Three types of consolidation in cybersecurity, and how monopolization and commoditization are shaping the industry of tomorrow
Taking a deeper look at the topic of consolidation, explaining what the different types of consolidation are, what this means for the industry, and why we are unlikely to end up with one or two tools
Over 1,700 copies of my best selling book “Cyber for Builders: The Essential Guide to Building a Cybersecurity Startup” have been delivered by Amazon so far. This book is unique as it talks about building cybersecurity startups. It is intended for current and aspiring cybersecurity startup founders, security practitioners, marketing and sales teams, product managers, investors, software developers, industry analysts, and others who are building the future of cybersecurity or interested in learning how to do it.
Note: this article was written a few weeks before the PANW update and all the discussions about platformization it spurred. The piece has not been edited after and I believe it remains as relevant today as it was before.
Over the past several years, I have been discussing the complexity, nuances, and intricacies of the cybersecurity industry. In the process of doing it, I observed what I would call cybersecurity’s form of Godwin's law: “As an online discussion about cybersecurity grows longer, the probability of someone suggesting that the industry is going to consolidate approaches 1”.
“The market is consolidating” - that’s what people say regardless of the problem at hand. Be it the emergence of a new attack vector that needs to be secured, the rising number of tools security teams have to rely on, or the impact of the economic downturn on cybersecurity, to name a few, consolidation appears to be an obvious, imminent, and in the minds of many people, inevitable answer to our problems.
In this piece, I am offering a deeper look at the topic of consolidation, explaining what the different types of consolidation are, what this means for the industry, and why we are very unlikely to end up with one or two big vendors that can centralize all of security anytime soon.
Defining the term: types of consolidation in cybersecurity
When people say the word “consolidation”, they usually mean a market trend that leads to a reduction in the number of security tools. In simple words, “We have too many security products, and that’s just not sustainable. The market will consolidate, and we will end up having fewer tools”. This, however, is a great oversimplification of reality, and taking this angle doesn't help us understand what is actually happening.
There are three types of "consolidation" happening in cybersecurity: industry consolidation, spend/tool consolidation, and platformization. Each of these three trends is somewhat independent, yet all three are fully interconnected.
Industry consolidation in cybersecurity
Industry consolidation: fundamentals
Industry consolidation is seen when large companies buy small startups to expand their portfolios, add new revenue streams, and solve a broader list of problems. It is this type of consolidation that is the main driver of the mergers and acquisitions (M&A) activity in the industry.
The M&A activity in cybersecurity has always been strong. A critical factor that leads to consolidation is the expectation of public markets that large corporations will continue expanding and growing their revenue. Since the incumbents have well-established distribution channels, they possess an ability to simply plug new products and features into their existing systems and start selling. All they need is a product they can package and sell that is both in demand and complementary to the company’s other offerings.
As I have previously discussed, another important reason for industry consolidation is that cybersecurity innovation is most often bought, not developed in-house. The pace and the areas of cybersecurity innovation are set by the offense, and it is neither financially viable nor possible for security enterprises to confidently predict what new areas will be relevant decades from now and build expertise in those areas in advance. To remain relevant, large companies have to look outside, continuously acquiring new capabilities and hiring the best teams, offering great exit opportunities for savvy founders, and subsequently encouraging the creation of more point solutions.
Industry consolidation is a continuous, linear process
Industry consolidation is a continuous state of the field, not a process that will be completed in a few years and lead to fewer cybersecurity companies. While the market categories known today will consolidate, resulting in more M&A and fewer players, new threats will continue to emerge, and with them new point solutions, new market categories, more consolidation, new categories, and on and on and on.
The industry consolidation trend is uni-directional: multiple companies merge into one, but not the other way around. This means that if no other factors were at play, after a sufficiently long time we would be destined to end up in a place with only a few large players. The reality, however, is that the number of new entrants every year is higher than the number of M&A transactions, leading to a situation in which the industry is consolidating but the number of vendors continues to grow. In one of my past articles, I explained why we need more startups and venture capital in cybersecurity, and what needs to change for the industry to mature.
