One of the most common questions we get from CISOs — and CIOs — is whether they should accept vendor consolidation and add more Microsoft to their security stack or do everything in their power to fight against it. For the last few months, we’ve spoken to those leaders via inquiries, guidance sessions, and research interviews to discuss this exact issue. This research culminated in the release of our report, The CISO’s Guide To Microsoft Investments.

This report delves deep into CISO and CIO sentiment about Microsoft as a vendor and, most importantly, how those leaders manage vendors with product lines and reach as vast as Microsoft’s.

Some of the key takeaways from the report (with plenty more in the full report for Forrester clients!):

  • Escape is impossible. Whether it’s based on name recognition, partnerships, cloud, productivity suites, laptops, video game consoles, or any other reason you can think of, questions like “Why not just do more with Microsoft?” will come from finance, business line leaders, and your board. The way you answer this question matters, and the answers can’t be personal or technical. The answers have to be financial and backed up with evidence.
  • Microsoft is a legitimate security vendor. Since 2021, Microsoft has been evaluated against its competitors in several Forrester Wave™ evaluations, earning Leader positions in several of them. The argument that “Microsoft isn’t a real security vendor” won’t hold water.
  • Breaches don’t matter. Plenty of security vendors want to fire up a DeLorean and take us back to the early 2000s as they clutch their pearls about this Microsoft vulnerability or breach. CISOs care. Some CIOs care. CFOs, CEOs, and boards don’t care, especially in this economic environment. Besides, everyone is a consumer of — and a business partner with — a company that’s had a breach by now. This doesn’t move the needle, and the trope is as tired as it is ineffective.
  • But size often does. We heard from CISOs and CIOs that the sheer enormity of Microsoft often works against them in the form of inconsistencies across account teams and sales processes, especially with RFPs, product names, and included functionality. The resulting confusion opens the door for smaller competitors to provide the focused attention needed to help leaders make a solid business case for retention of — or investment in — their preferred products.
  • Fear leads to anger, anger leads to hate, and hate leads to … di$count$. Whether a CISO really wants to go with more Microsoft or not is kind of unimportant. Savvy CISOs, CIOs, finance leaders, and procurement teams can come together and use the overwhelming, existential dread Microsoft instills in its competitors to squeeze out discounts and deferred payments from them.

Microsoft isn’t the only security vendor pursuing a consolidation strategy. Plenty of others are too. But few of those vendors have the same reach across the enterprise that Microsoft does with as many lines of business. This report is designed to help security leaders pick their battles when it comes to this tech — and security — mega-vendor.

Forrester clients with questions should request a guidance session or inquiry with me or my colleague and co-author Jess Burn to discuss in detail.