Identity Security is on the path to consolidation.
Some vendors will fail, others will stick the landing.
The identity security market is hot. Since 2020, venture firms have poured funding into newly founded companies, and all have focused on capturing their stake in the market and creating subsegments to match their products’ capabilities. It’s safe to say identity security is in the land grab phase of market development.
The situation is messy. There are dozens of vendors spread across proliferating categories. Differentiation is hard to come by. Everyone gathers intelligence, analyzes risk, and enforces ‘least privilege’ for your cloud and identity resources—many claim they can see everything everywhere without deploying anything anywhere.
Like many nascent categories, this one has more vendors than it can ultimately sustain.
The market is hurtling headlong toward rapid consolidation. Some companies will fail, and others will be acquired. Most are traveling at breakneck speed toward their inevitable conclusion.
Some will hit the wall. Some will stick the landing.
Cloud security eats identity security?
Not quite.
For a while, it looked like cloud security vendors would bleed into identity security and dominate the market. In 2021, Orca Security raised an eye-popping $550M and promptly expanded its cloud-native application protection platform (CNAPP) slash all-in-one cloud security posture management (CSPM) platform to include cloud infrastructure entitlement management (CIEM) capabilities. In February 2023, when Wiz announced a $300M fundraising round at a $10B valuation and annual recurring revenue north of $200M, they, too, added CIEM capabilities and positioned themselves even further into the identity security market.
Vendors barrage enterprise security leaders with promises that their products will eliminate their security problems. CISOs have dozens of products from which to choose. More products complicate the security architecture, so CISOs prefer fewer products with broader capability sets—the preference benefits vendors with broad platforms that solve a range of problems across cloud and identity security. Smaller vendors focused on narrower categories–identity threat detection and response, identity security posture management, and CIEM–deliver deeper defenses against identity-centric threats but at the expense of adding another dataset and dashboard to the enterprise security portfolio.
Security practitioners struggle to correlate threats across a growing ecosystem of analytics, alerts, and dashboards. Meanwhile, breaches continue at an astonishing pace, considering the substantial investment to prevent them.
Let the games begin: Cisco, Oort, Splunk, Tenable, Ermetic.
Consolidation is already underway.
In July 2023, Cisco announced it was buying Oort, an identity threat detection and response vendor founded in 2019. Barely two months later, it also acquired Splunk, the SIEM powerhouse. Neither transaction is final, but from the outside, product combinations seem obvious. Cisco’s approach to identity and security is, unsurprisingly, network-focused. The products deploy on-premises. Oort and Splunk bring cloud-focused capabilities to Cisco’s portfolio, layering security on top of cloud services and SaaS.
It will be a mess while they figure out the right product combinations, package together capabilities, and build the delivery engine. The Oort team are Cisco veterans, so they’ll have a leg up when navigating the big company politics and bureaucracy that tend to thwart successfully integrating small, nimble startups.
CISOs won’t love the outcome, but they won’t hate it either. An established, well-known, strategic vendor delivers what they’ve asked for: broader capabilities from a smaller number of well-integrated products.
Tenable made their name securing Active Directory and helping companies navigate the morass Microsoft created when they introduced AzureAD into the identity provider equation. Ermetic built a cloud-native application protection platform with CIEM capabilities so that customers could inventory and secure their cloud assets and make sure user entitlements weren’t overprovisioned, leaving cloud resources under-secured. The result is an all-in-one platform–conveniently named Tenable One–that solves a broader set of security problems than each vendor handled individually.
The investment theses are decipherable. Customers have hybrid enterprise architectures. They need cloud-centric vendors to deliver more capabilities to secure on-premises identities, applications, and services. Similarly, on-premises vendors must do more to secure new cloud infrastructure, SaaS, and cloud identity services. Broad cloud security platforms need better, deeper identity security capabilities to solve the intricate, nuanced problems that ITDR, ISPM, and CIEM vendors focus on.
The industry should expect more combinations following these three general patterns.
Advice for identity security product managers.
At the risk of repeating myself, the identity security market is hot. Product managers at the fastest-growing companies are holding on for dear life, adding features to keep pace with marketing promises and customer demands. At the hottest companies, the pressure is greatest to focus on customer value, often at the expense of the things that will be most urgent when those companies arrive at the inevitable exit via acquisition.
Having sat on the acquiring side of the table, I have some advice.
Quietly, while no one is looking, focus your product organization on two critical tasks: create clear abstractions between your product’s components and inventory your product’s use of open-source software.
If your identity security company is acquired, it will likely be by a larger company already possessing cloud and/or identity security capabilities. Integration across those products will be mandatory during the immediate post-acquisition phase. The period during product integration is disruptive to customers and dangerous to the business. You sacrifice new features so that you can do the integration.
A little effort now will go a long way later.
Clean abstractions make product integrations cleaner and more straightforward. The integration will take less time, freeing you and your new product colleagues to get back to new feature development quickly and painlessly. Your architecture will be simpler, making maintaining and supporting your product easier and cheaper.
Product due diligence performed during acquisitions and later-stage funding focuses on IP ownership and always requires disclosure of open-source software.
Carve out weekly time to understand whether you have bundled toxic software into your product. We build software these days by assembling capabilities from existing open-source tools, packages, and libraries. Unless you developed guidelines at the outset, your developers likely incorporated software using so-called copyleft licenses into your product.
This is bad but not catastrophic.
Suppose one of your developers selected software licensed under GPL, for example. In that case, lawyers ask product managers for context about how the software is used and then generally conclude that it poses some level of IP risk to the business. To be on the safe side, the lawyers will recommend removing the offending software to manage the risk that IP concerns delay or kill the deal or lower the valuation of the acquired company.
As early as possible in your product’s lifecycle, inventory the open-source software you use and the licenses it carries. Most source code hosting platforms are now quite good at finding and reporting this information, often listing components together with their licenses.
Those abstractions you spent time on will isolate the impact when removing the offending code.
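An added illustration of the inventory step, not code from the post or from any product it names: it reads a small constructed CycloneDX-style SBOM, buckets each component’s declared SPDX license identifier, and lists the components to raise with product and legal. The license sets are illustrative assumptions, not a legal classification, and the sample components are made up.

```python
import json

# Illustrative SPDX license sets (assumption: align them with your counsel's policy).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                 "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

# Constructed sample SBOM in CycloneDX JSON shape; the components are made up.
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
 {"name": "requests", "version": "2.31.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
 {"name": "readline-wrapper", "version": "1.2", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
 {"name": "ffi-shim", "version": "0.4", "licenses": [{"expression": "MIT OR LGPL-2.1-only"}]},
 {"name": "mystery-lib", "version": "9.9"}
]}""")

def classify(license_id):
    if license_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if license_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if license_id in PERMISSIVE:
        return "permissive"
    return "unknown"  # unrecognised or missing: a human has to look

def component_licenses(component):
    """Collect the SPDX ids declared on a component (plain id or expression)."""
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:  # e.g. "MIT OR LGPL-2.1-only"
            tokens = entry["expression"].replace("(", " ").replace(")", " ").split()
            ids.extend(t for t in tokens if t not in ("AND", "OR", "WITH"))
        elif "license" in entry:
            ids.append(entry["license"].get("id") or entry["license"].get("name", "UNKNOWN"))
    return ids or ["UNKNOWN"]  # no declaration at all is itself a finding

def inventory(sbom):
    """Map each component to its worst-case bucket (conservative for OR expressions)."""
    rank = {"permissive": 0, "unknown": 1, "weak-copyleft": 2, "strong-copyleft": 3}
    report = {}
    for comp in sbom.get("components", []):
        name = f'{comp["name"]}@{comp.get("version", "?")}'
        report[name] = max((classify(i) for i in component_licenses(comp)), key=rank.get)
    return report

def needs_review(sbom):
    return sorted(n for n, c in inventory(sbom).items() if c != "permissive")
```

A dual-licensed component is deliberately flagged so that someone confirms which license option the product actually relies on.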
Prioritizing these two simple tasks will incur minor, short-term pain and pay huge dividends measured in hours of sleep and cash in pocket.
Good luck!
Words spoken from experience, Eric, no doubt. To make your recommendation to monitor and inventory your product's use of/dependency on open source software even more actionable, I have had good experiences with source code analyzers, and would say that this could be worth investing in (not only for open source usage monitoring but for general source code quality and hygiene). Here is an example: https://snyk.io/product/open-source-security-management/license-compliance/ - I wonder what others' take is on this
Hi Eric;
Another insightful article and one that all product managers should take into consideration when reviewing their tech-debt inventory. We had placed a heavy emphasis on tracking all open source in our development of 3Edges for dynamic authorization, and I feel really proud of our team having kept track of what code came from where and under what licensing. We also leverage Snyk to check on our compliance etc.
Thanks for the blog post;
Derek