Introduction
My goal with this post isn’t to analyze every vendor in the market – I would need a lot more time to achieve that! The goal is to provide a high level view of vendor realities to try and make some sense of it all. Entering a cyber vendor is a fun adventure but it does have its ups and downs, so I hope my experiences can help shed light on the vendor universe.
I’ve had the opportunity (and challenge) to work for seven vendors as a PMM practitioner for the past 11 years. This roller coaster ride includes twists and turns at Splunk (current gig), Cisco (acquiring Splunk so I’m heading back), VMware (now Broadcom), Siemplify (now Google), Secureworks (Dell), Optiv and Comodo. And with over 3,700 vendors in the industry, the seven vendors I worked for are obviously not representative of every product or service in the market.
I also won’t be describing life inside any particular vendor I’ve worked for; I’ll just share the key themes I’ve discovered from competing in various market segments. This experience gave me exposure to many of the key vendors in the industry in terms of market share and brand recognition. The day-in and day-out battle with many vendors to gain customer mind-share helped me learn the commonalities and differences between vendors.
It’s really not that secretive
A good starting point for this vendor analysis is acknowledging that the cybersecurity industry doesn’t really have too many secrets. You probably don’t need me to analyze any specific vendor. It’s actually very easy to figure out vendors in some ways. The first reason for this is that it is a very incestuous industry. For those of us “on the inside”, we don’t have to look far to find someone in the company that worked for a competitor. Likewise, we won’t have to look far to find someone that is jumping ship to join a competitor. It’s a revolving door scenario. As a result, most vendors are acutely aware of the SWOT analysis across their key competitors. The irony here is that there aren’t many information secrets between information security vendors.
The other reality is that the same set of market analysts from the big analyst firms are speaking to each vendor regularly, collecting data and publishing reports that shine light on each vendor’s SWOT analysis. While these don’t share every little detail about every single vendor, they give good overviews of where the leading vendors stand. The information is available if your company has a license to the firms and reports covering your market, and you should consume these analyst reports. This to me is a foundational part of being a solid PMM – know your market.
The last reason for this openness is that firms are pretty loud about anything remotely close to a strength or differentiator. Just visit the vendor’s website and you can pick up a ton of data and information about that vendor if desired. Or just follow their pages on LinkedIn, and you’ll see key updates or launches or announcements. You can also take advantage of all the open source vendor information such as product demo videos, webinars, conference booths, financial disclosures, and other content that exists on vendor websites. There’s a gold mine of information on vendors out there if you have the time to look for it – of course, if you’re a Cyber PMM, you won’t, but just know it’s there :).
Vendor Commonalities
So what do vendors have in common? First, vendors in cybersecurity are driven by similar market forces and trends. The main driver across vendors is revenue and profitability, as expected, and everything else is built around that objective. All vendors are subject to similar budgets available for security buyers for certain product areas. Are you marketing an EDR product? Well, you will be up against an existing vendor that has already gained that wallet share, or competing with the leading EDR vendors for it. So all vendors have to face the same buyer realities.
Similarly, all vendors are subject to the same market realities that shape market conversations. For example, during the pandemic in 2020, you saw vendors posting similar statements and engaging in similar content production efforts on “securing remote work”. And industry conferences force all vendors into the same show floor at RSAC or Black Hat, with each vendor having a very similar approach to joining those events.
Most vendors are also engaged in the same types of marketing activities, have similar business growth goals, and similar go-to-market (GTM) org structures. The main functional groups fit somewhere within Marketing or Sales. In Marketing, I’ve seen the following groups consistently represented (though with varying names): PMM, Demand Generation, Creative, Events, Field, and Analyst Relations. I’ve often referred to a Venn diagram of Product Marketing sitting in the middle of these groups because we usually need to interact with all of them to be successful. This has the advantage of being a nexus point between each group but has the disadvantage of an unclear role in the organization.
