The cybersecurity market is not consolidating. It is rewiring itself

https://ca.finance.yahoo.com/news/cybersecurity-market-not-consolidating-rewiring-220111211.html

Publish Date: 2026-02-27 17:01:00

Author:

Using an unordered list, summarize the following article with between 4 and 8 key points. The cybersecurity industry defies long‑standing predictions of consolidation. PHOTO GETTY IMAGES For more than two decades, the cybersecurity industry has been accompanied by a familiar refrain. There are too many vendors; too many tools; too much fragmentation. Eventually, the thinking goes, consolidation will clean it all up. Platforms will absorb point solutions, competition will thin out and order will return. Richard Stiennon has been hearing that story for 25 years. He still does not believe it. As the founder of IT Harvest and one of the longest tenured analysts in cybersecurity, Stiennon tracks roughly four thousand security vendors and their products globally. From that vantage point, the idea that the industry is consolidating in any traditional sense is not just wrong. It misses what is happening beneath the surface. Stiennon did not arrive in cybersecurity through a conventional analyst pipeline. He began his career in automotive engineering, moved into the early internet era by launching an ISP, and watched that company get acquired during the first wave of digital infrastructure buildout. That experience led him into security focused companies and eventually to Gartner, where he became one of the earliest analysts dedicated to covering cybersecurity as a standalone domain. That chapter shaped his thinking. Traditional analyst models, he observed, tend to focus on the top tier of vendors in any category. Useful, but incomplete. The real market dynamics live in the long tail, where innovation forms long before it becomes obvious. IT Harvest began as a spreadsheet tracking a few hundred vendors. Over time, it grew into a dataset of thousands. In 2022, Stiennon launched a dashboard to make that data searchable and usable at scale. The arrival of large language models only accelerated its value, making it possible to map not just vendors but products, categories and relationships across the entire industry. The most persistent misconception that Stiennon challenges is the belief that cybersecurity is consolidating the way industries like telecom or automotive once did. In those markets, consolidation meant fewer competitors and shrinking choice. Cybersecurity behaves differently. Large vendors do not buy startups to eliminate competition. They buy them to absorb innovation. New threat classes appear, startups form with intense focus, and once a category proves real, larger players step in to acquire proven technology with customers already attached. It is not a roll-up strategy; it is an innovation pipeline. Story Continues This distinction matters because it explains why many attempts at forced platform consolidation fail. When companies attempt to aggregate tools without deep integration or buyer driven value, the result is often complexity layered on complexity. Stiennon sees repeated failures among companies that make consolidation the strategy rather than the outcome. Private equity is often cast as the villain in these conversations. Stiennon’s view is more pragmatic. Firms such as Thoma Bravo, he argues, are not consolidators in the classic sense. They are specialists in rebuilding companies that cannot easily reinvent themselves under public market pressure. Public companies struggle to make radical shifts, particularly when it comes to pivoting technology strategy or retooling product lines around emerging capabilities like AI. Going private creates space to make those changes without quarterly scrutiny. When done well, those companies often return to the market stronger than before. That dynamic does not reduce competition; it reshapes it. If acquisitions are the mechanism by which innovation travels upstream, they are also risky. Stiennon estimates that roughly half of all security acquisitions fail to integrate successfully. Sometimes the technology does not scale. Sometimes cultures clash. Sometimes the acquiring company discovers the innovation was not as real as it appeared in a fast-moving market. The speed of cybersecurity leaves little room for perfect diligence. Stiennon recounts examples where even internal teams were misled about the maturity of technology. In an industry driven by urgency, the line between vision and reality can blur quickly. The lesson is not to avoid acquisitions, but to be more disciplined about outcomes. Integration matters more than headlines. If there is one area where Stiennon sees unambiguous momentum, it is AI powered security operations automation. He describes it as the fastest moving change he has witnessed in his career. For decades, security analytics focused on prioritization. Tools attempted to surface the most important alerts and leave the rest to human analysts. The new generation of platforms aims to go further, automating analysis and response across the entire incident lifecycle. What makes this moment different is not ambition, but adoption speed. Stiennon points to startups that moved from zero revenue to millions in recurring revenue within months. Buyers are not experimenting cautiously. They are adopting out of necessity as alert volume rises and skilled analysts remain scarce. If successful at scale, this shift will redefine how organizations staff, budget and structure security operations. On quantum computing, Stiennon is openly skeptical about near term impact. He does not dismiss science, but he respects the engineering challenge. Practical, scalable quantum systems, in his view, remain decades away. Yet he strongly advocates for investment in post quantum cryptography. Not because the threat is imminent, but because the preparation is valuable regardless. Mapping cryptographic assets, identifying weak algorithms, improving key management, and consolidating control are all foundational security improvements. Preparing for post quantum cryptography forces organizations to clean up some of the most neglected parts of their security posture. Even if quantum timelines slip, the work pays dividends. Across thousands of vendors, Stiennon consistently sees one differentiator separate companies that scale from those that stall: leadership. Passionate leaders create urgency, clarity and belief. They turn incremental progress into decisive momentum. They build organizations capable of scaling faster than most teams believe is possible. In a crowded market, execution often matters more than novelty. Technology opens the door. Leadership determines whether a company walks through it. For buyers, the lesson is to stop waiting for consolidation to simplify decisions. It will not. The market will remain dynamic because threats continue to evolve. The better question is which tools reduce operational friction and deliver measurable outcomes. For founders, the message is sharper. Build something real. Prove value quickly. Earn customers. The market rewards those who move fast and deliver substance, not those who wait for narratives to catch up. From Stiennon’s vantage point, cybersecurity is not settling down. It is accelerating. And the companies that succeed will be the ones that understand that motion and learn to move with it. You can connect with Richard on Linkedin. RDX-Leaderboard This section is powered by Revenue Dynamix. Revenue Dynamix provides innovative marketing solutions designed to help IT professionals and businesses thrive in the Canadian market, offering insights and strategies that drive growth and success across the enterprise IT spectrum.