Why is it that an acquisition cannot occur in the IT Security space without that tired old word, consolidation, being rolled out to describe it? This must be a pet peeve of mine, since a quick Google search reveals that I have written about consolidation nine times. Nothing I write will change the perception of Wall Street or journalists, evidently. So, why don't I do some research to back up my oh-so-strongly held belief? If the industry is consolidating then the number of vendors should go down, right?
Over the past year I have carefully assembled a very large list of IT security vendors. I would love to say it is a complete list but that appears impossible. I encounter new security vendors every single time I research my list.
Just before the RSA Conference this year I scrambled to categorize the last 280 vendors into their major buckets. Since that pass I have done a much deeper dive into three locations, Georgia, India, and Israel, because I received push-back on my reported numbers. Now I peg India at 41 total security vendors and Israel at 228, lower than an exuberant Israeli press reports but enough to make Israel the undisputed #2 in cybersecurity. Georgia is another matter. I have not been able to find any more than 25 vendors, placing Georgia behind Florida.
Before revealing for the first time the results of my analysis, let me just make the point (again) that the IT security industry does not consolidate and will not until the numerous threat actors give up and go home.
The IT security industry percolates. McAfee acquires Foundstone. The three founders leave as they get great ideas for new technology: Kevin Mandia to create Mandiant, George Kurtz to form CrowdStrike, Stuart McClure to found Cylance. Or IBM acquires ISS. Or Symantec acquires hundreds of startups. This is the security industry circle of life. To extend the metaphor: threat actors are the fuel, breaches and attacks are the fire that fuels the cycle of startups bubbling up and being acquired by large vendors - constant percolation.
I have categorized 1,440 IT security vendors in 35 countries. These are companies that make products. The only services included are the Managed Security Service Providers (MSSPs) and a few testing labs; no resellers, distributors, or consulting firms are included.
Here is the breakdown by country.
Vendors by country
It is no surprise that the United States has over half of all security vendors at 827. On a recent trip to Israel sponsored by AIFL I was overwhelmed by the enthusiasm for the cybersecurity startup scene. There were over 100 exhibitors at Cybertech2016 which made it into my database. The Prime Minister keynoted the event and declaimed that Israel aimed to be the cyber capital of the world.