I’m going to say something that is pretty self-evident to anyone who’s been around our industry for a while. There are too many security technology companies. And the sheer quantity and funding that they have create a reality distortion effect around our entire space.
A few stats:
The cyber tech landscape. Hope you have your magnifying glass.
(Source: Momentum Cyber)
Wildfires can be both destructive and painful, but healthy, setting the foundation for new growth. It seems from a distance that those wildfire conditions might be settling in for the next 12-18 months as security budgets flatline, there’s an increased focus on ROI and rationalization, and VCs pull back on investment (particularly pulling back on portcos that haven’t really found product market fit).
The focus on getting to profitable unit economics (at least) this year is something relatively new. Generally, it’s been growth at all costs and valuations that were purely driven off top line (and top line momentum). That’s a lot of pipeline pressure. That’s a lot of money to spend. That’s a lot of BDRs to hire and a lot of events to run. That’s a lot of CISOs to spam.
Let’s put this in perspective: assume half of those funds being raised go to GTM, and half go to product. That’s ~$12B of GTM investment funding per year. Assume it’s largely targeted to the largest 10K companies in the world (with a massive skew to the US), and that’s $1.2M being spent on sales reps, BDRs, marketing agencies, etc. to get the attention of each of those 10,000 companies (with most of that ending up in the inbox of the CISO). And that’s not even counting the sales and marketing efforts of companies that aren’t reliant on funding anymore.
There’s no doubt that there are some incredible companies doing great things to make the world more secure. And astute investors that are backing companies that will change our industry. (I’m fortunate enough to know many of them and be a LP with some of them.)
That being said, security programs are breaking under the tool weight that exists today. It’s common for large companies to have upwards of 80 security tools in their environment. That’s too many.
The sheer supply in the industry, and the combination of investment funding and pressure for top line growth, create some very distorted dynamics.
1) The industry is more in search of problems than solutions
When all you have is a hammer, everything looks like a nail.
An average pitch goes something like this:
“Did YOU KNOW that companies today have terribly weak ABC and that threat actors are actively exploiting these and it will cost you money and reputation if you are one of them? Dark/Deep/Sentinel/Overlord/Watch is the ONLY company that provides you with the visibility you need on a single pane of glass via our buzzword, buzzword, buzzword zero trust solution that will stop these threats in their tracks.”
At the end of the day, this marketing is more about trying to bring awareness to the (often niche) problem than it is about really helping customers. And you know some of it is BS, but you aren’t totally sure which parts. So you discard it all, unless someone you trust recommends the solution to you.
2) What becomes individually rational becomes collectively insane.
All of this investment is totally rational at the level of an individual company. The problem is that when multiplied by thousands, the net effect is minimal signal, all noise.
One arms race is between attackers and defenders. The other arms race is for the attention of the defenders (if I could just get 15 minutes of your time!). In this environment, there’s a ton of pressure to take shortcuts by overpromising what your product can do and positioning it in line with the latest industry buzzwords.
All of this erodes trust and sows confusion.
3) It fosters a surreal conventional wisdom that places primacy in technology.
The surreal conventional wisdom is this:
Why does this happen, when most people know better?
Because it’s easy. We all want to believe. Security isn’t that hard if we can just buy it.
But that inevitably leads to disappointment and failure because:
And so, this is my friendly reminder to bring it back to basics:
People, process, AND technology. It’s cliché. But it’s true.
And you need all three in equal measure. Tech is necessary. But not sufficient.
Technology leads, and people and process often don’t follow. Or if they do, it’s about hiring people to manage tools.
This all has knock-on effects for the jobs marketplace because you see a majority of job postings written as if the end goal of a person’s role is to manage a tool. So you look for people that have a lot of experience with that tool. And then you don’t find them within budget.
So, a plea to remember the proper flow of things:
We see a major imbalance between 1) the criticality of the human element and 2) the amount of innovation, investment, and creative thinking that is paid to this area.
That’s why we do what we do.
For further reading: