
Introduction

Now that we’ve gone through an overview of the industry, Cyber PMMs need to understand the markets and buyers within the industry. Who/what are they? What are the key spending drivers? These questions and more are important to consider because at the end of the day we are marketing… products. And products require… buyers. And buyers… sit within companies. And companies… sit within markets. And markets create… industries. 

Defining every industry, market and buyer would require more time than I have, so I will try to distill this down to the basic principles.

The Importance of Market Segmentation

Let’s start with the basics. At a 30,000-foot level, every company in every industry has IT to protect and someone building a security program around it. That someone can be a single IT person wearing 15 hats and doing security on the side for an 8-person small business in Tulsa. It doesn’t matter. At some point, decisions are being made about cybersecurity; even if a company decides to neglect it, that’s still a cybersecurity decision, however unwise. Often there is simply no time or bandwidth, and I get that. But the point is that every organization in every industry now has to deal with cybersecurity at some point. 

I’m assuming there aren’t any companies left without a digital component to their operations. By the way, if someone thinks of a case where this isn’t true, please post a comment, I’m genuinely intrigued by this question. Is there any organization left without some digital component to their operations? I mean, is anyone not using email or a website at this point? Does anyone not have digital files stored on local devices or in the cloud? I was thinking that blue collar companies are immune, but then I recently hired a contractor to fix my backyard fence. And while everything he did during the project was with his hands, we still communicated by email, and I paid his invoice by credit card with a link he emailed me. 

I suppose you could argue that it wasn’t his problem – and that really Google/Gmail was responsible for cybersecurity, and that the payment processor secured the transaction. So I can see that position. But won’t that contractor also have to file taxes at year end, and save a 1040 PDF on his machine? I mean, there are all kinds of ways we can dissect this problem, but ultimately I think we can say that the vast majority of organizations are making cybersecurity decisions. Again, even if those decisions are to neglect cybersecurity altogether, that’s still a decision. 

The reason I’m starting here is because we can assume that every industry is going to be a potential market for cybersecurity products and services. Now the nuances of each industry from financial services to healthcare to manufacturing are going to vary, but we can say up front that market segmentation will require a broad view. 

Ok, with that baseline aside, it’s also important to understand a few other demographics of the companies within an industry: which countries a given industry mainly operates in, which IT tools it mostly uses, and how many employees its firms have, to name a few. Geography matters in terms of local regulations, but I would argue that most industries are global; we can assume that every country has a banking system that needs cybersecurity, even if the regulations governing it differ. 

Then each industry has a list of the top 500 or so firms that dominate it. In some cases the number is much lower, say a top 100, 50, 10 or 5. There are banks like JP Morgan Chase, but then there are small regional banks in every city in the US, right? Targeting a whale like JPMC is a much different process and conversation than targeting Bank of the Rockies or whatever. But that doesn’t mean the two banks don’t operate in the same industry. This is why we need more demographic factors, such as revenue and employee count, to stack rank the organizations in each industry. 

With that aside, the next part of market segmentation is targeting specific companies in the industries you prioritize, based on your product’s fit for that segment. Understanding a segment’s cybersecurity needs depends on knowing the industry’s commonalities in terms of general IT and security environments. So a market segmentation breakdown might look like this:

Industry | Segment        | Geography     | Employees        | Revenue        | Characteristic C
Banking  | Top 100 Banks  | United States | >5,000 employees | $10B to $100B+ |
Banking  | Regional Banks | United States | <1,000 employees | $10M to $100M  |
Banking  | Top 50 Banks   | Japan         | >3,000 employees | >$1B           |
Example Segmentation Exercise

Any number of characteristics can be measured, but a company’s IT footprint is a particularly useful measure of its cybersecurity challenges. Gathering this context helps when thinking about broader markets and how your products fit into them. How many devices do they typically manage? Which enterprise apps do they mostly use (SFDC, Workday, Office 365, etc.)? Are they cloud-based or on-prem, and why? How large are their IT and security teams? Do they outsource to an MSSP or MDR provider? Are they likely already using a competing tool? Do they commonly use other security tools in domains like identity and access management, endpoint security, network security, or SIEM? And so on.

