of startups, and one of our major challenges there was getting to a point where a potential customer or prospect would say, “Yeah, I have the time and the people to invest in integrating your solution,” right?
And the time to value was the most critical thing. Naturally, when you’re looking to get that top value from whatever it is that you have, the time to get that is crucial. Now, let’s assume that you have a platform. That platform, once integrated, any additional solution that you push on top of it, it goes back to all the points that we’ve discussed.
It’s there. Now, compared to point solutions… By the way, I think that is part of how you should select which point solution you have in your organization. I think one of the key things we all understand now in security is that the ease of deployment and the time to value is crucial. So, I think in both cases, that is 100% correct.
I fully agree with that.
[David Spark] Geoff, let’s also reference Sean Campbell’s comment from Cyera. This idea of best of delivery and best of operationalization, it’s referencing the fact of who can get me working in a more full capacity, is probably the most attractive solution.
[Geoff Belknap] And I think this is what Elad was saying a little bit too. Sometimes the problem you have to solve is that you have nothing, right, and you need to get there as quickly as possible. I sort of said this before, time to value. I want to get that value as quick as possible. And there are plenty of products that you know what you’re going to get right out of the box, and you know what your skills are and how fast you can deploy them.
I think if you can’t deploy it quickly and get the solution or the protection or the detection or the visibility that you need right away… Most of these things you pay for right out of the gate. If you pay for them for 12 months or you’re paying for a long-term license and it takes you six months to get any value out of it, that’s six months you’re not protected, right?
That’s six months you’re not doing your job because you spent all this time trying to figure out this product. At the same time, I think there are plenty of shops that I’ve worked for, especially in smaller startups, that were phenomenal at integration. They just didn’t need the platform value. Like that was not as much a value-add for them.
And if you’ve got that skill set on your team, it puts you in a different category of the kind of product you’re looking for.
[David Spark] But I got to assume every CISO who is buying products is like every time they make that decision, they’re sitting with the, am I going to have buyer’s remorse? And that’s got to like hit you pretty darn hard. Geoff, hey, let me ask you, have you ever had buyer’s remorse?
[Geoff Belknap] Yes. And I think the reality is you’re sitting there going like, “How long until I regret buying this?”
[Laughter]
[Geoff Belknap] “Is it before or after the first renewal?” But I think that is part of the sort of je ne sais quoi of being a CISO. It really comes down to this. Like, are you going to be able to get what you need out of this, or are you going to end up going back and asking for more money or starting from scratch?
It is just the life in this place. So time is money here. I can’t believe I’m saying this cliche, but like time is money. If I’m going to spend three months deploying something, that is way more expensive than something that is a dollar amount more expensive but is going to provide value immediately.
[Elad Koren] I think we’re talking a lot about time to value in terms of deployment and realizing that value but think about a few other factors. Think about training new people coming into the org, right?
[David Spark] Yes. We’ve heard this one a lot. Yes.
[Elad Koren] Yeah. Okay. If we have that going, so definitely for sure.
[David Spark] Just briefly, I’ve heard from multiple CISOs, “I don’t have the time or the money to train my people on 12 different products. Period. Just can’t do it.”
[Elad Koren] Even more so, when you have a leading platform, and you have a point product that understand the importance of playing nicely with that platform, and by the way, you get that even when you have a platform and some customers use some other platform, right? One of the things that you keep on getting is, “Hey, I don’t want to get to 12 different screens.
Hell, I don’t want to get to five different screens. I want one. Can you really deliver everything that I need over there?” This is part of realizing that value, not just at the beginning, but actually throughout the way.
Sponsor – Palo Alto Networks
12:59.339
[David Spark] Before I go on any further, let me tell you about Palo Alto Networks and their brand-new solution, Cortex Cloud. Now, first, to play your best cyber defense, you need enterprise and cloud data within a single unified platform. Yes, you do. But without AI-powered detections, rapid investigations, and the ability to respond and remediate at speed, security teams are left reacting to threats rather than outmaneuvering them.