Sales is often divided into Regional Sales led by managers of certain geographies, and Sales Engineering counterparts. This is like a Jobs & Wozniak situation where you have both “seller” and “techie” working together to realize a customer objective. Personally, I’ve always enjoyed working with SEs more than Sales because I’m more of a technology nerd than I am a talker. But you need to work with both. You will also have a group that focuses on lead conversion, sometimes referred to as Sales Development Reps (SDRs) or Demand Gen Reps (DGRs). Some companies also distinguish sellers between “Enterprise” vs. “Commercial” vs. “Public” etc.
Note that Product Management (PM) is also often considered a close “sibling” of the GTM organization. This is because they are advising on product launches very early in the process, and then often pulled into the Sales process at the latter stages of the buyer’s journey when a buyer is looking for use case validation for their needs. PM is also critical to the success of placement in industry analyst reports like Gartner Magic Quadrants because they will provide the demo to the analyst doing an inquiry, and will fill out the meatier parts of their infamously granular spreadsheets. Alignment with PM will be a conversation for another post – there’s just too much to cover here.
Similar Leadership Influences
These GTM structures across each vendor are typically led by a Chief Revenue Officer (CRO), or a combination of a CRO and a Chief Marketing Officer (CMO). You can replace “Chief” with “SVP/VP” in most cases. The CMO should in my view report directly to the CEO but there have been cases where I’ve seen “anti-marketing” CEOs at the helm, and they’ve layered CMOs under a CRO. Also in some cases, I’ve seen CEOs diligently scanning through Sales forecasts to predict if they’ll still have a job in a few months. If forecasts are low or are inaccurate, you can expect there to be a lot of hard conversations with the regional sales managers to get their act together.
And if the sales pipeline is lower than expected, you can expect your CMO to start asking tough questions which will impact your life in some way. This is why I can understand some CEOs thinking it’s all one organization, and the CMO should report to the CRO, but I think that Marketing is its own animal and too important to bury. I’m just providing a few examples of how I’ve seen things work (not how they should work) because just like any organization that’s ever existed, it starts at the top. This is why I will note later that the biggest difference between vendors is leadership and culture. Companies live and die by the quality of their leaders and it has proven true in my experience that my best learning experiences were when working for high quality leaders, and the worst when I was under poor leadership at the highest levels.
There is almost always a dynamic between the product or engineering leadership and the GTM leadership. Product and Engineering leaders typically fit into the CPO or CTO titles, but when it comes down to it the person with the most influence in that world is the person that owns Engineering. The reason for this is simple. Engineers are those that are either going to make a product launch happen on time or not. So the person in the company that is dictating how developers should spend their time, and on which efforts, wins the day, or loses it! This failure of thoughtful planning is responsible for untold tragedies in terms of time and effort wasted going in the wrong direction. I’ve witnessed some really terrible examples of how engineering teams are completely unaligned to product management functions and in turn to market realities.
Ownership Differences
While you will find a similar organizational structure across vendors there are a few areas where differences are evident. The two key areas that I’ve seen include ownership structure and culture.
Ownership structure nuances depend on whether the vendor is publicly traded or privately held. In the publicly traded world, there is a greater emphasis on quarterly reporting and planning, and more comments like, “did you hear what the CEO said on the earnings call?” Whereas in the private world, you can expect less rigid structure and more rapid innovation, but this comes with more confusion. Less objectivity in decision making is the norm in the privately held company world and more decisions are based on someone’s “gut” vs. proven methodologies.
In the publicly traded company world, you will see more standard answers, more routine meetings, and more structure. I’ll admit, it’s just more boring and you will find yourself on calls with 25 people to solve a basic problem. This creates less of an ability to innovate (innovator’s dilemma) on the whole because new ideas are less welcome and harder to make a reality.
You have to find your sweet spot. I’ve found both good and bad aspects in both the public and private worlds from my experience across startups to Fortune 500s. I’ve seen a variety of structures, systems, and leadership teams succeed and fail. Everything depends upon where the vendor is in their growth journey.
Cultural Differences
Alongside the ownership structure, the biggest difference across vendors from my observation comes down to culture. In the healthier vendor organizations I’ve seen, a solid leader drives a customer-first culture that is blended with an eagerness to meet those customers’ needs with amazing products or services. The common obstacle to this ideal is that someone at the top thinks they “know better” and they begin building something without first validating a market need, speaking with key customers, and briefing analysts on plans first. This type of arrogance is a recipe for disaster. As the saying goes, “beware of creating a solution in search of a problem.”