Perils of industry consolidation
While most security leaders and practitioners tend to see the cybersecurity industry consolidation as a good thing, there are some downsides. I will be discussing select aspects of this later in the article. Here, I will just say that fewer vendors naturally lead to oligopolies and even monopolies, which isn’t great for buyers, who are faced with vendor lock-in, high prices, outdated tech stacks, and other challenges commonly seen in markets with low competition.
It is worth being clear that industry consolidation is not the same as platformization (the creation of platforms). Some acquirers choose not to deal with integrating multiple tools into one cohesive experience, and many of those who do see the creation of platforms as part of their strategy fail to execute and end up assembling monstrosities of outdated and disjointed tools.
Spend/tool consolidation in cybersecurity
Spend/tool consolidation: fundamentals
Spend/tool consolidation is seen when security teams are looking for ways to reduce the number of tools. Large enterprises feel the pain of having to maintain and integrate a large number of security products the most. It is not uncommon to see cases when the security stack grows so big and complex that just maintaining a compliant CI/CD pipeline becomes a 5-10-person job. There are tens of different tools to test, integrate, debug, and maintain, and each of those changes every year or two, requiring people to start the cycle all over again.
The main drivers of spend/tool consolidation are cost savings and coverage de-duplication. When the budgets get tighter, security teams are expected to accomplish more with fewer resources, which forces them to become better at optimizing and rationalizing their security stack. This includes reviewing the capabilities of their existing vendors to see where they could solve additional problems and eliminate the need to introduce new small, granular solutions, renegotiating contracts, and reducing the number of vendor relationships. Extracting as much value as possible from the existing security stack is critical because many of the known security breaches could have been prevented with the solutions customers already paid for, if only they were properly configured, kept up to date, and if the customers knew about all the capabilities their vendors offer.
A subset of the spend/tool consolidation trend is bundling, a strategy by large players (most notably, Microsoft) that incentivizes security leaders to move to platforms like 365 E5, saving security budget and accessing security capabilities at a discount in exchange for larger IT contracts.
Spend/tool consolidation is a continuous, cyclical process
Spend/tool consolidation is a continuous, cyclical process. When new attack vectors and problem areas emerge, customers have no choice but to adopt the innovative best-of-breed solutions offered by startups, regardless of how granular they might be. This causes security stacks to expand to the point where security teams are forced to reevaluate their vendors and find a way to reduce the number of tools. As new problem areas become demystified and better understood, what once required a separate vendor becomes a small feature of a larger platform (this process is accelerated by the industry consolidation and M&A activity).
At the same time when some products are being consolidated, new problem areas emerge, forcing security teams to buy more tools and kickstart this cycle all over again.
Perils of spend/tool consolidation
Although spend and tool consolidation generally leads to positive outcomes, helping companies reduce technical complexity (and therefore attack surface), eliminate duplicated coverage, and cut the number of vendor relationships, to name some, there are trade-offs.
Two of the most notable downsides of spend/tool consolidation are vendor lock-in and situations when the companies have to settle for average solutions instead of best-of-breed tooling. As the number of vendors a security team relies on decreases, the power of each individual partner increases, and so does their ability to force the customer into a lock-in, getting them to agree to strict contract terms, increasing prices, and so on. Additionally, tool consolidation can cause security leaders to sacrifice quality to lower the complexity of their stack, and ultimately settle for less effective tooling from platform vendors.
It is worth noting that reducing the number of vendors doesn’t necessarily result in fewer tools and that buying many products from one company doesn’t necessarily decrease technical complexity. Vendors that assembled their platforms via M&As instead of building them as one solution from the ground up, and companies that scooped up a large number of point solutions without even trying to integrate them, can cause as much (and frequently more) pain as working with many companies.
Platformization in cybersecurity
Platformization: fundamentals
Platformization is seen when large vendors are working to assemble security platforms. Unlike industry consolidation, the focus isn’t simply on owning a broad set of disjoint tools but on integrating them into a platform. Moreover, platformization and industry consolidation are not necessarily related:
Companies can buy small startups without integrating them into a platform.
Companies can build large platforms in-house or primarily in-house, without heavily relying on M&As.