So, Cortex Cloud by Palo Alto Networks rewrites the rules of engagement. As the world’s only code-to-cloud-to-SOC platform, it prevents cloud threats in real time with industry-leading runtime protection.
The rise of AI has accelerated cloud adoption, as we know, creating complexity that bogs down security teams. Cortex Cloud cuts through the noise by unifying data, automating workflows, and delivering AI-driven insights that let you see, stop, and shut down attacks before they become headlines. Now, security shouldn’t be a patchwork of disconnected tools.
So, built as an open platform – you’re going to like this – Cortex Cloud is designed to integrate data with third-party tools to provide centralized visibility, full-context intelligence, and end-to-end remediation across the entire cloud ecosystem. To learn more about Cortex Cloud and how Palo Alto Networks is defining the code-to-cloud-to-SOC future through real-time security, you got to go to this website.
It’s paloaltonetworks.com/cortex/cloud. Go check them out.
Does it play nicely with others?
14:44.475
[David Spark] Terence Jackson of Microsoft said, “I choose platform due to the size of my team primarily. My team wasn’t supposed to be full-time system integrators.” What we were just talking about. Robert Wood of Sidekick Security said, “What about integration/compatibility with existing tooling and environment?” Ah, very key.
“I think this is a wildly undervalued thing, especially as it correlates to how well you can deploy a given tool.” And Andrew Hay of Damovo said, “How about best in budget?” And I love this. “Some of us aren’t blessed with Scrooge McDuckian wealth.”
[Laughter]
[David Spark] So, I mean, you know what this is? I call this the reality segment of, “Yeah, I got all the money, I got all the people. I’m all about best in breed, integrated. Like, let’s do it up.” But geez, life doesn’t work that way, does it, Elad?
[Elad Koren] No, no, it doesn’t. What I really liked is Terence’s quote, where he took it to the organization’s specific and unique needs, right? And it ties back to, Geoff, what you said at the beginning, where at the end, it depends on what you’re really looking to solve that is tied to your organization, the structure, and the things that you really care about, and your needs, your goals, objectives, and the different constraints throughout your org.
[David Spark] All right, Geoff. Again, this just seems like, “And now the practical advice.”
[Laughter]
[David Spark] Doesn’t it just come off like that? Yeah, we could all debate theoretically here, but when it comes to actually running your security program, this is what you got to look at.
[Geoff Belknap] Turns out not all of us have infinite pools of money, or what did my friend Andrew say?
[David Spark] Scrooge McDuckian wealth, I like that.
[Laughter]
[Geoff Belknap] Yeah, there’s a couple of us that are blessed with large budgets, and then there’s everybody else that has the same problems. And I think, let’s just be really fair and practical about this, it is perfectly reasonable if you’re running a security team to be buying on cost, to be deciding on cost.
There are some things where you want to optimize for like I want the best of spam or phishing or some other detection. And then there’s other stuff that maybe in your world, you just need it because you’re checking a compliance box, or it’s a regulatory requirement, or whatever. It’s perfectly valid to buy on cost.
And really, I think Elad said it, well, it just really comes down to what your needs are. Here’s the secret. There is no perfect security solution. There are a lot of bad ones, but there’s no perfect one. And so, a lot of times, just doing anything a little bit better, even if it’s not the very best one that somebody else thought you should buy, is still moving the ball forward, it’s still managing risk for your organization, and it is still doing your job.
At the end of the day, like, what else can people hope for? You’re just making it better.
[Elad Koren] And if I can add one more thing on this one, I think when you see language, legal language like compliance standards, or compliance and regulations that say, “You need to apply the solution that is the best available solution, or considering the constraints, or considering the associated cost,” it’s very clear that it’s not just the CISO’s concern there.
It’s actually also something that the industry understands in general, right? You can never get to that perfect, just like Geoff said, and I think this is part of the broader picture.
[Geoff Belknap] Yeah. What’s the perfect car? What’s the perfect breakfast? Like, it’s the same kind of things, but I’m glad we’re going to decide right now.
[David Spark] I told you we were going to answer this problem in 30 minutes.