This is why the term “product-market fit” has become so popular. When engineering a product or service, it should apply broadly to a market segment, not just to a single end user. Whether it’s financial services, healthcare, retail, manufacturing, or any other industry, you need some sense of where your product is most likely to be adopted, based on broader market segmentation. 

In many cases, winning in one market leads to winning in another over time, because business success is built on referrals and proof points from existing happy customers. A beachhead of several happy financial services customers improves the odds not only of more market share in finserv, but also of gaining legal or insurance customers, for example. This is referred to as the “bowling pin model”, and a great example of it is found in a recent How to Win podcast with the founder of Pendo.

Building Buyer Personas in Cybersecurity

I realize market segmentation requires more of an explanation, so I recommend finding other books, posts or resources from experts in this area if you want a deeper dive. Just ChatGPT it 🙂

After segmentation is sorted, it’s time to think about the actual buyers of cybersecurity products and services. Typically this process begins with defining your target buyer personas. There is a limited list of roles within security teams today. For simplicity’s sake, these personas can be broken down into security leaders and security practitioners, though recent research indicates that security purchases are increasingly made by buying groups or committees of eight or more people, including folks from other groups. So do not discount the influence of IT or infrastructure roles on security purchases. 

Security leaders have titles like Chief Information Security Officer (CISO) or VP of Information Security. (Quick note: if you want to stay friends with me, it’s pronounced “See-So”, not “Sizzo”, and definitely not “Sisso”, but I won’t hold it against you if you say it that way 😀). I won’t build a complete persona template here, so check out this link for an example. This can go as deep as you want it to, and I recommend also adding sections like:

  • Key Challenges
  • Objectives
  • Reporting Structure
  • Key Influences
  • Information Sources
  • Content Needed
  • Budget Considerations
  • Technology Needs

Then I like to differentiate practitioners such as SOC Directors, Security Analysts, Security Engineers, Incident Response Consultants, etc. as unique personas. There are common titles like Security Analyst, SOC Analyst, Incident Responder, Security Architect, and Security Engineer, but these vary in detail, e.g. Senior SOC Analyst II. You can apply the same categories from the CISO template above to build a profile for each of these personas, depending on who you are targeting. Again, since so many security purchases are really a “decision by committee”, it’s important to consider these security personas as well as those in IT like CIOs, IT Directors, Compliance Officers, and others. 

There are several reasons why this exercise is critical. First, when your Sales team goes out to bring in new accounts, they will need training and enablement based on who they are talking to. Next, you can’t build effective messaging without knowing your audience. You have to know which persona you are talking to and how to make them the hero of your story by using your product or service. Think about the best Super Bowl ads you’ve ever seen: they target a definitive audience. Then, when you are building campaigns and the content to enable them, you can build both around persona needs so that everyone in the buying process has what they need to make an informed decision. Since most buyers research products before getting on the phone, this is becoming more essential by the day. 

Buyer Motivations and Pressures

All of these personas are influenced by the motivations and pressures of keeping their systems secure in one way or another. CEOs ask the CISO, “are we safe from the XYZ breach risk?” That’s the bottom line: “are we at risk?” or “are we safe?” Being insecure (or even appearing insecure) means lost trust. Lost trust from customers means lost business. Lost business means CEOs get fired and companies collapse. I’d call that motivation. Another pressure point is, “are we safe from fines for non-compliance?” With fines and penalties for non-compliance increasing, this has become a key motivation for security teams. 

While the CISO sometimes reports to the CIO, CISOs end up effectively reporting to the CEO when there are high-priority security situations. CISOs are getting a seat at the board level because cybersecurity is such a critical element of success and failure. CIOs also can’t keep up with the dynamics of security well enough to report on the details, so boards want to cut to the chase and press the CISO directly for straight answers. 

For example, when big hacks are announced in the news, everyone panics, and this drives urgent board meetings with questions about current risk exposure. So the CISO is often put in high-pressure scenarios like this to address risk or respond to specific threat campaigns like new ransomware attacks. “We don’t want to be a news headline tomorrow” is a motivator. Becoming the main story or headline as the subject of a breach is devastating.

