The cybersecurity threat landscape seems to shift on a weekly basis, and the marketplace has responded aggressively to the ever-growing challenges enterprises face.
Most early cybersecurity products focused on narrow, network-oriented use cases. As cyber threats have grown in sophistication and scope, however, vendors have adapted in kind. Security tools and services have now evolved to address use cases across the digital ecosystem, including identity and access management, email security, cloud security, edge security, secure remote access, endpoint security, threat intelligence, SIEM and more.
These industry advances have resulted in a collision between legacy markets and new security apps -- leading, in turn, to increasing consolidation among security vendors and technological convergence among products and services. While many security teams -- tired of wrestling with tool sprawl and a plethora of providers -- will likely welcome cybersecurity consolidation, they must also consider how it will affect their purchasing strategies.
Consider zero-trust network access (ZTNA), for example. Customers can still buy standalone ZTNA products and services, but a growing number of vendors now package the technology within broader, multifeature Secure Access Service Edge or security service edge platforms. Without a clear strategic vision for its cybersecurity portfolio, an organization risks deploying overlapping tools and services, wasting resources and supporting unnecessary technological complexity.
Cybersecurity consolidation drivers
Consolidation is only natural when markets evolve, and it generally happens because one company acquires another with one of the following two goals:
- to expand market share -- i.e., purchase a competitor, along with its technology and customers; or
- to expand into a new market -- for example, from networking to security, by purchasing an established player, along with its technology and customers.
Both motivations have driven recent cybersecurity consolidation activity, with vendor acquisitions occurring on almost a monthly basis over the past decade. Dozens of major deals closed in 2022 alone, including Palo Alto Networks' purchase of Cider Security, Google's acquisition of Mandiant, Snyk's purchase of Fugue and Cloudflare's acquisition of Area 1 Security.
1. Expanding market share
Small, nimble companies with venture capital backing are often best able to develop innovative capabilities in emerging markets. Large, established companies, on the other hand, frequently find it easier to purchase new capabilities -- via startup acquisitions -- than build them from scratch.
For instance, in the early 2000s, Fidelis Cybersecurity developed new technology it called extrusion prevention -- what most of the industry now refers to as data loss prevention (DLP). In 2012, General Dynamics acquired Fidelis to augment its existing cybersecurity capabilities with the then-new DLP technology. Today, a number of vendors package DLP functionality within broader offerings, such as cloud access security broker (CASB) platforms.
The CASB market, in turn, experienced dramatic consolidation shortly after the technology's inception. In 2017, TechTarget Editorial reported a spate of acquisitions that left relatively few standalone CASB service providers.
More recently -- returning to the ZTNA example -- several large vendors have acquired zero trust-oriented startups to bolster their existing offerings. In 2020, Barracuda acquired Fyde, and Fortinet acquired Opaq Networks. In 2022, Juniper Networks acquired WiteSand, Johnson Controls bought Tempered Networks and SentinelOne acquired Attivo Networks.
2. Expanding into a new market
In other cases, nonsecurity corporations see acquiring security vendors as a means of entry into a lucrative market. This type of acquisition typically leads to less technological convergence, as the acquirer's primary goal isn't to add new technology to an existing platform or product suite.
In 2006, for example, server and storage vendor EMC Corporation -- nine years before it would itself undergo an acquisition by Dell -- purchased RSA Security. Under EMC's ownership, RSA continued to function largely as an independent security company.
The future of cybersecurity consolidation
Security vendor consolidation will continue to accelerate in the coming months and years. Expect to increasingly see previously standalone point security technologies become part of comprehensive, multifeature platforms and product suites.
Anticipate also, however, that new technologies and point tools will keep proliferating, especially in the following areas:
Further down the road, once IoT's presence becomes more ubiquitous, new products and services will also emerge to combat the inevitable criminal exploitation of these environments.
Many still-to-come security tools will lean on technologies such as AI, machine learning, behavioral analytics and automation.
How to prepare for cybersecurity consolidation in the enterprise
To prepare for future cybersecurity consolidation as a security leader, consider the following:
- Security architecture. First, focus on developing a modern, standards-based security architecture that centers on zero-trust principles. This provides a high-level framework for building out the cybersecurity portfolio strategically, strengthening the security posture and adapting to future market convergence with relative ease.
Of course, most organizations need to take the long view, as few have the luxury of abandoning their current security stacks and implementing fully zero-trust environments overnight. Rather, flesh out the ideal security architecture as a reference point, and then work toward it incrementally, as resources and circumstances permit. New threats will inevitably emerge along the way, which might necessitate unforeseen investments in relevant point tools.
- Processes. Develop and optimize repeatable, well-documented processes that reflect the security function's high-level strategic vision and align with industry best practices. Train staff in these processes so they clearly understand the specific actions they should take in the event of any given security incident.
- People. Assess the human element, and determine which tasks must happen in-house and which the security program could outsource. Even as technology continues to improve, people remain the critical link -- and Achilles' heel -- in building secure business environments. Employees who have solid training in sound processes will always be the most important and effective asset in supporting company security policies.
- Technology. Finally, to sort through the sea of available products and services, ask which ones would best accomplish the following:
  - align with the organization's vision for a zero-trust security architecture;
  - align with the organization's risk appetite;
  - address vulnerabilities without creating unnecessary technological redundancy; and
  - complement the existing security stack.