
Judge, Jury & Executioner: Why the Identity Consolidation Game is Dangerous

By Mike Beevor on 11 September 2025

The cybersecurity industry is in the midst of a feeding frenzy. Every major player is racing toward the same ultimate prize: becoming the one-stop platform for cybersecurity. It's about winning wallet share, consuming capabilities, and convincing customers that complexity can be solved with consolidation. We've watched this play out through relentless acquisition cycles - Zscaler's shopping spree, CrowdStrike's expansion beyond endpoints, and countless others hoovering up point solutions.

But one acquisition caught my attention for all the wrong reasons: Palo Alto Networks acquiring CyberArk for a staggering $25 billion.

Don't get me wrong, the financials make perfect sense. CyberArk has solid technology, talented people, and does Privileged Access Management (PAM) in a way that actually works. For PAM, it's a differentiator in a crowded market where everyone else is still scrambling to build or buy their way into the identity space. And let's be honest, I don't count Microsoft's Entra in this conversation: it is a basic but newly evolving player that has a large market share simply by dint of history and convenience.

The strategic logic is equally sound on the surface. Identity has become the new buzzword - it's the new perimeter, the new edge, the new everything. Every conference keynote, every vendor pitch deck, every analyst report tells us that identity is where the action is. And they're not wrong about its importance.

Here's the thing: if you strip cybersecurity down to its most basic concept, it's really about one fundamental question: "Who can access my data, and what can they do with it?" When you frame it that way, identity's foundational role becomes crystal clear. It's not just important; it's the bedrock everything else is built on.

The Dangerous Consolidation of Truth

In my view, identity, given its fundamental role in ALL cybersecurity, should always remain discrete and independent. It should be a separate, unbiased source of truth, distinct from the platforms and technologies that consume identity information to make access control decisions.

When you combine identity management with the enforcement platforms, you're essentially creating a single entity that serves as judge, jury, and executioner for every access decision in your organisation. Sure, there will be plenty of marketing slides about role-based access controls, logical separations, and architectural safeguards to "minimise risk." But strip away the enterprise architecture theatre, and the fundamental problem remains: it's one platform controlling everything.

This isn't just a technical concern, it's a philosophical one. Cybersecurity has always been, and should remain, a team sport. The best outcomes come from collaboration and cooperation between different technologies and vendors, each bringing their specialised strengths to the table. When everything gets absorbed into a single mega-platform, we lose that diversity of thought, approach, and innovation.

The Lie We Keep Telling Ourselves

Anyone who's had to listen to me expound on cybersecurity will remember that I've always made the following point: "If any single vendor tells you they're the only thing you need for cybersecurity, they're lying and they're wrong, and you should tell them exactly that."

The reality is that the complexity of modern cybersecurity can't be solved by giving one vendor complete control over your security stack. It's solved by thoughtful integration, careful architecture, and maintaining checks and balances across your security ecosystem. When your identity provider is also your firewall vendor, your endpoint protection platform, and your observability tools, who's watching the watchers?

The False Promise of Simplicity

I understand the appeal of consolidation. IT teams are overwhelmed, security professionals are burned out, and the promise of "one throat to choke" sounds incredibly attractive after managing dozens of point solutions. But we're trading short-term convenience for long-term risk.

The right approach isn't to avoid consolidation entirely, it's to consolidate strategically. Gartner and other industry analysts consistently recommend building around a small number of strategic platforms. This means establishing a core set of trusted platforms and then making disciplined decisions about when point solutions integrate into these platforms versus when they stand alone.

This strategic consolidation reduces complexity while preserving the redundancy and choice that keeps you secure. You get the operational benefits of fewer vendor relationships and unified management, but you avoid the catastrophic risk of putting all your eggs in one basket.

When everything flows through a single platform, that platform becomes not just a single point of failure, but a single point of compromise. When the judge, jury, and executioner are all the same entity, there's no appeal process, no second opinion, and no redundancy when things go wrong. And in cybersecurity, things always go wrong. Smart consolidation gives you the best of both worlds: simplified operations with distributed risk.

A Better Path Forward

The answer isn't to reject innovation or cling to unnecessarily complex architectures. It's to demand better integration without consolidation, and better collaboration without domination.

We need identity platforms that play well with others, not ones that seek to consume everything in their path. We need vendors who view themselves as part of an ecosystem, not as the ecosystem itself. And we need to resist the siren call of the "single pane of glass" when that glass can so easily become a prison.

The cybersecurity industry's consolidation game might make investors happy and simplify sales processes, but it's making our organisations less secure, not more. We're voluntarily creating the very single points of failure that our threat models warn us against. Strategic consolidation should be the aim, not complete consolidation from a single vendor and therefore a single point of failure.

So the next time a vendor tells you they can replace your entire security stack with their platform, remember: they're not just selling you technology, they're asking to become your judge, jury, and executioner.

And that's a role no single vendor should ever have.


Mike Beevor is the CTO of Principle Networks, where he helps organisations build resilient, well-architected security ecosystems. He previously held senior positions at Zscaler and continues to advocate for the principled approach to cybersecurity that refuses to compromise long-term security for short-term convenience.

