Working in cyber and staying sane requires a healthy sense of accepting our inability to control or understand all the moving parts. This industry is a complex and dynamic field that presents both challenges and opportunities. To navigate this landscape effectively as a Cyber PMM, it’s essential to understand its unique characteristics and the key factors shaping its future.
That’s why the first series after the Vision Series is focused on Industry Dynamics. It’s pragmatic to start with defining the “lay of the land” that we are operating in. And I won’t pretend to understand it all, but let’s start with high level observations on the key forces shaping cyber markets today.
Cyber is Now Central
Cyber is now central to most geopolitical and corporate strategic objectives. It’s hard to find an organization or government without a growing digital presence or dependency. This has led to amazing advancements, but threat actors are exploiting vulnerabilities in digital systems to achieve their objectives. Cyber warfare is now at the forefront of international conflicts and is significantly impacting global order.
This digital age has made societies smarter yet more vulnerable. Democratic nations are struggling to secure election systems due to the vulnerabilities in outdated machines. There are systemic risks like this emerging everywhere, including risks in utility systems such as water plants and power grids. Cyber is now a central part of society and has driven great opportunities for advancement, yet it has also exposed us all to more risk and vulnerability than ever.
Social media has also taken us all by storm in the past ~15 years. We are glued to our phones and sharing increasing amounts of personal information that is being stolen regularly. So digital risks abound, making cyber a crucial topic for the foreseeable future. Working in cybersecurity is exciting because we are part of the group bringing order to the aforementioned chaos, and that’s a good thing.
Market Sizing
The cybersecurity industry is substantial; according to Gartner, worldwide end-user spending on security and risk management is projected to total $215 billion in 2024, representing an increase of 14.3% from 2023. Security services represent the largest share of this spending. While this figure is significant, it pales in comparison to behemoths like Apple, which rakes in nearly $400 billion annually. Nevertheless, the industry’s growth rates and increasing demand indicate a prosperous future.
I always like to use market sizes and CAGRs as a baseline for presenting GTM plans to my peers. If I am bringing a certain product to market, it’s a good habit to know the size of the category/market I am competing in. This helps level set revenue and growth expectations for the field and marketing peers.
Private equity firms are significant players in the cybersecurity landscape, financing both startups and established companies. They wield considerable influence, and understanding their role can provide insights into decision-making processes within the industry. For example, I remember when I was working at Optiv, I was aware of the fact that Blackstone owned a large % of the company, impacting certain strategic decisions. We need to understand who the puppet masters are in the businesses we work for.
Funding rounds like Series A, B, C, and D are often celebrated in the cybersecurity community. I think it’s crucial to recognize that funding doesn’t necessarily indicate a technology’s real-world viability. Many startups aim to be acquired by larger players, and the startup path can be arduous.
Just because a startup is good at raising capital doesn’t mean they will succeed in this industry. Time will tell for fundraisers, and funding isn’t exactly a sign of cyber success. It is merely an indicator of potential market viability and future demand. Investors typically don’t invest in ideas that have no chance of return, so it doesn’t hurt to keep an eye on where the funding is happening.
Anyway, I’m not an expert in finance or how funding works. A good resource to dive into this topic more is Venture in Security if you’re into this aspect of the industry.
3,700+ Vendors and 8,000+ Products
The cyber industry comprises vendors of all shapes and sizes, with a continuous influx of startups. For a summary of this jumbled mess, you can check out https://dashboard.it-harvest.com/ where research analyst Richard Stiennon provides more numbers.
As of this writing, he counts 3,729+ cybersecurity vendors across 17 categories, 1,000+ sub-categories, and 8,000+ products! Let that sink in. Have fun trying to get up to speed if you’re new to this business.
Because of this high volume of vendors and products, it’s important to break things down into categories. We have to categorize vendors properly to understand the realities of the categories we are operating in. Understanding vendor types and sizes is also important. There is a mix of cyber vendors from startups to major IT and networking firms, and a whole lot of mid-size vendors in between.
Yet no single vendor can claim more than 10% total market share (my best guess, given that the total industry is valued at ~$215 billion, with no single vendor reporting more than ~$20 to $25 billion). Anyway, I’m not here to arrive at an exact market share percentage; the point is that this is very much not the consolidated telco industry in the US in the 1950s. Cyber is extremely fragmented.