Each vendor has a unique culture and I haven’t found two alike. A unique culture is shaped by factors such as the founder’s vision, the year the company was founded, the founding team, where funding comes from, the state or country where the company is headquartered, and how fast the company has grown (or not grown), among a number of other factors. Oftentimes, the Human Resources or People team will have an initiative to “improve our culture” but it usually amounts to hosting some awkward get-together once per quarter, like some kind of forced family gathering where the kids roll their eyes and ask, “can I go back to my room now?” The truth is that entire industries have a culture as well. And as discussed earlier, cybersecurity can be a chaotic place to work driven by a bunch of factors I won’t dive into again. It comes down to a lot of mistrust mixed with profit incentives and the realization for some that “cybersecurity” is a depressing impossibility.
I’ve seen many leaders stand up in front of their entire company and state some idyllic vision that was written at an “offsite” meeting with the leadership team. They state things like “to secure unstoppably amazing societal progress” or something else fluffy like that. And I totally understand the need for a vision statement, but at the same time the way it’s manufactured within most vendors seems so fake that it’s hard to get behind.
Many companies will also try to force-feed “cultural values” like “Openness” or “Respectful Honesty” but you can’t manufacture culture. It either exists or it doesn’t and leaders either embody the values they want everyone to follow or they don’t. I think the bottom line is that you need to bring your own set of values to work every day. I don’t think it’s a company’s job to teach people how to behave. If a 42-year-old employee doesn’t know how to behave or respect others at work, then don’t expect some cultural code of “respectful honesty” to fix that. That ship has long since sailed from the dock.
Cyber PMMs Influence Within Vendors
In this messy dynamic, Cyber PMMs have an influence beyond what many think. I have seen top quality PMM leaders get mindshare with CEOs simply by demonstrating a market need for a certain product, or by conducting the requisite market research and analysis that stands against unjustified development plans. CEOs in that case will sometimes lose sleep and begin asking, “Is the CPO/CTO really in tune with this market or are we wasting millions?” And sometimes that’s all you need to right the course of a ship going in the wrong direction. PMMs ensure product-market fit.
Our ruthless presentation of facts, research, survey data, market forecasts, and most importantly – the voice of the customer, will win over any level-headed business leader. It’s our job to make sure those facts make their way around the company. At every stage you get, be sure to present them with a fierce nature and smart leaders will listen. Smart Sales leaders will listen because they are looking for more customers to sell into and want elbow room in “blue ocean” markets. Smart Marketing peers will listen because their success needs to be based on an actual market-based conversation. And Smart PM peers will listen because product development needs to be based on broader market and buyer realities, as discussed in this post. Everyone wants to win.
PMMs within any vendor environment can shape strategic objectives by introducing customer evidence into the equation that was missing previously. But it depends on leaders that take it seriously. Without customer-obsession, vendors are doomed to fail because they really have no value beyond meeting actual market/customer needs. Surely you are asking, “but that data sheet I built, that’s valuable isn’t it?” Not if it’s written to address the wrong customer problem. Or if it’s targeted at the wrong persona. Or if you are not messaging your product around the right set of customer outcomes. Content is just a vehicle to carry a message that should be painting your customer as the hero of the story. The best vendors understand that it’s less about the quantity of outputs and more about targeted, surgical actions.
You’re likely going to feel some level of imposter syndrome as a PMM when you’re surrounded by all these other “essential” functions. Engineering has a clear function and objective – to develop products. Sales… sells them. Product Management builds the roadmap. Accounting pays the bills. And so on. If you asked these functions to state simply what a PMM does they would give you many different answers. Sales would say, “they build content for me.” Product Management would say, “they pretty up my stuff.” Accounting would say, “they are a cost.” Never mind them.