Platformization is a unidirectional, strategy-led process
Platformization is a natural response to several factors:
Security vendors are adding new products and capabilities to their portfolios, be it by building them in-house or through M&As.
Security teams are looking for integrated, cohesive experiences as opposed to having to deal with tens (and even hundreds) of disjoint solutions.
Platformization is a unidirectional and vendor-led process. This means that unlike spend/tool consolidation, which is cyclical in nature, security vendors are moving in one direction, typically adding more capabilities to their platforms. Moreover, platformization requires the vendor to embrace a specific strategy and a certain way of building products. Because, as I have discussed, companies can buy small startups without integrating them into a platform, vendors pursuing platformization need both the willingness and the ability to connect different tools into one experience.
Perils of platformization
Platformization comes at a cost. As I explained in one of my previous articles, “... any monolithic platform becomes less secure as it grows in size. People who had an opportunity to work with a large legacy platform, be it SAP, Salesforce, or Workday, know that the bigger the platform, the less efficient it becomes. Moreover,
Large platforms drown in technical debt.
Large platforms have poor support channels.
Large platforms become insanely hard to implement, especially in fields that require customization.
Large platforms are expensive because most customers are paying for a multitude of features they will never use.
Large platforms are expensive because the deeper they become embedded into the customer’s workflows and the more areas they cover, the harder it becomes to switch and the more power the platform vendor has over the buyer.
Last but not least, the larger the platform, the bigger its surface area, and the more vulnerabilities it ends up introducing. To top it off, bad actors find it easier to focus their efforts on poking holes in one single tool which unlocks all doors, thus leading to the situation when the biggest security products may also become the most insecure single failure points.”
To understand what customers can expect from a platform, one needs to first understand how this platform was built. Platforms built by the same vendor from the ground up are much more robust, integrated, and scalable, and they offer a unified experience. On the other hand, platforms that have been stitched together from acquired companies before their technology had the chance to mature introduce a wide variety of challenges:
Different components of the same platform may be built using different technologies and therefore are not scalable and not interoperable.
Different components of the same platform may have their own limitations or behave in unique ways that are inconsistent with the rest of the product.
Platforms assembled from product acquisitions tend to have larger amounts of technical debt, and with that, a larger total cost of ownership.
In general, security platforms assembled by stitching together a large number of separate startups that were built without a cohesive strategy to work together rarely deliver the integrated experience buyers expect.
For anyone interested in learning more about the trend of platformization, I highly recommend this article from Claude Mandy, a deep dive by Cole Grolmus, or this piece by Adrian Sanabria.
Every industry trends towards monopolization
There is this image that has been floating around the internet illustrating what happened to the defense industry and how it went from a large number of small vendors to a few large conglomerates.
Image source: Defense Industry Consolidation, Anduril
This graph appears to be over 20 years old, so I would not rely on it to understand the state of the market today. That said, it illustrates the overall direction quite well.
Here is how Packy McCormick explains what happened in the defense industry: “M&A is not a novel concept in the defense industry. Its modern structure is defined by the consolidation that emerged from “the Last Supper,” a 1993 dinner at which Deputy Secretary of Defense Bill Perry told the CEOs of the largest defense contractors that the military would be spending less money going forward and urged them to consolidate. They did. Dozens of smaller defense contractors became five Defense Primes: Lockheed Martin, Boeing, Raytheon, Northrop Grumman, and General Dynamics.”
Will cybersecurity follow a similar path and become monopolized? It is hard to answer this question definitively.
The US government understands that it needs to do whatever is in its power to defend the nation’s economy and critical infrastructure. In practical terms, this could mean giving a blanket go-ahead to large players such as Google, Cisco, Palo Alto, and CrowdStrike, to name a few, to buy whatever companies they need to strengthen their capabilities. If it comes to the nation’s security being at stake, it is highly unlikely that the Federal Trade Commission is going to block a merger even if there were some antitrust concerns. While this is nothing but speculation, one can see how that would make sense. While competition and a healthy market economy are great, it remains to be seen whether, in the eyes of the government, they would be more valuable than the nation's security. Cybersecurity’s equivalent of “The Last Supper” could kick-start a trend that leads to massive market consolidation within a decade or less. However, it’s unlikely that the actions of the government would push cybersecurity to rapidly consolidate the way it happened in defense.
