Consolidation Wave Hits Infosec, Sparing CISOs From Tool Sprawl
Consolidation in the cybersecurity space is being driven by overwhelmed security teams grappling with fragmented toolsets amid continuously evolving threat environments. Jason Merrick, Senior Vice President of Product at Tenable, paints a vivid picture of this shift by highlighting how chief information security officers (CISOs) are pushing back against vendor sprawl to streamline defences and eliminate dangerous gaps.
"The really interesting thing is that you're lucky if you only have 12 vendors that you have to work with in the security space," he sets out. "Even if you look at the world of identity, you've got privileged access management vendors, single sign-on, MFA tools, governance capabilities…there's this sprawl of technologies."
This sprawl of technologies, it must be noted, depends on a similar sprawl of competencies, certifications, and human abilities. "You've got a limited number of security practitioners with certain skill sets, and being able to do more with a single vendor is really the, you know, that's a big thing within the consolidation."
There's also the inevitable fact of shelfware, unused or duplicated software lurking within the organisation, and then there's the canary in the coal mine: spreadsheets, filling the gaps. "Yesterday, I met with an ANZ customer. They have 120 security tools. 120!" Merrick exclaims. "Part of the CISO's responsibility is reducing that number of vendors significantly; anecdotally, he said something funny and very true: 'I need to get my team out of Excel'."
While this situation might seem absurd, it is more often the norm than the exception. The upshot isn't just added cost and strain on human resources, but that a surfeit of solutions can mean reduced rather than enhanced risk management. Attackers love chinks in the armour, and Merrick says best-of-breed setups can leave gaps between tools, allowing attackers to exploit misconfigurations, vulnerabilities, and "toxic combinations" across assets.
"The attack surface has expanded, encompassing traditional IT, cloud environments, identities, IoT devices, operational technologies (OT), and now artificial intelligence (AI). Organisations need to inventory their digital assets," Merrick stresses. After all, unless there's a record of what to protect and how, efforts may be reduced to guesswork and porous defences.
Consolidation, then, is customer-led. Merrick says he spends considerable time with end users and channel partners, and those interactions confirm the role of cost pressures, skill shortages, and the need for cohesive visibility. A platform approach, he explains, simplifies management, enhances prioritisation, and fosters collaboration across teams. "You've got a limited number of security personnel," Merrick notes. "Being able to do more with a single vendor is a big advantage within consolidation."
Tenable's strategy exemplifies a consolidation ethos through its focus on exposure management, a maturation of traditional vulnerability management. Rather than reactive patching, exposure management emphasises pre-breach posture: inventorying assets, analysing risks, and identifying critical fixes. "It's boiling it down to what are the critical few things that you can do today to reduce risk," Merrick explains.
The company's journey reflects deliberate consolidation. Over six years, Tenable has completed multiple acquisitions, targeting OT, identity, cloud, attack surface management, third-party integrations, and AI.
"Our focus centres on exposure management," Merrick says, noting that the Tenable One platform aggregates data from sensors across the attack surface. Crucially, while consolidation is a theoretical goal, it isn't always a practical one – so Tenable One ingests third-party data from vendors including Microsoft, CrowdStrike, Palo Alto and more.
While he didn't broach the topic, this addresses one of the potentially major drawbacks associated with consolidation, vendor lock-in, while still providing unified prioritisation, attack path visualisation, and reporting.
As for the topic du jour, Merrick confirms that AI plays a pivotal role in Tenable's approach, highlighting how it supercharges analysis and reporting. "It's analysis on steroids," he agrees, explaining that the company owns a vast dataset from 44,000 global customers from which it correlates vulnerabilities with regional threats and industry patterns.
It should be noted that consolidation offers a natural advantage for vendors, too; asked how customers should make their selection, Merrick says it starts with introspection. "Focus on outcomes over products. Knowing your own organisation, its goals and priorities, means making the best selection."
And he offers praise for the general state of infosec maturity in the ANZ region. "Boards are shifting from compliance checkboxes to genuine risk reduction, with, for example, customers aspiring to financial services-level maturity even in unrelated sectors like healthcare."
He says the benefits of consolidation are clear: reduced costs, fewer gaps, and proactive defence. And as always, "Finding vulnerabilities before breaches is very valuable. And, of course, it costs significantly less than detection, response and remediation."