In Cybersecurity, is Bigger Better?

You’ve been driving all day and could use a meal. You exit the highway and end up in a small town with just one main road. Along the road there’s a Wendy’s, and what appears to be a small restaurant. These seem to be your only two options. Which will you choose?

On one hand, Wendy’s is a trusted entity, with quality control and name recognition. The small restaurant is riskier–you won’t really know what you’re getting until you get it. However, the restaurant staff are more likely to cook you better, fresher food than what’s available at a fast food chain.

(Image source: Michelangelo’s “David and Goliath”;

Are you the type of person who values certainty, or care?

Palo Alto Networks is a corporation that sells firewall and cloud-based cybersecurity solutions. But that’s hardly a comprehensive description. They serve over 60,000 clients in over 150 countries, including 85 Fortune 100 companies. Last year, Forbes ranked them as the eighth biggest tech company worldwide, above the likes of Adobe and Tencent.

In short, Palo Alto is a hugely successful, trusted name brand. It’s why even the smallest breach of their security last week constituted a major public relations incident.

It began with a former employee, who leaked to the press that personal information from seven past and present Palo Alto employees had been exposed online. The company then confirmed the story to Business Insider. According to the report, it was a third-party vendor that was responsible for the incident. Palo Alto chose not to expose the identity of that vendor, but they did cut ties.

All things considered, the damage done in this one leak was miniscule. And one can hardly blame Palo Alto itself for a security breach of one of its many smaller vendors. But the incident does demonstrate one of the natural pitfalls in large-scale cybersecurity, and raises the question:

Is a bigger cybersecurity company necessarily better?

The advantages of having an international corporation handle your security are clear. Big companies have brand recognition, and reputations to uphold–an organic incentive to do right by their customers. Big companies also tend to have well-established products, effective quality control, and long histories of good service that led them to becoming industry leaders in the first place. If you’re dealing with a company that services 85 of the world’s 100 biggest companies, you can be pretty certain that you’re in good hands.

However, there is one distinct disadvantage to being a large organization in cyberspace. Palo Alto is like a giant cobweb, with tens of thousands of clients, thousands of employees and dozens of partners. Each of these entities represents a means for information to get in and out of the company’s systems, and therefore, each of these entities represents a potential security liability. As the saying goes, you’re only as strong as your weakest link–a company is only as secure as the weakest entity with access to its sensitive systems. Even the largest, most well-resourced companies may not have the time or money to diligently, uniformly secure all of their smaller partners.

The underdogs don’t have this problem. Fewer clients and fewer employees means fewer potential paths for something bad to enter, or something important to leak out of company systems. One might argue, too, that by having fewer clients, a smaller firm must put more stock in each individual client. The contractor responsible for Palo Alto Networks’ breach probably played some tiny role in the company’s expansive, multinational business. A vendor for a small cybersecurity firm will represent a much bigger and more valuable slice of that firm’s business. Therefore, the firm will be inclined to spend more time and attention on that relationship–by offering a more personalized service, being faster to respond to any problems that may arise, and so on.

The downside to smaller security firms is that they possess less of a track record, and therefore offer less certainty to new clients. Just about every company on the market is safe, but not all of them are equally good at what they do. It requires a bit of extra research on the part of any potential client, to ensure that they’re doing business with a solid brand.

Ultimately, there is no single answer as to whether bigger or smaller cybersecurity firms are superior, because each offers its own advantages and drawbacks, and different clients will have different priorities. For some, seeing a logo you recognize in a town you’re unfamiliar with is a source of great comfort. For others, it’s that personal touch that’ll get you going.


About the author: 
Nathaniel Nelson writes the internationally top-ranked “Malicious Life” podcast on iTunes, hosts programs on blockchain and SCADA security, and contributes to AI and emerging tech blogs.