When you think about commodity markets, what categories come to mind? Oil? Gas? Metals? Corn? Coffee? And when you think about these categories, what are some attributes of each that contribute to their designation as a commodity? Uniformity? Fungibility? High demand? Necessity? Price fluctuation? All of the above?
There are probably finance experts who have ironclad definitions, and other non-experts who have opinions. But for practical purposes, and based on definitions from well-respected finance and dictionary websites (i.e., not Wikipedia), let’s assume that to be considered a commodity, a product or good:
If we take just the first four bullets, we could easily be referring to the cyber security products market. Before you take offense, let me explain:
At TAG Cyber, we bucket 54 categories of cyber security controls into which vendor products fit. Other analyst firms and industry frameworks have their own definitions and categories—some more, some less—but, generally speaking, when you think of EDR vendors, for instance, you might think of SentinelOne, Carbon Black, or FireEye. When you consider identity management solutions, you might evaluate Sailpoint, Microsoft, or Okta.
Products in each space (54 or otherwise) are abundant. It is exceptionally rare to come across a commercial tool without direct competitors. Especially when a space is more established, there can be—minimally—dozens of tools an enterprise security team might consider before narrowing down to a shortlist of acceptable options. But even in more nascent spaces, like edge tools, if you look hard enough, you can find a handful of solid vendors. And the technical differences between them are minimal.
I know vendors are going to balk at this. But the TAG Cyber analysts participate in 600+ briefings per year and are asked by our enterprise clients to create side-by-side comparisons of tools all the time. I assure you that the technical differentiators are not as big as the marketing messages makes them seem.
For comparison, let’s take coffee—a clear commodity. How and where coffee beans are grown have an impact on taste. How is the soil fertilized? How much sunlight do the plants get? At what point are the beans picked? How are they dried? How are they stored? For how long? Then the roasting and brewing processes refine the taste even further.
This is why there is such variance in the taste of the final product. Nonetheless, when you taste a cup of coffee, you know it’s a cup of coffee and its big bucket characteristics are that of other cups of coffee. You might prefer the taste of certain coffees more than others, but they are, at their core, interchangeable on the surface and achieve the same goal of being a cup of coffee.
Flipping back to cyber security, this is exactly how large numbers of vendors can compete in each space; it’s their “growing” and “roasting” processes that are their secret sauce, so to speak. Still, the goal for each category—securing endpoints, controlling access to resources, inspecting network traffic, etc.—is exactly the same between vendors, and the means by which this goal is achieved is only slightly different from vendor to vendor. The core elements of protection must be there, based on networking and architectural requirements and the ubiquity of types of resources/assets businesses must protect.
It’s why marketing and selling vendor products is so difficult. The sheer number of vendors, the high market demand for security products, and the necessity of those products for modern business all contribute to the uniformity and fungibility of these products—making them a commodity.
It’s also why many analyst firms stack rank vendor products—to give enterprises the opportunity to quickly and easily see products in each category and then nitpick the features and functionality of each.
It is, however, a fallacy that the features and functionality of each tool are vastly different. When we at TAG are asked to compare features and functionality side-by-side, more than 90% of the time we cannot reasonably argue significant variation between products. When, on the other hand, we speak to vendors, they make a very big deal about their differentiated features and functionality.
This disconnect is one big argument for security products as a commodity market. The tools in every category are abundant and they all serve to solve the same problems (be they at the endpoint, during access requests, on the network, between networks, etc.). The capabilities of the tools are similar—this isn’t a knock on security vendors; it’s inherent in the design of the industry. If you’re going to buy tires for your car, for example, the contrast between brands and models that fit your particular car are all very similar. It is what it is.
As a security vendor, then, you can choose to make a big deal out of features and functionality and risk someone (like an analyst or prospective customer) pointing out that they aren’t unique, or you can choose to celebrate the things that do make the company unique. Your history. Your background. Your passion. Your mission. Your fit in the customer’s environment.
If you choose to focus on the tech, make certain that you are truly capable of something unique. Don’t claim that you are the only vendor that can stop malicious traffic at the application layer, that no one can eliminate false positives the way your platform can, or that a zero trust architecture is your discriminating feature. Someone will call you out on it and distrust you henceforth. Case in point, just the other day, a vendor was claiming to have invented a new way of biometric-based authentication and Ed pointed out that he’d written his doctoral thesis on something similar in the 1990s.
Also, make sure that if you are pointing out and counting on what you believe to be a technical differentiator for your product, it matters. Do I care how my coffee was grown or roasted if I like the taste? I do not. If get a good cup of coffee, that’s what matters.
In a commodity market, it’s the little details, and maybe those aren’t tech details at all. In a commodity market, it’s the best story that wins. Thus, when declaring uniqueness, be 100% certain that no one else can claim what you do. We get a lot of vendors arguing, “no one else can do this,” and when we say, “this competitor over here claims they do,” we then spend ten minutes arguing about whether that’s true. If another vendor is claiming that they do and can make a reasonable argument about it by describing their “roasting” or “brewing” process, is it worth your time on every call to be arguing that point? Or are you better off finding some other aspect that truly differentiates you?
And here’s the secret: in a commodity market, you don’t have to be dramatically different; you just have to have the right features and functionality such that the product does what it says it does, and a message that resonates with buyers such that they buy and keep you in business. The lesson is, then, accept that your security product is part of a crowded market space and that many evaluators will view your product as having mostly the same characteristics as others in the space. Celebrate the processes or the mindset that sets your company or product apart. Don’t argue that a coffee bean isn’t a coffee bean. It’s not worth your time. You have better things to tell prospective clients.