Think about being a customer of a company that just got hacked. It’s not fun to learn that your data was exposed in a breach, though it happens all the time. And due to new disclosure regulations, I am receiving more and more letters in the mail that say, “your data may have been compromised in a recent breach of our systems.” This accountability is a step in the right direction, and I’m seeing requirements in the works from the SEC that would require publicly traded companies to have a security leader employed and follow stricter requirements. But the point is that this is all making it hard to be a CISO. 

The story of the Uber CISO who nearly went to jail for covering up a breach is an example of how things can develop. Then there’s the infamous SolarWinds case. As this article quotes, “SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks,” the SEC said, referring to Timothy Brown, the company’s former chief information security officer. I’m sharing these cases to highlight how the stakes are getting more and more serious. As a result, becoming a CISO is not as glamorous as it once was. It’s a serious position to hold in risky times. 

The Security Buying Committee 

Let’s call the group of security professionals and IT managers with security influence in a typical firm the security “buying committee”. Instead of rehashing what a buying committee is, check out this article, which lists members such as the champion, economic buyers, technical buyers, end users, and other department leaders. 

This group is responsible for purchasing a stack of complex technologies to keep their organization safe and to address compliance. Without naming every single type of technology they will purchase, the most common technology buckets are services, SIEM, endpoint security, email security, cloud security, identity and access management, network security (firewall, IDS/IPS), and SOAR. 

Many teams use guidelines and architectures from organizations like NIST to guide their security strategy and cover all their bases. They may also refer to analyst firm reports like the Gartner Magic Quadrant to generate vendor shortlists. 

Once a shortlist is generated, the firm will often issue a Request for Proposal (RFP) to that shortlist of vendors, and then those vendors are off to the races. They fly in to present, or more likely now they Zoom in to present, and the comparisons begin. In that process a ton of questions are asked to compare and contrast vendor features, and I have been asked on many occasions to help write descriptions during this process to support vendor positioning. 

However, there is usually a team dedicated to this process internally. And the buyer will either have the content and tools needed to justify buying your product, or you will lose the deal. So in one way or another, PMMs are connected to these buying decisions. Cyber PMMs have done a good job if our firms are even in those conversations and being shortlisted, because we created the value perception needed to earn a place in the buyer’s mind-share. From there, if a flawed product shows up to a demo and gets outdone by a competitor’s features or user interface, that is hard to blame on PMM. That usually indicates a lack of product innovation, which we can’t create. 

The buying committee also makes informed decisions based on further inputs from asking peer groups for recommendations, searching vendor websites for information, reviewing costs against available budget, attending trade shows, having end users watch demos, and digesting the ocean of content generated by vendors within each market segment. 

This is a lot to process and adopting or offloading a new enterprise technology is very painful, especially if there is a migration between competitors with different UIs and systems. Security buying committees are also constrained by limited budgets and a complex stack of existing vendor technologies that are hard to untangle from. Empathy about this fact is key to shining in this process and winning deals. 

Learning From the Process

So how can we Cyber PMMs become involved in this process? First, connecting with the Sales team and reading win/loss reports wherever they exist is vital. Sometimes it’s just an email sent out about losing a deal, or a win story sent out by a seller. 

In my experience, these reports are rarely enforced or well structured, and it requires some Sherlock Holmes work internally to get access to SFDC, where you can click into each account. Note that Sales is not usually very adept at adding notes into SFDC because they are busy, ya know, selling! So don’t put too much expectation on the field in this area; unless their direct managers require accurate reporting, it will be hard to find. The point is that you need to know buyer behavior, and getting access to buyers will depend in part on your access to Sales. So nurture that connection and automate as much reporting as you can, because you can’t sit on Zoom all day meeting sellers and taking their time.

Sales surveys are a tool I highly recommend for understanding buyer dynamics in your product area. A simple 10-question survey on which product features are helping win or lose deals, and which content sellers find most helpful, can help you realize where you should focus more of your time. 

You only have so much time in the day so try to design your time to be data-driven instead of throwing spaghetti at the wall and seeing what sticks. And having data with you also aligns cross-functional marketing teams to see the “why” of the requests you’re submitting to them. 

When you submit a Jira ticket to create an asset, for example, just add a simple note like, “In our recent conversations with sales and buyers, we found that 74% of them would like to hear more about how we solve for ransomware in financial services but struggle to find that information.” That typically creates more alignment than no rationale at all.

There are other ways to get more involved and I recommend if you’re interested in this you can read this post where I dive into this topic in more depth. 

Customer Data and Market Trends

Customer data and telemetry is another must-have input for Cyber PMMs. This is an extension of the market segmentation exercise we addressed earlier: if you know the total addressable market (TAM) for your product, then you should measure how much of that market you have today. This gives everyone a sense of your potential to grow in the market, or lack thereof. 

Answering questions such as:

  • How many customers use your product today? 
  • What is the total revenue being generated and growth rate?
  • Which geographies and industries are they in? 
  • How are they using the product (for which features and use cases)? 
  • Are they buying and then not adopting it with actual use cases? 
  • Who are we losing deals to the most, and why? 

Asking these questions not only validates market growth but also helps you understand whether you should address customer adoption issues or whether the issue is new logo acquisition. Or perhaps there is a single feature you are losing the majority of deals over, and you can address that specifically. Data drives better actions. 

Oftentimes the reality is that you won’t be able to access usage data for on-premises products, but with most cloud-based technologies you can measure almost anything. Engage with your product management peers to get access to what they are reporting on, because I can guarantee you they are looking into those metrics to report up to their superiors. A simple access request to those documents is almost always accepted unless they contain customer information that really should be kept restricted.

Some of you are thinking, “who has time for all this?” Don’t get me wrong, you don’t have to start sitting in spreadsheets all day. Work with others and ask for help. There’s almost always a finance nerd in your organization who works in spreadsheets all day on things like CAGR and TAM. Build a bridge to these employees, explain why you are seeking the information, and always demonstrate why it’s essential to business growth. They will understand and help you out. 

Impact of Service Providers

Another key reality with the security buying committee is that they are resource-constrained. People in cybersecurity are really short on bandwidth these days. I’ve seen estimates of 2 to 3 million workers needed to address the current job shortage across the industry. 

This is why the highest-growth market segment in cybersecurity remains security services for the foreseeable future, and especially those service providers that are able to scale by using automation, because they face the same talent shortage. This is also what is giving rise to the attractiveness of automation and AI tools.

Service providers such as MSSPs, MDR providers, security consultancies, and incident response firms are busier than ever and growing at a high rate due to this outsourcing trend. The buyers you are selling to are more than likely engaging service providers for some type of contracted services that will affect how your technology is used and deployed. 

For example, if you are trying to sell any type of endpoint detection technology into an account or market, you need to understand that a service provider is going to affect that conversation. The buyer may say, “our MSSP uses its own agent for endpoint detection, so we won’t require that capability right now.” Part of any product marketing strategy needs to assess how partners would manage your technology on your buyer’s behalf.

I’ve seen this first hand. When I was at Optiv, one of the highest-growth businesses was in the area of “co-managed” technology services, because buyers needed extra sets of hands and pairs of eyes to do the actual day-to-day configuration, changes, patching, alert monitoring and triage for required security technologies. I also saw how Secureworks impacted many technology decisions for its clients based on the use of their own technology. 

Anyway, I will discuss more about the trends and product marketing factors related to services providers in a later post. 

Conclusion

The journey to becoming a successful Cyber PMM starts with understanding market segmentation, identifying buyer personas, and unraveling the motivations and pressures driving cybersecurity buying decisions. The dynamics of the security buying committee and the pivotal role of sales enablement underscore the need for Cyber PMMs to understand both the technological and the human elements of cybersecurity. Leveraging customer data and market trends makes it clear that the key to success lies in data-driven decision-making and a thorough grasp of how cybersecurity buyers buy.

In the next Industry Dynamics post, I will be diving more into the realm of vendor dynamics. Stay tuned, and I look forward to hearing your comments or opinions on this topic. 

Please let me know your thoughts on LinkedIn, X or here on www.cyberpmm.com.