Hello CSPs
I would argue that the most significant influence on the industry over the past decade has come from the entrance of cloud service providers (CSPs), specifically the “big three”: Amazon, Microsoft, and Google. These three vendors play a pivotal role and have high growth rates as companies increasingly migrate their workloads to the cloud and leverage the CSPs’ native security capabilities. Will they drive more consolidation in our fragmented industry? We shall see.
CSPs consider ‘security’ a competitive differentiator for their cloud businesses and have been investing heavily in enhancing their security postures. Consequently, they exert a considerable influence on the security of data and applications hosted in their clouds. Despite this shift towards cloud-based solutions, on-premise systems continue to hold importance in specific industries due to compliance and resiliency requirements or a gradual transition to the cloud. The world will continue to be hybrid with a mix of cloud and on-premises environments.
Also interesting is the growing relevance of these vendors in terms of the enterprise applications they offer. Just think about the tools we use at work every day. In most larger enterprises, if you’re using a productivity app, it’s either Microsoft or Google, right? That’s also where data is stored so threat actors focus on exploiting their vulnerabilities.
Key Security Players
In addition to the CSPs, a few key players have maintained their positions as prominent security providers. These include (alphabetically) Cisco, Crowdstrike, Fortinet, IBM, Okta, Optiv, Palo Alto Networks, Qualys, Rapid7, Secureworks (Dell), Splunk, Tenable, Trellix (fka McAfee), VMware (now Broadcom), and Zscaler, among others I’m forgetting about (CSPs are left out since we covered them already). I’m not saying startups or other vendors don’t have good technology; it’s just that these are the larger market players with more well-known brands.
These brands consistently occupy prominent positions at events like the RSA Conference in San Francisco and feature prominently in Gartner Magic Quadrants and Forrester Wave reports. My litmus test for defining these brands? I simplify it down to this – when these vendors are absent at the big cyber events, it raises eyebrows. And if you’re not working for one of these vendors, you’re trying to displace one of them, partnering with one of them, or potentially being acquired by one of them in the future.
An important distinction and recognition is understanding whether a vendor is a software provider, a services provider, or a hybrid. As mentioned earlier, services account for a larger share of overall cyber industry revenues. Traditionally known as Managed Security Services (MSS), now more commonly referred to as Managed Detection and Response (MDR), services businesses are a crucial part of our industry. They serve as an extension of many SOC teams, and are a go-to resource for incident response scenarios, assessing risk, architecting security programs, performing penetration tests, and helping with compliance.
Acknowledging IT
When you look at the bigger picture, it can be useful to look at cyber as a part of the broader IT industry. The IT industry is much larger, expected to total $5 trillion in 2024, marking an increase of 6.8% from 2023. To me it’s just logical to associate the two industries. Information Technology needs Information Security, and these two realms are closely linked. But like any relationship, conflicts are inevitable. Therefore, it’s essential to strike a balance between honoring IT heritage and recognizing the unique demands of cybersecurity. The two must work together cohesively for a strong security posture.
I know that we cyber folks like to think we’re independent, but in reality, similar to the CSP dynamic above, many of the systems and tools we’re securing have IT industry roots. And IT came first, then Security was an afterthought. Remember, it was Microsoft vs. Apple first, not cyber vendor A vs. cyber vendor B. The initial proliferation of information technology was not built with security in mind. It was built to connect people, share information, and enable trade. Only later did folks begin to say, “umm is this secure?”
I recently saw a documentary on HBO about the Y2K crisis (Time Bomb Y2K), and it illustrates my point somewhat. The information systems built in the mid-20th century were built so fast that the reality of the systems failing really didn’t get addressed until the late 90s, when all of society was panicking about the Y2K crash scenario. It just illustrates the point that system security or resilience really wasn’t the primary consideration at first.
The IT and Security team relationship within organizations is typically a rocky one. On the IT side, you have the objective of enabling systems, employees and business growth. On the other side, you have a Security team that is seen as “holding IT back” but is doing the critical work of securing the business. So there are competing objectives, leading to friction. “Should the CISO report to the CIO?” and questions like this are pretty common these days. I don’t have the answer to that. The point is that the cyber industry is distinct from IT, but closely related since it’s built upon the shortcomings or vulnerabilities of IT systems.
The Impact of Defense and Intelligence Agencies
There’s a close relationship between cybersecurity companies and national security, leading to a revolving door of talent and expertise. Some of the cyber industry’s brightest minds have backgrounds in defense or intelligence. Threat intelligence team leadership, in particular, benefits from these experiences, as the skills and knowledge are highly transferable between these domains.
