ComputerWeekly

Platformisation or platform theatre? Navigating cyber consolidation


The consolidation wave in enterprise security is real, and the business case is compelling. A January 2025 report from IBM and Palo Alto Networks found that organisations manage an average of 83 security solutions from 29 vendors. The complexity is staggering – and attackers exploit the gaps between those tools. The push to rationalise is not just about budget; it’s about coherence.

But the allure of a unified platform brings its own hazard. Not every vendor offering “end-to-end visibility” is delivering genuine integration. And even when they are, consolidation can silently introduce the very risk it promises to eliminate: a single point of catastrophic failure.

Spotting integration theatre

Integration theatre is the cyber security equivalent of a Potemkin village: application programming interfaces (APIs) stitched together with no shared data model, dashboards that aggregate alerts without correlating them, and licensing bundles that market themselves as platforms while operating as loosely coupled point solutions.

The diagnostic questions I ask vendors are deliberately outcome-focused, not feature-focused. Does threat detection in one module automatically trigger a policy change in another, without human intervention? Does a compromise of an identity trigger endpoint quarantine in under a minute? Can you demonstrate bi-directional data flow between your extended detection and response (XDR), security information and event management (SIEM) and cloud security posture management in a live environment – not a sales demo? Genuine platforms reduce mean time to detect (MTTD) and mean time to respond (MTTR). Theatre does not.

A further tell: ask how the vendor handles failure of a single module. If the answer is that the platform degrades gracefully, probe it. If the whole stack collapses, it was never truly integrated – it was just co-located.
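Both of the checks above (identity compromise to endpoint quarantine inside the one-minute target, and what happens when a single module goes down) can be scripted rather than taken on a vendor's word. The following is an added example, not code from the article or from any vendor: it runs the two checks against constructed in-memory stand-ins for an identity module and an endpoint module, with a fake clock so it runs offline. The module classes, the user and host names, the propagation delay and the poll interval are all assumptions; against a real stack the two stand-in classes would be replaced by API clients and the measurement logic would stay the same.

```python
from dataclasses import dataclass, field

QUARANTINE_TARGET_S = 60.0  # the article's target: identity compromise to endpoint quarantine in under a minute


class FakeClock:
    """Deterministic clock so the harness runs offline. Against a live stack,
    substitute an object whose now()/sleep() wrap time.monotonic()/time.sleep()."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class ModuleDown(RuntimeError):
    """Raised by a module that is unavailable (simulated outage)."""


@dataclass
class EndpointModule:
    """Stand-in for the endpoint module (an assumption, not any vendor's API)."""
    available: bool = True
    effective_at: dict = field(default_factory=dict)  # host -> time the quarantine takes effect

    def quarantine(self, host, effective_at):
        if not self.available:
            raise ModuleDown("endpoint module unavailable")
        self.effective_at[host] = effective_at

    def is_quarantined(self, host, now):
        if not self.available:
            raise ModuleDown("endpoint module unavailable")
        return host in self.effective_at and now >= self.effective_at[host]


@dataclass
class IdentityModule:
    """Stand-in for the identity module; sessions maps user -> hosts with a live session."""
    sessions: dict
    compromised: set = field(default_factory=set)

    def flag_compromised(self, user):
        self.compromised.add(user)


class Platform:
    """Integration layer with failure isolation: an unavailable endpoint module is
    recorded as degraded and the identity signal is still processed. delay_s models
    the vendor's cross-module propagation latency (an assumption for the simulation)."""
    def __init__(self, identity, endpoint, clock, delay_s):
        self.identity, self.endpoint, self.clock, self.delay_s = identity, endpoint, clock, delay_s
        self.degraded = []  # names of modules that failed while the platform kept running

    def on_identity_compromise(self, user):
        self.identity.flag_compromised(user)
        for host in self.identity.sessions.get(user, []):
            try:
                self.endpoint.quarantine(host, self.clock.now() + self.delay_s)
            except ModuleDown:
                if "endpoint" not in self.degraded:
                    self.degraded.append("endpoint")


class CoLocatedStack(Platform):
    """Integration theatre: the same modules with no failure isolation between them."""
    def on_identity_compromise(self, user):
        self.identity.flag_compromised(user)
        for host in self.identity.sessions.get(user, []):
            self.endpoint.quarantine(host, self.clock.now() + self.delay_s)  # ModuleDown escapes


def measure_quarantine(platform, user, host, deadline_s=QUARANTINE_TARGET_S, poll_s=5.0):
    """Inject a compromise of `user` at t0 and poll until `host` is quarantined.
    Returns the elapsed seconds, or None if the deadline passes or the endpoint
    module cannot be queried."""
    clock, t0 = platform.clock, platform.clock.now()
    platform.on_identity_compromise(user)
    while clock.now() - t0 <= deadline_s:
        try:
            if platform.endpoint.is_quarantined(host, clock.now()):
                return clock.now() - t0
        except ModuleDown:
            return None
        clock.sleep(poll_s)
    return None


def degrades_gracefully(platform, user):
    """Take the endpoint module down, inject a compromise, and check that the identity
    module still recorded it and the platform reported the endpoint as degraded."""
    platform.endpoint.available = False
    try:
        platform.on_identity_compromise(user)
    except ModuleDown:
        return False  # the whole pipeline fell over: co-located, not integrated
    return user in platform.identity.compromised and platform.degraded == ["endpoint"]


def build(delay_s, stack=Platform):
    """Constructed fixture: one user ('alice') with one live session on host 'lt-0142'."""
    return stack(IdentityModule({"alice": ["lt-0142"]}), EndpointModule(), FakeClock(), delay_s)


if __name__ == "__main__":
    print(measure_quarantine(build(20.0), "alice", "lt-0142"))         # 20.0: inside the target
    print(measure_quarantine(build(900.0), "alice", "lt-0142"))        # None: a 15-minute sync misses it
    print(degrades_gracefully(build(20.0), "alice"))                   # True
    print(degrades_gracefully(build(20.0, CoLocatedStack), "alice"))   # False
```

The second measurement is the one to watch for in a live environment: a "platform" whose modules exchange data through a scheduled export every 15 minutes will never meet a one-minute quarantine target, however well it demos. The last line is the co-location tell from above expressed as a test: one module's outage takes the identity signal down with it.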

The CrowdStrike warning shot

On 19 July 2024, a faulty configuration update to CrowdStrike’s Falcon sensor brought down approximately 8.5 million Windows devices globally – airlines, hospitals, broadcasters, 911 call centres. Fortune 500 losses were estimated at $5.4bn (£4.03bn). Delta Air Lines alone reported $500m in damages. This was not a cyber attack. It was a platform failure.

For organisations that had consolidated endpoint protection, identity threat detection and cloud security posture management into one vendor stack, the incident was not a localised disruption – it was organisational paralysis. The lesson, as one post-incident analysis framed it, is not to avoid consolidation. It is to understand what you are trading away: architectural redundancy and failure isolation in exchange for operational simplicity.

Governance and architectural safeguards

If you are consolidating, the governance framework must be commensurate with the concentration of risk. The Financial Conduct Authority’s (FCA’s) operational resilience rules are instructive here: by 31 March 2025, firms in scope had to be able to show they could remain within impact tolerances for their important business services in severe but plausible scenarios, and the CrowdStrike outage was a textbook example of such a scenario. That is the right standard of thinking for any CISO evaluating platformisation.

My approach rests on three pillars. First, layered redundancy: no single vendor should own more than two adjacent security domains without a contractual and technical fallback. Staged rollouts, canary deployments and automated rollback mechanisms are non-negotiable SLA requirements, not optional extras, and they must cover configuration and content updates as well as agent binaries, since a configuration update is what took the Falcon sensor down.
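To make the staged-rollout and automated-rollback requirement concrete, here is an added example, not code from the article or from any vendor: a ring-based rollout controller run over a constructed fleet of 1,000 hosts with a constructed health probe in which one update breaks Windows hosts. The host names, the update names, the ring fractions and the 2% failure threshold are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    os: str
    version: str


@dataclass
class RolloutReport:
    outcome: str        # "completed" or "rolled_back"
    ring_reached: int   # 1-based index of the last ring the update was pushed to
    hosts_broken: int   # hosts that failed the health probe before the rollout stopped
    hosts_touched: int  # hosts that received the update at any point


def build_fleet(n):
    """Constructed fleet: 70% Windows, 30% Linux, all on 'update-A'."""
    return [Host(f"h{i:04d}", "windows" if i % 10 < 7 else "linux", "update-A") for i in range(n)]


def build_rings(fleet, cumulative_fractions):
    """Split the fleet into rings by cumulative fraction, e.g. (0.01, 0.10, 1.0)
    gives a 1% canary ring, then the next 9%, then the remaining 90%."""
    rings, start = [], 0
    for frac in cumulative_fractions:
        end = round(len(fleet) * frac)
        rings.append(fleet[start:end])
        start = end
    return rings


def probe_constructed(host):
    """Constructed health probe: 'update-B' crashes Windows hosts; anything else is healthy.
    A real probe would check heartbeat, boot state or sensor telemetry after a soak period."""
    return not (host.os == "windows" and host.version == "update-B")


def staged_rollout(rings, new_version, health_probe, max_failure_rate=0.02):
    """Push new_version ring by ring. Each ring must pass the health gate before the
    next starts; if a ring's failure rate exceeds max_failure_rate, every host touched
    so far is rolled back to its previous version and the rollout stops. In practice a
    ring is also gated by a soak period and an operator approval (not modelled here)."""
    touched = []   # (host, previous_version), in deployment order
    broken = 0
    for index, ring in enumerate(rings, start=1):
        ring_failures = 0
        for host in ring:
            touched.append((host, host.version))
            host.version = new_version
            if not health_probe(host):
                ring_failures += 1
        broken += ring_failures
        if ring and ring_failures / len(ring) > max_failure_rate:
            for host, previous in touched:   # automated rollback of everything touched
                host.version = previous
            return RolloutReport("rolled_back", index, broken, len(touched))
    return RolloutReport("completed", len(rings), broken, len(touched))


if __name__ == "__main__":
    staged = staged_rollout(build_rings(build_fleet(1000), (0.01, 0.10, 1.0)), "update-B", probe_constructed)
    big_bang = staged_rollout(build_rings(build_fleet(1000), (1.0,)), "update-B", probe_constructed)
    print(staged)    # rolled back after ring 1: 7 hosts broken, 10 touched
    print(big_bang)  # rolled back after ring 1: 700 hosts broken, 1000 touched
```

The staged run stops after the 1% canary ring with seven broken hosts; the single-ring run pushes the same update to all 1,000 hosts and breaks 700. That difference is the blast radius the requirement buys. One caveat the simulation glosses over: a host that crashes on update may not be reachable for an automated rollback at all, which is exactly why the canary ring should be small enough to recover by hand.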

Second, zero-trust architecture: platformisation does not exempt you from zero-trust principles. Contain the blast radius. Even within a unified platform, segment data flows and privileges so that a compromise or failure in one domain cannot propagate laterally into the others.

Third, continuous third-party risk oversight: the WEF Global Cybersecurity Outlook 2025 explicitly flags supply chain vulnerabilities as a systemic amplifier. Your platform vendor is a critical third party. Contractual rights to audit, independent pentesting, escrow arrangements and documented exit strategies are governance essentials, not aspirations.

The board conversation

The WEF notes that boards are no longer asking whether they are secure – they are asking whether they are resilient. Platformisation can absolutely support resilience. But only if the CISO insists on genuine integration over marketing, builds governance structures proportionate to the concentration risk created, and retains the architectural independence to survive vendor failure.

Consolidation is a strategy. Platform theatre is a liability. Know the difference before you sign.

John Bruce is CISO at Quorum Cyber, an Edinburgh-based managed security services provider and Microsoft partner.