We need to be grounded in the value we deliver with confidence. That confidence comes from being the best friend and voice of the most important person to the business when they aren’t in the room and that is the CUSTOMER. You can never ask, “how does this activity benefit our customers?”, and be kicked out of a meeting. There’s always a need for that voice. We are that voice. That’s our influence.
Is Cybersecurity Dysfunctional?
Based on the similarity of challenges that I have witnessed across most vendors, I sometimes wonder if there is something systematically dysfunctional about our entire industry. The grass never seems to be greener on the other side – or at the other vendor. I once heard someone from a new vendor I joined quip, “the grass may not be greener here, but it’s a little less brown.”
I have seen presentations at events that say all vendors, especially marketers, are “selling snake oil”. This assertion always gets laughs, but is there any truth to that? I also hear questions like, “how can certain IT vendors sell security products to protect their own vulnerabilities?” So it makes you wonder if maybe the entire industry is just dysfunctional and that we are crazy to work in these halls.
Here’s my take: with any industry there is never perfection. And there is always potential for dysfunction by individuals, so I’m not ready to say that the industry is “inherently dysfunctional”. I can’t provide any more evidence for this claim than is true for any other industry. Sure, I’ve heard stories of employees being fired for unethical mistakes they made, or companies being fined for unethical decisions, but which industry doesn’t find these cases? These are really individual acts of unethical behavior that don’t really mean the industry is corrupt as a whole.
Also, calling every product or service “snake oil” isn’t fair. When defenses are built it does create technical layers and headaches for threat actors, which increases the cost and time needed for their hacking operations. The problem is that too many marketers promote products beyond their function. It’s better to acknowledge that while there is never a silver bullet, having defensive technologies in place is better than nothing. Think about your home security system for example, however basic it is. Do you lock your doors when you go on vacation? I sure hope so. Can thieves still buy enough sophisticated equipment to break in? Sure, it happens every minute. But by installing cameras, floodlights, trip wires, grenades – whatever, you can put in defenses that make your house not worth the cost of breaking in. The marketers of each of those home security components shouldn’t claim, “stop all thieves”.
Vendors as Part of our National Security Apparatus
Cyber vendors have a role to play in broader national security. I’m not saying you’re Jack Bauer all of a sudden, calm down :). I’m just saying that our national security modernization efforts now treat cyber as a war domain, with a mission to protect IT infrastructure and cloud services as you would treat our other key utilities like electricity, water, food, or transportation. The companies delivering these critical services have a responsibility to prevent data breaches. Just look at the recent ransomware attacks on this children’s hospital if you think I’m exaggerating.
In this sense, vendors are partly responsible for protecting our national infrastructure from threat actors as we provide the tools to protect our way of life. Everything connects – and our role might seem distant from national security, but in the end it all connects. And part of our role is about being open and honest about the vulnerabilities in our products. I’ll say it again, we shouldn’t be marketing them as “fail safe” or by putting any other hype around our messaging that misleads buyers. Be realistic and don’t take your role lightly.
I also fear that if our national cybersecurity policies are not taken more seriously, we might eventually see a move to nationalize IT/digital infrastructure in the name of national security. I see more and more evidence of this daily – just look at the nation-state attacks against our elections, the theft of our core intellectual property, the theft of our military secrets, and the ability to shut down our electrical grid or nuclear power plants, and so on.
We need to ask how vulnerable we are to leave these systems out to fend for themselves and buy products from privately held firms with profit (not national security) incentives. It’s a very tricky line to walk right now and with each passing day producing more data breach headlines, the situation is not going away any time soon. I don’t have the answer, but it’s cause for conversation about the industry at large, and each vendor’s role in national security, not just the economy.
Closing
Vendors have a lot in common and there aren’t too many special snowflakes in this industry. The key factor for what makes a vendor unique is their culture. No vendor will produce a magic pill that prevents all cyberattacks. Cyber PMMs are part of similar GTM org structures and our role is to be the customer’s voice in every conversation among other superpowers we bring to the table. Vendors help cybersecurity teams in the fight against the threat actors that are doing bad things. As a result, vendors are an important part of our economy and national security, and Cyber PMMs should remember this to bring more meaning and satisfaction to our role.