Cybersecurity: a young and global ecosystem

The cybersecurity vendor ecosystem is extremely diverse and highly competitive, much like the threat actor ecosystem. We estimate there are more than 2,500 active cybersecurity vendors worldwide, most of which are small and privately held.

The common perception is that this crowded and fragmented ecosystem is a negative. There are too many struggling vendors competing for the same business. Vendors don’t have enough economy of scale to maintain investment in research and development. Customers have to manage too many incompatible vendors, as well as alerts and notifications. This results in highly complex cybersecurity systems that are easy for threat actors to penetrate. On some levels this is true. But all the vendors are focused on the common goal of protecting customers by detecting, preventing and disrupting the threat actors. And this diversity is vital to drive innovation and evolution to address new threats and to improve existing cybersecurity solutions. It also spreads the risk. If every organization only selected from three or four vendors, threat actors would just focus their efforts on fewer vulnerabilities and potentially affect more organizations in a single attack, akin to the recent high-profile SolarWinds and Microsoft Exchange hacks.

Nature shows that diversity and evolution are key to survival. For example, predators learn to recognize the appearance of their favorite prey, but Cuban painted snails have evolved to disrupt this. Through an apparently endless variety of bright colors and stripe variations, no two individuals look the same. This confuses predators, which take more time to assess if the target is edible or poisonous, giving the snails a chance to escape. Similarly, cheetah cubs have evolved to look like honey badgers from above, which deters aerial predators due to the honey badgers’ known ferociousness. But the most striking example is the octopus, which can change its appearance 170 times an hour to evade predators.

A young and global ecosystem

The cybersecurity ecosystem is global, with vendors headquartered in more than 50 countries. But over 75% of vendors are based in just three:   

• The United States has the highest concentration, accounting for 57% of all currently active cybersecurity vendors. The combination of funding and availability of expertise, as well as higher customer spending have contributed to a good environment for cultivating startups. Cisco, Palo Alto Networks and Fortinet are the largest US-headquartered vendors.
• Israel has established itself as an important hub for cybersecurity startups, accounting for 11% of vendors based on their headquarters’ locations. The nation’s strategic approach to cybersecurity and the role of military intelligence units have created a continuous pipeline of entrepreneurs, expertise and funding. The leading Israel-headquartered vendor remains Check Point.
• The UK is also a cybersecurity startup hub, providing a source of acquisitions for larger US vendors, such as CrowdStrike’s purchase of Humio, announced in February. Vendors headquartered in the UK represent 9% of the total ecosystem. Sophos remains the largest, though its private equity owners are in the United States.

Europe is another center of expertise, spread across multiple countries, where there are a cluster of more established cybersecurity vendors. These have developed integrated cybersecurity platforms, with endpoint security at the core, for both organizations and consumers. Acronis, Avast, Avira, Bitdefender, ESET, F-Secure and Kaspersky are key examples. The EU’s cybersecurity strategy will create further growth opportunities and new lines of funding to fuel the expansion of vendors in the region and to cultivate startups.

Cybersecurity is also a young ecosystem, with new threats and vulnerabilities providing a stimulus for startups. 32% of active vendors were only established in the last five years. The recent surge in digital transformation has been a catalyst for the latest wave of startups focusing on cloud security, identity and vulnerability assessment. The ecosystem is constantly changing. Each year, approximately 150 to 180 startups emerge. Some of these vendors will be acquired after a few years, especially those with differentiated technologies and strong business cases. In total, there are more than 100 mergers and acquisitions each year, which drives some consolidation.

Only a few vendors will successfully progress from being a startup to become a medium-sized player, generating annual revenue of more than US$100 million. Fewer still will reach the US$1 billion a year mark. Others will just survive, remaining as niche vendors, fulfilling specific customer requirements. The remainder will likely fail and disappear once funding stops. Overall, the net effect is an ecosystem that is continuously expanding. Nevertheless, all cybersecurity vendors face the same three challenges as all other technology firms, though the addressable market is constantly increasing: 

• Maintaining relevance in a rapidly evolving market.
• Increasing share of spend among existing customers.
• Displacing competitors to win new accounts.