Fighting for Space in an Overcrowded Cyber Security Vendor Market

So here I am, just a few short weeks into my “tenure” as a cyber security analyst at TAG Cyber, talking to vendor companies, hearing their pitches, and learning how that all fits into TAG Cyber’s non-traditional analyst model. We’re not an analyst firm that writes head-to-head vendor comparisons. We don’t break down technology for end users (though TAG Cyber’s CEO, founder, and head analyst, Ed Amoroso, can certainly hang with the best) and advise CISOs and their teams on what to buy, how to buy, the best ways to implement X solution, etc. Our focus, instead, is listening to security vendors and trying to pick out the ones doing interesting things, in ways that might be different from the other 80 companies in their product space. Gartner, Forrester, IDC—those firms already tell you which companies have what features and functionalities, and who has the greatest market share and best product roadmap. Rather, our job at TAG Cyber is to learn about companies that have a different angle or story to tell. They might not be the biggest or offer the most robust set of capabilities, but they are doing innovative things.

Of course, “innovative” may be in the eye of the beholder, and I am learning that Ed, from his 31 years at AT&T, 17 of them as Chief Security Officer (17!! In a position that normally turns over every 2-3 years!) has a unique perspective on just about every aspect of the market. But that’s what we do: provide subjective feedback and advice to cyber security vendors that are trying to make an impact on the market, even if they’re just a tiny startup. And the most interesting the story, the more likely we are to write about the company and assist with their messaging and positioning.

This approach to analyst work has some of my long-time security friends and colleagues, several of them former analysts, shaking their heads and asking, “um...what?” Yeah, exactly. We aren’t trying to be the same thing as the entrenched cyber security analyst firms. We do things a little differently. We’re a bit weird. We have a cartoon series, for goodness sake. It’s awesome, by the way.

What’s your competitive edge?

Therefore, when we get security vendors on the phone, we want to hear what makes them tick, what makes their product different, and how they plan to continue to exist in a market where the competition is fierce. Already in the 4 weeks I’ve been with TAG Cyber, I’ve heard Ed grumble about the number of vendors who try to make themselves stand out by explaining that the founding team is comprised of ex-Israeli Defense Forces personnel. Heck, I’ve heard it at least 4 or 5 times already.

What I think, upon hearing merely a handful of these calls, is that companies are trying to demonstrate an impressive pedigree, and certainly learning cyber and defense in the IDF or other country's military provides that. But it doesn’t necessarily make you unique or better than all the other startups founded by people with a similar background. Alternatively, what Ed and I are looking for from our vendor briefings is to hear what drives vendors to build a particular security product. That’s what makes them interesting. Lots of people can build tools; just look at the RSA Conference and Black Hat expo floors as all the evidence you need. We don’t need more tools in cyber security. We need more effective tools, tools that are built with a different perspective on the problem. There are already a lot of threat intelligence/firewall/SIEM/vulnerability scanning/email protection/you-name-it tools available.

What makes you unique?

It was eye opening, therefore, to have a conversation about uniqueness with Ed after one such briefing with the founder of a company that sells a nice tool, albeit in a crowded category. You see, as an analyst at TAG Cyber, my job is to find the interesting vendors and write something about them, just like I am writing this blog right now. The blog doesn’t have to be profound and it doesn’t have to include the technology’s architecture, features and functionality, or the vast number of customers who love the product (“customer” is a subjective term anyway). Anything I publish on www.tag-cyber.com simply has to be an interesting story (again, that might be subjective, but that’s our mission).

Getting back to that call—Ed and I always reconvene after our briefings to talk about what we heard. As a new analyst, this is extremely helpful. I get to learn what Ed heard on the call (versus my perspective) and how he would approach a company with messaging and positioning help. For this particular company, the summary of my feedback was: smart person, sounds like they have a nice tool, can’t figure out what makes them different from the 50 other tools we have listed in our vendor directory on our website. Ed agreed (phew). What he said next got me thinking. It was, in a nutshell, this: There are so many vendors that it’s hard to stand out. Sometimes individual vendors don’t have capabilities or functionality that differentiates them from their competitors. And that’s OK. As long as they can make money at it and don’t have fantasies that they’ll become the next big thing, sometimes it’s fine just to have a good, solid tool. Security end users need those, too. That tool doesn’t have to be “disruptive” or a “market leader.” Sometimes it’s fine to simply provide a useful tool to end users who need that type of tool.

What’s your mission?

He likened it to a person's favorite local Italian restaurant (I knew I liked Ed from the start. Food analogies are my jam). Count the number of Italian restaurants within a given radius of your house—maybe it’s 5 miles if you’re in a city or 10 miles if you’re in a suburb or more-remote area. How many of those Italian restaurants serve food that’s radically different from the one down the street? How many of them serve dishes that are even a little different, meaning, the ingredients are basically the same but one place serves pasta with red sauce that uses a lot of basil, another uses nutmeg, a third is heavy on red pepper flakes. In other words, all essentially the same, just a smidge different. The food, itself, is basic Italian, nothing out of the ordinary, and the chef and/or owner isn’t striving for a Michelin Star. Their goal is to offer good food, at good prices, in a comfortable environment. That’s it. Simple.

As a consumer of Italian food, you probably prefer one of these places over the others. Maybe you really love basil in your red sauce or one place has cushy booths. Or maybe you just like the atmosphere and it’s convenient, which is welcome after a long day of hunting down cyber terrorists or fixing software bugs. There’s no real substantive between the 2 or 10 southern Italian places in your ‘hood; you just like one more than the other. And that’s great! Because the restaurant exists and you can eat there whenever you want. It will never make a “Top Ten” list of best restaurants in your town/city/county, but that’s OK with you because that means you never have to make a reservation. The staff know you. They greet you with a smile. When you ask for parmesan to sprinkle on your seafood pasta, they don’t silently condemn you for breaking an Italian food cardinal sin.

What’s your approach to storytelling?

Back to security vendors and the briefing—although our goal as analysts is to find the interesting or different vendors and highlight the ones that have a great story to tell, Ed and I also discussed how refreshing it would be for a vendor to take the “neighborhood Italian restaurant” approach with their marketing and positioning. Not every company is going to be a Microsoft or Symantec. Very, very few companies are going to get acquired for $2.35 billion dollars by Cisco. It’s just not realistic. And that’s OK! Sometimes, a solid-but-not-unique tool with all the requisite functionality is what the customer wants. Maybe you’re that vendor but your product has an especially nice user interface, your solution deploys quickly, or your customer service team is outstanding. Those may not be true market differentiators, but there are, for certain, customers who will love that aspect of your product and keep coming back. Just like customers keep going back to their favorite Italian food spot.

The lesson from this conversation is that, try as companies may, some cyber security vendors don’t have the latest ground-breaking, bleeding-edge, one-of-a-kind solution they’d hoped for. But they do have customers who love them. And that should be the story. Self awareness is important, too. If you fall into this category, recognize that you’re not going to overtake the behemoths unless you truly innovate. And be honest (with yourself and your audience) when you are comparing your solution with others’. If your answer to our question, “what differentiates you from your competitors,” is, “our customers love us,” own it! Don’t try to sell analysts on your uniqueness or your “secret sauce” if you don’t really provide capabilities no one else does. We can read right through it.

And sometimes, analysts like Ed and I will appreciate your candor and write good things about your company because you were forthcoming. We love our respective local Italian restaurants too.