Close this search box.

We Need to Talk: Breaking up with Your SIEM Vendor

Relationships are challenging at times.

Think of it like a seesaw. Like in a seesaw, every relationship, be it with your partner, a family member, or a friend, requires effort from both sides to keep it balanced and healthy. But what happens when one person pushes while the other is just along for the ride? That’s when the seesaw tips and the relationship can turn sour.

Breaking Up with Your SIEM Vendor

Many security leaders are currently pushing in an unbalanced relationship, and their SIEM vendor is just along for the ride. However, like many personal relationships that go on longer than they should because of the actual or perceived difficulty in ending it, security leaders might hesitate to talk with their SIEM vendor.

I get it; you spent months getting the product implemented and integrated into your security ecosystem.

You invested in training the team on the product and built workflows and playbooks around this product.

You might even like your sales rep and customer support person, so you are okay with the constant delays in new product features, lack of out-of-the-box integrations, and shortcomings in automation.

But while you put up with a lot from your SIEM vendor, your team’s frustration grows with each passing day. Holding out hope that your SIEM vendor, who has let you down repeatedly, will suddenly change their ways is only hurting you and your team’s ability to protect your environment. If this sounds like you, now is the time to break up with your SIEM vendor.

Here are three tips to make this breakup as painless as possible and help you build a healthier relationship with your next security operations platform vendor.

1. Bring Receipts

Before initiating your SIEM vendor breakup, gather your “receipts” showing how your vendor failed to meet your needs. These receipts might include:

  • Email conversations where your vendor promised a feature or bug fix that never materialized.
  • Feature requests submitted to your vendor left in no-man land.
  • Open support tickets with little to no movement from the vendor.
  • Integration needs that were denied or put into a backlog never to be dealt with.

While it’s your right to end your SIEM vendor relationship anytime, bringing receipts to this uncomfortable conversation will show your vendor that you have good reasons to leave.

2. They Will Try and Win You Over - Remember Why You Need to Leave

Just like in a personal relationship, when the vendor realizes that you are serious about moving on, they will try to convince you that they can change. They may offer meetings with high-level executives, improved support plans, or discounts on your next renewal.

Remember why you decided to move on before being swayed by these last-ditch efforts and play the relationship forward in your mind. While things might improve in the short term, will they change in the long term? Probably not, but let’s give them the benefit of the doubt and say they put more effort into the relationship going forward. In the back of their mind, each time you make a support call or meet with your sales representative, they will think about how you threatened your way to more attention.

Any vendor worth working with would not be blind-sided by a customer notifying them they are leaving. They would have seen warning signs way before now. You’ve decided to move on for good reasons, so don’t fall for the “I can do better” song and dance.

3. Find Your New Vendor First

Before kicking your current SIEM vendor to the curb, you must know where you will land. When finding your new SIEM/Security Operations Platform vendor, make a short list of must-haves and not-wants. Your list might look something like this:

  • Must Haves
    • Coverage for my top security use cases
    • Be deployable in my chosen environment (cloud, on-prem, or both)
    • Use a specific technology (such as AI, automation, etc.)
    • Supports my security stack products out-of-the-box
    • Provide on-demand training
    • It doesn’t charge for new integrations
    • And anything else you cannot live without
  • Not-Wants
    • Limited integrations
    • Difficult to use interface
    • Too many manual processes
    • Opaque roadmap
    • And anything else that would be a deal breaker

Given the recent tumult in the SIEM market, it is wise to understand the company’s strategic vision for the next 3-5 years. While there is no guarantee any vendor you select might not be the next one to announce a merger or acquisition, having a brief conversation on this topic at least lets the potential new vendor know that you are taking the process seriously.

Closing Thoughts

Ending a relationship is never easy, especially if it has gone on for years. That said, just because something is difficult does not mean it isn’t for the best. Do yourself and your team a favor; if you are in a dead-end SIEM vendor relationship, take steps now to take control of your security future. Contact us to set up a personal consultation today to see how Stellar Cyber and our Open XDR Platform have helped many security teams move on from a toxic SIEM vendor relationship.

Also, if you are one of the unlucky organizations caught up in the recent SIEM chaos, we have special offers to help you transition to Stellar Cyber.