[Geoff Belknap] That’s right.
What are we going to do now?
18:19.410
[David Spark] Drew Simonis, the CISO over at Juniper Networks, says, “With all platforms, the risk is they grow into areas you don’t value, underinvest in areas you do, and lock you in and make you fall behind. Managing the relationship to maximize influence and hence value is important. So is making sure your operations are structured to minimize switching costs.” Really, really good forward-thinking practical advice.
Neil Saltman of AHEAD said, “Consolidation has been a goal of most companies for so long that platforms will always have value, but the constant emerging of technology always create opportunities for best of breed to fill in gaps.” And Allyn Stott of Airbnb said, “A solution that covers the must-haves, like dark mode, but a vendor that is still innovating.
Even better if I can partner and guide that innovation.” This we hear a lot too. “The solution I need today is probably not the exact solution I’ll need in four years. The real win is when the vendor and product can keep up with the landscape and I don’t have to rip and replace yet again.”
All right. I want to lean on Allyn’s last quote. All three of these are great, but this is a really good, important thing. We begin with Jonathan Waldrop saying, “You just got to get started,” but then Allyn closes here and says, “Hey, yeah, you got to get started, but whatever my needs are today, I know they’re going to change in four years.” Look back four years ago and today, Geoff.
Have they changed?
[Geoff Belknap] Yeah, they changed in about four seconds. They change all the time. I actually, I think about – and hey, Allyn, because we used to work together many moons ago – I think he’s bringing up something that’s a really important value proposition with some of the choices you can make. Sometimes when you pick newer vendors, vendors that don’t quite have it all together yet, they’re a little rough around the edges, you get to also participate in shaping how they solve that problem and shaping what their product looked like.
I was fortunate enough that I was there. I remember when Palo Alto was very new. I remember when a lot of these other companies were very new. When you’re buying as an early customer, you’re also investing and investing your time and energy in helping shape the product. Now, they’re not going to just build it custom to whatever you need, but a lot of times you get a lot of early input, and so if you have a specific opinionated way about how you want to solve a problem, going with an early vendor or going with a small startup can pay a lot of dividends.
[David Spark] We have done a whole episode about what you’re saying on this very show, Defense in Depth.
[Geoff Belknap] Yeah, absolutely. I think a lot of times though, the rest of this, I can’t wait to hear what Elad says about this, but this is also the reminder that you can’t over-pivot into just buying the cheapest thing always, or just always buying the platform. There are downsides. There is no good choice.
There are only choices.
[David Spark] So, Elad, I want to take this to you. I think we’re kind of going the full journey here of beginning with, “Please get started,” and then we’re at the end of, “Okay, now you’re on this journey. Be aware that your intentions may not match the intentions of whatever vendor platform or not that you’ve chosen because your journey is going to change.
Be aware of that.” Let me ask you, as a vendor, you’ve got to recognize that in your customers. What do you do to sort of keep that communication flow with them?
[Elad Koren] I love this. I love this segment, I love this section, I love this question. Before I answer this specific question you asked, David, let me take one step back. I’ve been in product for probably more than 15 years now, right? Mostly in security. And one of the people, one of my mentors that I really appreciate, told me once, “We’re not in the business of selling something to customers just for the specific deal.
We’re in for the strategy.” So, we start off by going with the customers that buy into your strategy. For them to buy into your strategy, they need to know your strategy. So, it’s all about starting with communicating the strategy, the vision, how it manifests in whatever you’re building. And through that, this is by design, ensuring that the customers that buy into a platform or a product… By the way, I think it’s true for both.
Interestingly enough, many of the things we covered today here are true for both solutions.
I think if you get to a point where you are really good at communicating your strategy and direction, and you can show that you’re a forward thinker from a vendor standpoint, then your customers, they sure know that they’re signing in for something that in two years, three years, four years, it’s going to be relevant.
Because as Geoff said, things change every four seconds, and by the way, they also change by the person that thinks of that solution, right? In the organization itself because they all have slightly different needs, especially if you’re coming from the platform angle. To sum it up, I think… And by the way, I really agree with if you’re a very small vendor and an organization is buying into the solution, being part of small startups in the past as well, having such an investor in your company and having the point where you can definitely help grow smaller vendors as a customer, this is the point where you can benefit from both.
