What cybersecurity consolidation means for enterprises

Cybersecurity consolidation drivers

Consolidation is only natural when markets evolve, and it generally happens because one company acquires another with one of the following two goals:

1. to expand market share -- i.e., purchase a competitor, along with its technology and customers; or
2. to expand into a new market -- for example, from networking to security, by purchasing an established player, along with its technology and customers.

Both motivations have driven recent cybersecurity consolidation activity, with vendor acquisitions occurring on almost a monthly basis over the past decade. Dozens of major deals closed in 2022 alone, including Palo Alto Networks' purchase of Cider Security, Google's acquisition of Mandiant, Snyk's purchase of Fugue and Cloudflare's acquisition of Area 1 Security.

Consolidation and convergence in the cybersecurity market will continue to accelerate in the coming months and years.

1. Expanding market share

Small, nimble companies with venture capital backing are often best able to develop innovative capabilities in emerging markets. Large, established companies, on the other hand, frequently find it easier to purchase new capabilities -- via startup acquisitions -- than build them from scratch.

For instance, in the early 2000s, Fidelis Cybersecurity developed new technology it called extrusion prevention -- what most of the industry now refers to as data loss prevention (DLP). In 2012, General Dynamics acquired Fidelis to augment its existing cybersecurity capabilities with the then-new DLP technology. Today, a number of vendors package DLP functionality within broader offerings, such as cloud access security broker (CASB) platforms.

The CASB market, in turn, experienced dramatic consolidation shortly after the technology's inception. In 2017, TechTarget Editorial reported a spate of acquisitions that left relatively few standalone CASB service providers.

More recently -- returning to the ZTNA example -- several large vendors have acquired zero trust-oriented startups to bolster their existing offerings. In 2020, Barracuda acquired Fyde, and Fortinet acquired Opaq Networks. In 2022, Juniper Networks acquired WiteSand, Johnson Controls bought Tempered Networks and SentinelOne acquired Attivo Networks.

2. Expanding into a new market

In other cases, nonsecurity corporations see acquiring security vendors as a means of entry into a lucrative market. This type of acquisition typically leads to less technological convergence, as the acquirer's primary goal isn't to add new technology to an existing platform or product suite.

In 2006, for example, server and storage vendor EMC Corporation -- nine years before it would itself undergo an acquisition by Dell -- purchased RSA Security. Under EMC's ownership, RSA continued to function largely as an independent security company.

The future of cybersecurity consolidation

Security vendor consolidation will continue to accelerate in the coming months and years. Expect to increasingly see previously standalone point security technologies become part of comprehensive, multifeature platforms and product suites.

Anticipate also, however, that new technologies and point tools will keep proliferating, especially in the following areas:

• multi-cloud security
• secure remote access
• zero-trust security

Further down the road, once IoT's presence becomes more ubiquitous, new products and services will also emerge to combat the inevitable criminal exploitation of these environments.

Many still-to-come security tools will lean on technologies such as AI, machine learning, behavioral analytics and automation.

How to prepare for cybersecurity consolidation in the enterprise

To prepare for future cybersecurity consolidation as a security leader, consider the following:

1. Security architecture. First, focus on developing a modern, standards-based security architecture that centers on zero-trust principles. This provides a high-level framework for building out the cybersecurity portfolio strategically, strengthening the security posture and adapting to future market convergence with relative ease.
   
   Of course, most organizations need to take the long view, as few have the luxury of abandoning their current security stacks and implementing fully zero-trust environments overnight. Rather, flesh out the ideal security architecture as a reference point, and then work toward it incrementally, as resources and circumstances permit. New threats will inevitably emerge along the way, which might necessitate unforeseen investments in relevant point tools.
2. Processes. Develop and optimize repeatable, well-documented processes that reflect the security function's high-level strategic vision and align with industry best practices. Train staff in these processes so they clearly understand the specific actions they should take in the event of any given security incident.
3. People. Assess the human element, and determine which tasks must happen in-house and which the security program could outsource. Even as technology continues to improve, people remain the critical link -- and Achilles' heel -- in building secure business environments. Employees who have solid training in sound processes will always be the most important and effective asset in supporting company security policies.
4. Technology. Finally, to sort through the sea of available products and services, ask which ones would best accomplish the following:
   • align with the organization's vision for a zero-trust security architecture;
   • align with the organization's risk appetite;
   • address vulnerabilities without creating unnecessary technological redundancy; and
   • complement the existing security stack.