And there are many startups that are founded by those with intel or defense backgrounds, as they have the experience and vantage points that bring about really innovative technologies. I’ve worked for several vendors with these types of roots. Carbon Black for example was co-founded by an NSA computer scientist. And Siemplify (now part of Google) was co-founded by ex-IDF soldiers.
I have found it an honor to work alongside the veterans who have served our country from a national security perspective. For example, I remember when I worked at Optiv, the leader of the global threat intelligence center would school me on the basics of threat intel and adversary tactics, techniques and procedures (TTPs). Another experience I had was working for Secureworks and getting to know the team in their Counter Threat Unit (CTU). No it wasn’t the same as the Jack Bauer CTU in the 24 series, but it was still pretty cool to meet the folks on that team and learn about some very interesting backgrounds.
As a marketer, this experience was great exposure to the reality of the difficult and important jobs that intelligence professionals in our industry have. And it’s also a good reminder that we’re all in a common battle together, even if as a Cyber PMM we don’t have direct involvement in daily cyber operations. With so much criticism of marketing in general, being able to gain this perspective from veterans is a welcome sense of importance to our mission.
Compliance and Regulations
Probably the most boring aspect (at least for me) of working in cyber is understanding compliance. However, we have to understand this key driver because it impacts how security teams assess and utilize our products. Will this product produce an XYZ report that I need to address XYZ regulation? These are buyer’s journey questions you may need to address in your content.
I once drove a program called Painless PCI for Comodo, which was built upon the use of a vulnerability scanning technology we provided called HackerGuardian. The product was marketed as a solution to address PCI Compliance for merchants. When training the field on our product, I needed to explain the nuances of PCI-DSS so that they could understand which specific sections of the mandate we addressed. Compliance was the main use case by which the product was made market viable.
Compliance is a critical consideration in cybersecurity, with various regulations and frameworks like PCI-DSS, HIPAA, GDPR, SOC 2, NIST, and state-specific regulations shaping the decisions security leaders make. While it’s a must-have, it’s important to note that compliance does not always equate to security. Organizations typically acknowledge that they need to go beyond mere adherence to achieve a stronger security posture.
Similar to the acronyms section later, getting to know the basics of the major compliance mandates and regulations is a must as a PMM.
It’s Chaotic – Get Over It
The world of cybersecurity is far from tranquil; it’s more akin to a battlefield where confusion reigns. This is understandable considering the very reason it exists is because of threat actors trying to exploit an open information system for any number of motives. We’re part of a digital war – not on the front lines, but we’re part of a mission to protect and defend the systems that underpin our way of life. We are marketing products that are defending against attacks by nation states, criminals, hacktivists, and others. By nature, this is a chaotic, fast-paced industry.
So to thrive in this industry, you need to develop a thick skin because the terrain is unforgiving. I often jokingly liken my entry into this industry to Frodo and Sam’s journey into Mordor when they are disguised as Orcs. It’s a world characterized by chaos, unpredictability, and constant vigilance. To understand everything else, you have to first accept the nature of the beast and get over it. Don’t take the chaos personally, or become so absorbed in it that you lose your personal life balance.
Much of the cybersecurity industry revolves around unpredictable external events. This constant state of alertness has led to widespread burnout among practitioners and leaders. Mental health is a major issue in cybersecurity – people are ‘on edge’ around here. And I will never suggest that marketers are facing the same amount of stress and pressure as practitioners; we have our own set of challenges such as information overload, changing priorities, keeping up with market forces, crafting messaging, and supporting buyers along their journey. This is also a lot to handle, so don’t think you are beyond the risk of burnout.
This is a topic for another post, but there are keys to success in this area that include work/life balance, healthy habits, stress management, cultivating hobbies, effective time management, and knowing your boundaries. I have more posts planned on this topic, stay tuned.
Sometimes We’re the Scapegoat – Get Over It
Suspicion and skepticism are embedded in the industry’s DNA, driven by the fundamental concept of “Zero Trust” – the principle that no user, device or connection in the digital realm should be trusted implicitly. This pervasive distrust has given rise to a lot of suspicious individuals who often view “Marketing” with disdain. We are seen as “con artists” by many, even though we are simply serving the function in the industry of bringing products and services to market. We are often blamed for simply doing our jobs.
It’s common to see posts from industry voices that call out “the pitiful state of marketing” and everyone seems to have advice for us. It’s a real challenge to see this sense of disrespect and be treated as industry scapegoats – as if we are the cause of the collective state of anxiety and burnout. Sure, we have a lot of work to do to eliminate the FUD tactics and better serve buyers in our industry. Not saying we’re above criticism and can’t improve how we operate. Working on it :).
In short, we need to accept that as Cyber PMMs, we will not make many friends in cyber from the get-go. So if people-pleasing and being liked is your thing, think twice about this job.
It Can Be Dark and Cynical – Get Over It
In this digital landscape, every organization is a potential target, whether by nation-states, criminals, hacktivists, or other malicious actors. And unfortunately, it seems that with enough persistence, hackers often find their way in, and it’s virtually impossible to achieve absolute security.
Just look at the instances of teenagers with laptops hacking modern corporations all from their parents’ basements. Or look at how recently hired government employees are gaining access to and releasing national secrets on gaming forums. This is all causing bewilderment and cynicism within the industry. It can be a dark place.
This is a cliché, but experts increasingly acknowledge that it’s not a matter of “if” but “when” a breach will occur, leading to a pervasive cynicism around the industry. This is a market reality you need to accept as a Cyber PMM. Our industry is a cynical one. It’s more of a caution to keep in mind; be careful about delivering messaging that is all “sunshine and rainbows” because your audience will roll their eyes if you paint too rosy a picture, as if you’re delivering some silver bullet solution.
The Cyber Acronym Spiral
Let’s call it the Cyber Acronym Spiral. You see an acronym in your first month on the job, and you think, “ah, that’s nice, what a great idea.” Then, after 3 months you start seeing a few more, and you begin thinking, “wait, now I’m losing track, which acronym is which again?” Then after your first year, you realize that there are hundreds of acronyms that you have to account for, and you begin spiraling into cynicism. That’s the typical Cyber PMM acronym journey, until one day you arrive at a point where you create your own! And the never-ending cyber acronym spiral continues.
But seriously, acronyms do have their uses. The prevailing acronyms are sometimes an indicator of where the entire industry is trending. For example, we all know the industry’s focus has shifted from preventing attacks to detecting active threats and responding effectively or automatically – a concept referred to as detection and response (enter DR). This is now seen more wholly as threat detection, investigation and response (enter TDIR) by Gartner, or sometimes as XDR depending on who you ask. TDIR is seen as an umbrella acronym in cybersecurity that covers a range of technologies across markets.
Most vendors in the market incorporate some form of ‘DR’ messaging in their marketing strategies. This isn’t new. EDR has been around for over a decade now thanks to Anton Chuvakin, who was at Gartner when he coined that term initially. So I’m not saying that TDIR is a new thing here. But it has evolved from just EDR into a term applied across nearly every segment. Most of the time, each vendor defines it differently, and market analysts also have varying definitions, so it’s a mess. But embrace it, and just learn how to ride the waves as they come instead of resisting, because acronyms are useful in messaging when you don’t want to spell out an entire category 500 times in your brief or presentation.
I could probably do 10 more posts on acronyms alone. Here’s my take on “DR”. I like to refer to DR as standing for “DisRuption”. It’s an acronym that is often used to try and suggest a new technology or new way to solve existing problems. EDR, MDR, NDR, XDR, and on and on. It’s all about disrupting existing markets.
Anyway the point is that as Cyber PMMs, we have to know our acronyms and their roots. Did it originate from a vendor trying to create a new category? If so, which vendor? Was it an analyst firm? If so, which firm? In this industry, acronyms proliferate to an alarming extent, reflecting the complex and jargon-heavy nature of cybersecurity. Get your acronym game in order and use them sparingly, tactically and knowingly.
Conclusion
The cybersecurity industry is a dynamic and multifaceted landscape characterized by chaos and a constant pursuit of security. Cyber PMMs must remain up-to-date with market trends, see the bigger picture, and not get lost in an attempt to ‘control it all’ in order to succeed. A flexible mindset that can ingest new information on a daily basis, stay mentally healthy, and learn how to adapt is vital.
I hope this was a good starting point for anyone starting to scratch the cyber surface and gain a basic lay of the land on the key drivers shaping our industry. Did I miss anything? Please add your comments below.