Another good example of industry consolidation comes from the pharmaceutical industry.
Source: M&A: Fundamental to Pharma Industry Growth
There are indeed people who use the example of biotech and big pharma and suggest that cybersecurity is going to follow the same path. The arguments in favor of this idea are rather weak because they miss the main reason why big pharma had to consolidate. “The single most important driver for changes in the pharma industry is the ever-increasing cost of drug development. Most companies can no longer afford to carry out R&D to find innovative compounds. The most-quoted study of drug development costs states that on average, the development of a new drug—a new active pharmaceutical ingredient (API)—costs around $1.4 billion if pipeline failures are factored in. It usually takes ten years from synthesis to approval, thus $1.2 billion in capital costs accrue to the figure below, which results in an average total cost of $2.6 billion to develop a new drug. One fundamental reason behind the growing costs is the advancement of medicine. To create value, new drugs need either to solve a problem that has previously been intractable, or be significantly better than what already exists on the market. The other driver for the development costs is the ever-increasing regulatory requirements.” - Source: What Drives Mergers & Acquisitions in the Pharma industry?
Needless to say, cybersecurity is nowhere near as capital-intensive as the pharma industry. Research and development in security costs money, but we are mostly talking about the cost of talent and infrastructure, which are much more cost-effective compared to pharmaceuticals.
Another example of consolidation that keeps popping up in discussions is banking.
Source: The Making of the “Big Four” Banking Oligopoly in One Chart
The drive for operational efficiency, government regulation, and ambitions for business expansion are among the factors that have led to the consolidation of US banking. As Jeremy Kress, Assistant Professor of Business Law, at Ross School of Business, explains, “Three distinct waves of bank mergers have contributed to the rapid consolidation of the U.S. banking sector. First, in the 1980s and 1990s, policymakers repealed longstanding geographic restrictions that had limited banks to operating within a single state. Once banks were allowed to expand across state lines, many merged with lenders in neighboring states, creating a cohort of larger, regional banks. Next, banks began to grow not only in size but also in scope. In 1999, the Gramm-Leach-Bliley Act eliminated Great Depression-era restrictions on activities like investment banking and selling insurance. Many banks expanded into these new activities through mergers, such as Citicorp’s acquisition of Travelers Insurance Company and Chase Manhattan Bank’s combination with investment bank J.P. Morgan. The third wave of bank mergers began during the 2008 financial crisis, when several financial giants acquired failing firms, often with government assistance. JPMorgan Chase acquired Bear Stearns and Washington Mutual, Bank of America absorbed Merrill Lynch and Countrywide, and Wells Fargo merged with Wachovia. These crisis-induced mergers created the behemoth financial conglomerates that dominate the U.S. financial sector today.”
The cybersecurity industry doesn’t appear to share the same fundamentals as banking: it is largely unregulated and geography-agnostic, and, as a software industry, it can already take advantage of large operational efficiencies.
I could list many other industries here, from food and beverage to automotive, oil and gas, and others. It does seem like all (or most) industries tend to move towards consolidation, and there is evidence that backs this hypothesis. Back in 2002, in Harvard Business Review, Graeme K. Deans, Fritz Kroeger, and Stefan Zeisel published a piece titled “The Consolidation Curve”. The article, written as a summary of a study of 1,345 large mergers completed over the 13 years prior to the publication date, argues that once an industry forms or is deregulated, it will move through four stages of consolidation.
Source: The Consolidation Curve
I highly recommend this short article to anyone looking for a framework to help understand how industries consolidate. Based on my observations, different market segments in cybersecurity are currently at different stages of the curve, with the vast majority being between stage one (opening) and stage two (scale).
Several factors are driving the monopolization of cybersecurity, including:
Although there are few barriers to starting a security company, there are significant barriers to growth. Large incumbents benefit from strong distribution channels (both direct and via channel partners) while new entrants struggle to get buyers to take notice.
