14 vendors are Champions in Canalys’ EMEA Channel Leadership Matrix 2021
7 December 2021
The expectation is always that there will be consolidation in a crowded cybersecurity market, but history and nature shows us that these expectations are wrong.
The cybersecurity vendor ecosystem is extremely diverse and highly competitive, much like the threat actor ecosystem. We estimate there are more than 2,500 active cybersecurity vendors worldwide, most of which are small and privately held.
The common perception is that this crowded and fragmented ecosystem is a negative. There are too many struggling vendors competing for the same business. Vendors don’t have enough economy of scale to maintain investment in research and development. Customers have to manage too many incompatible vendors, as well as alerts and notifications. This results in highly complex cybersecurity systems that are easy for threat actors to penetrate. On some levels this is true. But all the vendors are focused on the common goal of protecting customers by detecting, preventing and disrupting the threat actors. And this diversity is vital to drive innovation and evolution to address new threats and to improve existing cybersecurity solutions. It also spreads the risk. If every organization only selected from three or four vendors, threat actors would just focus their efforts on fewer vulnerabilities and potentially affect more organizations in a single attack, akin to the recent high-profile SolarWinds and Microsoft Exchange hacks.
Nature shows that diversity and evolution are key to survival. For example, predators learn to recognize the appearance of their favorite prey, but Cuban painted snails have evolved to disrupt this. Through an apparently endless variety of bright colors and stripe variations, no two individuals look the same. This confuses predators, which take more time to assess if the target is edible or poisonous, giving the snails a chance to escape. Similarly, cheetah cubs have evolved to look like honey badgers from above, which deters aerial predators due to the honey badgers’ known ferociousness. But the most striking example is the octopus, which can change its appearance 170 times an hour to evade predators.
A young and global ecosystem
The cybersecurity ecosystem is global, with vendors headquartered in more than 50 countries. But over 75% of vendors are based in just three:
Europe is another center of expertise, spread across multiple countries, where there are a cluster of more established cybersecurity vendors. These have developed integrated cybersecurity platforms, with endpoint security at the core, for both organizations and consumers. Acronis, Avast, Avira, Bitdefender, ESET, F-Secure and Kaspersky are key examples. The EU’s cybersecurity strategy will create further growth opportunities and new lines of funding to fuel the expansion of vendors in the region and to cultivate startups.
Cybersecurity is also a young ecosystem, with new threats and vulnerabilities providing a stimulus for startups. 32% of active vendors were only established in the last five years. The recent surge in digital transformation has been a catalyst for the latest wave of startups focusing on cloud security, identity and vulnerability assessment. The ecosystem is constantly changing. Each year, approximately 150 to 180 startups emerge. Some of these vendors will be acquired after a few years, especially those with differentiated technologies and strong business cases. In total, there are more than 100 mergers and acquisitions each year, which drives some consolidation.
Only a few vendors will successfully progress from being a startup to become a medium-sized player, generating annual revenue of more than US$100 million. Fewer still will reach the US$1 billion a year mark. Others will just survive, remaining as niche vendors, fulfilling specific customer requirements. The remainder will likely fail and disappear once funding stops. Overall, the net effect is an ecosystem that is continuously expanding. Nevertheless, all cybersecurity vendors face the same three challenges as all other technology firms, though the addressable market is constantly increasing: