When I waded into the cyber-security world last year, the first thing that struck me was, my god, so many companies. We’re talking about hundreds and hundreds of vendors—and every one of them is quick to assure you they’re indispensable for preventing a looming cyber disaster.

An average business customer, however, lacks the time and money to sort the saviors from the snake oil. That’s why, in cyber, there’s a strong case for faith in big companies: They have the resources to protect your business and, if a new security bell or whistle emerges, they will know about it. Meanwhile, customers won’t waste their time with flash-in-the-pan products.

One believer in big is Amit Yoran, the new CEO of Tenable, which sells software that looks into all nooks of a network to spot potential threats. Yoran, a veteran of Dell, told me there are around 1,500 cyber-security companies, but that 97% of them are minnows with less than $20 million in revenue—and many lack a compelling business case.

“There’s a lot of features masquerading as products and products masquerading as companies,” he said, echoing a refrain you’ve heard if you’ve spent any time in Silicon Valley. He’s got a point and, if he’s right, a lot of these “companies” will be out of cash and blow away by the end of the year.

But there’s another side to the story, which is that minnows produce a lot of innovation. In my years covering tech, I’ve learned some big companies are only really good at one thing: being big. Pre-occupied with public relations and customer lock-in, they can overlook good ideas all around them.

This big versus little debate occurs in any industry, of course, but in cyber it matters more since security is at stake. All of this will be on display this month in San Francisco at RSA, the year’s biggest security event, where both Big Cyber and small startups will be strutting their stuff.