



The IT security industry is not consolidating

Mar 16, 2016 | 5 mins
Security | Technology Industry

The numbers speak: 1,440 vendors and growing

Why is it that an acquisition cannot occur in the IT Security space without that tired old word, consolidation, being rolled out to describe it? This must be a pet peeve of mine since a quick Google search reveals that I have written about consolidation nine times. Nothing I write will change the perception of Wall Street or journalists, evidently. So, why don’t I do some research to back up my oh-so-strongly-held belief? If the industry is consolidating then the number of vendors should go down, right?

Over the past year I have carefully assembled a very large list of IT security vendors. I would love to say it is a complete list but that appears impossible. I encounter new security vendors every single time I research my list.

Just before the RSA Conference this year I scrambled to categorize the last 280 vendors into their major buckets. Since that pass I have done a much deeper dive into three locations, Georgia, India, and Israel, because I received push-back on my reported numbers. Now I peg India at 41 total security vendors and Israel at 228, lower than an exuberant Israeli press reports but enough to make Israel the undisputed #2 in cybersecurity. Georgia is another matter. I have not been able to find any more than 25 vendors, placing Georgia behind Florida.

Before revealing for the first time the results of my analysis let me just make the point (again) that the IT security industry does not consolidate and will not until the numerous threat actors give up and go home.

The IT security industry percolates. McAfee acquires Foundstone. The three founders leave as they get great ideas for new technology: Kevin Mandia to create Mandiant, George Kurtz to form CrowdStrike, Stuart McClure to found Cylance. Or IBM acquires ISS. Or Symantec acquires hundreds of startups. This is the security industry circle of life. To extend the metaphor: threat actors are the fuel, breaches and attacks are the fire that fuels the cycle of startups bubbling up and being acquired by large vendors – constant percolation.

The numbers

I have categorized 1,440 IT security vendors in 35 countries. These are companies that make products. The only services included are the Managed Security Service Providers (MSSPs) and a few testing labs; no resellers, distributors, or consulting firms are included.

Here is the breakdown by country.

It is no surprise that the United States has over half of all security vendors at 827. On a recent trip to Israel sponsored by AIFL I was overwhelmed by the enthusiasm for the cybersecurity startup scene. There were over 100 exhibitors at Cybertech2016 which made it into my database. The Prime Minister keynoted the event and declaimed that Israel aimed to be the cyber capital of the world.

After Israel, Northern Ireland, Scotland, Wales, and England combine to chalk up a healthy 75 security vendors, and Canada 49.

Based on the number of invitations I receive to speak in India, and the number of followers I have on Twitter, Facebook, and LinkedIn from India, it is no surprise that India is booming in cybersecurity with 41 companies. I expect there to be many more startups coming out of India soon. Perhaps the acquisition of Cyberoam by Sophos will be to India what the IPO of Check Point was to Israel, igniting a fevered startup economy.

Now let’s look at the breakdown within the United States:

Of course California is the overwhelming leader in cybersecurity with 324 vendors, most in the Bay Area. In my experience Boston (60) should have a clear second place but in recent years “cyber” has become big business in Washington DC. If you combine Virginia (60), Maryland (27), and DC (4) you get 91 vendors, which points to a second major concentration of vendors in the US.

Even though I knew of many vendors in Texas it surprised me to count 53, way ahead of New York (38) and Florida (34).

I have looked carefully at many lists of security companies in Georgia (25). I think the reason the local business press is so effusive is that people in Atlanta still think of ISS, SPI Dynamics, CipherTrust, and Lancope as their own, even though they have been acquired and belong to IBM, HP, Raytheon, and Cisco respectively. Based on the valuations of these companies, Georgia can still claim to be a hotbed of cybersecurity.

One last interesting set of data is my classification of all vendors into the major buckets of Network, Endpoint, Data, IAM (Identity and Access Management), and GRC (Governance, Risk, Compliance).

For now, my estimates of the actual revenue are very rough and based on a total IT Security market of $104 billion in 2015. Much more on that later. But the numbers of vendors in each bucket are accurate. The 230 network security vendors include all Firewalls, UTM, IPS/IDS, NBAD, and NetFlow-based solutions.

IAM is next. The reason there are so many vendors in this space – 211 – is that there are so many authentication mechanisms. Two-factor authentication, password grids, smartphones, and biometrics from fingerprints to facial recognition to voice and even how you walk (gait) are included in this bucket.

The Data security bucket (169) includes all the encryption and digital certificate solutions. This space will continue to boom as the industry scrambles to counter the latest threat: government surveillance.

GRC has 190 participants. Many of the vendors will not be happy that I lump them in this bucket, but here is where vulnerability management, SIEM, log management, and risk management vendors belong.

There are other buckets and I will be writing about each of them. Anti-fraud is a big business with 43 vendors. Cloud security has 29 pure plays. Threat intelligence has 31 vendors but that belongs in a bucket I am calling Cyber Defense, which also includes the breach detection, advanced malware defense, incident response, and security analytics sectors.

This is not an industry that is consolidating. It is growing by every measure: sales, number of vendors, number of countries with vibrant security ecosystems, and number of industry analysts needed to cover it.


Richard Stiennon is chief research analyst at IT-Harvest, the firm he founded in 2005 to cover the 1,600 vendors that make up the IT security industry. He is the author of Surviving Cyberwar (Government Institutes, 2010) and There Will Be Cyberwar: How the Move to Network-Centric Warfighting Set the Stage for Cyberwar. He is a member of the advisory board at the Information Governance Initiative and principal of TrueBit Cyber Partners. He also serves on the R2-TAC, the technical advisory committee for the Responsible Recycling standard for e-waste.

Stiennon was chief marketing officer for Fortinet Inc. and vice president of threat research at Webroot Software. Prior to that, he was vice president of research at Gartner Inc. He has a B.S. in aerospace engineering and an M.A. in war in the modern world from King’s College, London.

The opinions expressed in this blog are those of Richard Stiennon and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.