There is a limited number of buyers for cybersecurity tools. Although we like to say that “security is everyone’s problem”, the reality is that most cybersecurity companies are targeting the same several thousand large and mid-size companies.
The buying process in cybersecurity is heavily reliant on trust. This, combined with the fact that it takes a long time to build trust, explains why it is much easier for companies to upsell their existing customers than it is to make the initial sale to new prospects.
A large percentage of the cybersecurity companies are venture-backed. Venture capital creates an expectation that companies will exit within five to ten years; if they cannot go public, the goal is to get acquired. Most market segments in cybersecurity are too small for building a public company, hence the vast majority of successful exits are M&As.
Customers are trying to consolidate their spending and reduce the number of vendors.
There is probably no reason why, over the long term, the cybersecurity industry would not follow a similar path and become a highly consolidated and likely oligopolistic market. That said, we cannot easily predict what that will look like, since there are too many factors that could impact who survives and who will fade away and disappear from the industry market maps the way many market leaders did before them. Moreover, the cost of getting a “good enough” tool can sometimes be too high, so buyers in cybersecurity are forced to look for innovative ideas, and that means buying from innovative startups. Many of these startups will eventually get bought by large players, but we are already used to this cycle.
Antitrust researchers generally deem markets “tight oligopolies” if the top four firms control more than 60% of the market. As of today, cybersecurity is not quite there, but if the current trend continues, we are likely to end up in a world where it will be controlled by a few players quite soon. It doesn’t help that many early-stage startups with great products are struggling to stay in business, and can now be scooped up for cheap by cash-rich incumbents.
The irony is that while most people in cybersecurity are rooting for industry consolidation, the same security leaders often dislike vendor lock-in, long-term contracts, mandatory minimums, and the absence of innovation. Consolidation reduces the number of tools, but it also leads to monopolization and the creation of oligopolies which erect significant barriers to entry, keeping startups built by passionate innovators from becoming competitors.
Every product category trends toward commoditization
Sometimes, what people refer to as industry consolidation is actually one of the many facets of commoditization. Commoditization is a process in which a product or a group of products becomes a commodity, losing its unique characteristics and becoming interchangeable with other products in the same category. Commoditized products all look the same, cost the same, and perform the same.
The following are some of the factors that create conditions for commoditization in cybersecurity:
In many market categories, a large number of competitors are all going after the same markets with similar offerings.
Companies in the industry struggle to differentiate and explain how their solution is better than any other in their category, instead relying on the same marketing language.
Buyers find it hard and often impossible to test and empirically validate the claims of different vendors.
The need to innovate to keep up with the adversary causes security companies to quickly add new ideas, capabilities, and approaches to their products to match the offerings of their competitors. This causes companies to start offering products that look more and more similar.
The existence of different standards, frameworks, and best practices calls for standardization of technology, and with that, the lines between different products and services are constantly blurring.
What keeps most of the cybersecurity industry from commoditization is the fact that buyers find it hard to find, make sense of, and easily compare pricing, get access to products, and understand different product attributes.
Once the market category is commoditized, buyers become increasingly comfortable with platforms, or best-of-suite solutions. Moreover, the product or capability becomes just a checkbox that has to be ticked during the buying process.
A good example of a product that became fully commoditized is antivirus (AV). In 2024, few customers care about which vendor is powering the AV their company is using, and even fewer would be looking to buy a best-of-breed antivirus. This is exacerbated by the fact that many commercial endpoint detection and response (EDR) and other vendors are simply reselling the same generic third-party AVs, rebranding them as their own, and a large number of security practitioners agree that Windows Defender is good enough.
Closing thoughts
Cybersecurity consolidation isn’t “coming”: it started the moment the first security company emerged, and it will continue for as long as we have new entrants in the space, or until security is re-absorbed by other areas of technology. There are different types of consolidation, and consolidation is overlaid with other trends such as monopolization and commoditization. It’s important to remember that the industry is complex, and anyone trying to reduce the evolution of the whole field to one trend, be it consolidation or something else, either doesn’t understand the dynamics in the space or has an agenda, most likely to sell a new tool.