And I think that ties it back to one of our original points. You can benefit from both a platform and point solutions, where you have that platform that you are really buying into that strategy of where it’s heading. But you can also have those point solutions that play nicely with all that platform approach that the large players that we all know are out there and eventually get the benefit of both and invest in small companies that you really care about whatever they deliver in one year, two years, three years.
I think that is the key to getting it right.
[David Spark] And I want to just double down on something you said at the very beginning, what your mentor said to you about this idea of knowing the strategy and that if you know that, A, as a vendor, you’ll be able to sell more. We hear this from CISOs all the time, I don’t want someone selling me a product.
I want a partner. That philosophy, if both know that’s a philosophy, it becomes a much better relationship for everybody involved. So, thank you for that.
Closing
24:32.795
[David Spark] All right. We have come to the portion of the show, and I’m going to start with you, Elad. And man, I loved all the quotes on today’s episode, but I’m going to ask you to just pick one. Pick one quote. Why is it your favorite?
[Elad Koren] The first quote that we’ve had from Jonathan Waldrop because I think it’s practical. It’s a practical way of thinking. I’m a true believer in just start, start somewhere, improve later. The best way to build products is the best way to build any organization that you want. Just start and fix.
Be very quick on adjusting and adding and this is key. And I think having that, this is why this was my favorite quote.
[David Spark] Awesome. All right, Geoff, your favorite quote and why?
[Geoff Belknap] I’m going to go with my friend Andrew Hay from Damovo, who reminds us that, like, look, some of us in the security game are working for companies where we’re lucky they even funded a security team and that they’re willing to give us a nickel. And so, if we want to make progress, we have to not feel shame and just hunt for the best option that will solve the problem that fits in our budget.
[David Spark] Yeah, I liked it too as well. Well, I want to thank your company, Palo Alto Networks, for sponsoring this very show. Elad, thank you so much for coming today. And this is actually quite big for you because this is literally a week after you’ve made the big announcement of Cortex Cloud.
I mentioned it in the middle of the show. Give us a little more context because you’ve been working on this. What is it?
[Elad Koren] Yes, yes. This was a very important moment for us, very exciting moment for us, sharing that the fact that something we’ve been working on for a few months now and really bringing together everything that has to do with the CDR from the runtime and the CNAPP from Prisma Cloud and combining that together to form what we call that open platform notion of bringing in third parties as well.
And for us to be that platform of choice, bringing in together all those pieces, stitching the information together to be able to then bring that holy grail of security, that best outcomes of each and every one of the pillars that we have as part of our code to cloud to runtime to SOC. I think that is what is really going to change the way security is done for organizations.
[David Spark] Well, I want to ask you a question. You worked on this for a while, and it seems quite unique what you’re doing here. What has been like the big eye-opening moment of this platform that you saw? Like, “Oh, this is what everyone really needs to know.” Like once this is in place, you can start doing this.
What is that thing that you saw?
[Elad Koren] There’s a huge aha moment when you understand the things you’ve been doing for a very long time, either in cloud posture or cloud runtime, and you’ve done them separately, siloed. You thought you did the best job that you could. The big aha moment is when you first realize that that power of the platform, bringing in so many data sources, being able to fully stitch them together, that is where you can have a super synergetic motion where runtime is 10 times more efficient and more quick to respond.
Posture is 20 times more efficient and you’re able to actually address more issues and cover more things. So you’re much more secure and your risk level is so, so much lower. That is the power of the platform. That is the aha moment. That is how organizations need to start doing things.
[David Spark] All right. So, our audience, please go check it out. We’ll have a link to it on our blog post. Remember, paloaltonetworks.com/cortex/cloud, and you can find it. Please, please go check it out. It does sound pretty darn cool. Thank you very much, Elad. Thank you very much to our audience as well.
We greatly appreciate you contributing to our show and listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.