Avoiding The Infosec Extinction Part 2.

1600 words, 8 minutes.

Turning Up The Magnification

Three lens microscope for simultaneous observations. 1882

This is the second of a short series of posts about the Cyber Security market. This market is interesting now because I believe it’s at a juncture where we can choose one of two possible futures. We being the product builders, investors, and customers. In the previous post I presented you with a choice. A choice between a beautiful fantasy, and practical reality.

Congratulations. If you’re still reading then you’ve chosen reality. You’ve realised a spiralling number of products, shortage of skills, and growing necessity for integration, are the real barriers to better customer outcomes. You’re prepared to entertain the idea that budget holders will be reluctant to allocate funds if there is little or no evidence of their risk being reduced. You’ve anticipated these factors are hampering adoption of otherwise brilliant, effective products, and the commercial success of the those who make them. Either that or you’re just curious about the treasure I spoke of.

Nothing is for free. Before we get to the treasure you’re going to have do some work. Reading this post is that work.

What if you don’t agree with me when I say the real danger isn’t “elite hackers” or the “Internet Of Things gone rogue”? What if you don’t share my concern that the greater danger is vendors descending into shampoo-bottle, age-defying pseudoscience in an effort to sell product to customers bamboozled by choice? In that case it’s I who have work to do. This post is that work.

The Explosion In Products

Take a look at the slide below from Momentum Partners. The logos are so small they might as well be bacteria on a microscope slide. Click it to get the x10 zoom, again for x100. There are about 600 Cyber Security companies across 20 categories under the microscope.

This isn’t the whole market, it’s most of it. Some companies solve a significant problem. Many are just features that belong inside someone else’s product or products that belong inside someone else’s company.

Being a single-feature product or a single-feature company doesn’t mean the feature is superfluous. It means the delivery of it into the customer’s hand is economically inefficient at best, and non-viable at worst. Modulo the remaining funds you’ve raised from your investors. Thanks, investors.

This slide is what happens when customers look to solve one point-problem after another. It’s what happens when vendors obsess about building a better mousetrap, cockroach trap, moth trap, or fly-zapper. Eventually your house is stuffed with traps and your time is spent maintaining them. The burden of running it all and the supplier relationships become overwhelming. You start buying trap monitoring and management systems. You only discover all this once you’ve made the first half dozen or so purchases.

Large customers might want one product from each category. Twenty product line-ups to consider. You’d need to embark on 80-100 on-paper product reviews, 40 product trials, 20 procurements. If you really wanted to be thorough or had a complex estate requiring more than 1 product from a category, you could double those numbers. Double.

“But you wouldn’t buy them all in year 1!"

No you wouldn’t. You’d start with 20% of products already deployed. Add another 20% each year. 4 procurements per year, 8 in-depth trials, and 20 on-paper product reviews. Per year. Every product or service must be installed, commissioned, configured, supported, and maintained. After 4 years you have 100% coverage. 4 years.

“But what about consolidation?"

UTM was a great, customers loved it. It consolidated a good three or four products into one. However, new categories or products are appearing all the time. The chances are that next year there will be more logos on the slide than this year. Can you see where this is going? This explosion of products and companies has a cost. To customers. To vendors. To investors.

This is why as a customer you should begin by forgetting about products completely and think first about winning systems, because products come and go while winning systems endure. Products are what you use to implement winning systems.

Let’s ask each of those three gentlemen in the title picture what they can see.

The Customer Lens

So far security budgets keep increasing.¹ That means the constraint on adoption is the customer’s ability to understand, evaluate, and integrate all of these products in such a way that they deliver improved outcomes. If you believe the paragraphs above then by the time a customer has full coverage of all categories he needs, early product choices may have been retired. Some of the companies making them will have gone bust. Many of the firms on the slide will be dead within 5 years. Some will carry-on with just enough revenue to stay alive while not being strong enough to attract attention from an acquirer or the IPO market.

What portion of the customer’s network will be made of living-dead vendors 5 years from now? What impact will their fate have on customer security and the workload of staff charged with finding replacement products? Although budget increases may show no signs of slowing, these other “costs” will create increasing amounts of drag on adoption. This drag is already significant and is getting worse. When evaluating products, how important is that drag factor? Even the best product is no good if it’s not implemented promptly or becomes shelf-ware.

The Vendor Lens

There’s a cost to procurement, integration, and operation over and above what the vendor is paid. These costs (only some of which are monetary) limit the customers ability to adopt new products. They introduce unnecessary friction or drag. Security software isn’t a pill. It’s a pacemaker. It requires delicate integration. These products aspire to become part of the corpus. Integrated logically and physically in some cases. Painful to remove or replace. Perhaps even risky. What is the drag coefficient of your product? How can you, the vendor, reduce it?

The Investor Lens

How much intellectual property will be stranded in living dead firms? How much effort will be consumed in a blaze of competition across these 600 companies? How inefficient is this population explosion and inevitable mass extinction? All competition is inefficient viewed in this way, but it matters less when you are selling soap versus software. Occasionally private companies merge organically, but many have expectations of valuation, and difficulties with management which cannot easily be solved. Otherwise useful and potentially valuable intellectual property is left to rust. Investors know the value of a folder of narrow patents, or stack of unmaintained software. Frequently the office chairs are worth more.

A CIOs View

Talk to a CIO or CSO and you’ll hear a familiar list of problems relating to their adoption of new security products.

• Onboarding new security products takes too long.
• Integration is too slow, shallow, and difficult.
• Too many skills are required (for “skills” substitute the word “products”).
• They are still regularly compromised or discover vulnerabilities anyway and have to scramble to fix them.

Of course more products means more awareness of security problems (good). It also means more false positives (bad). No product is perfect, we’ll presume that vendors who care about about their customers resources will work tirelessly to eliminate false positives (which sounds dreadful in a press release), and not just add more features (which sounds much better). I’ll leave it to you to make assumptions about how effort is prioritised within such vendors.

Putting It Together

• Too many companies for most customers to evaluate.
• Not enough large acquirers in Cyber Security to scale up sales of these products in an economically efficient way.
• Customers wish products were better integrated, more open, plug and play.
• Products that require too much skill to evaluate, integrate, and operate.
• Investors burning a lot of capital to put what are in some cases “feature products” into the hands of customers.
• A market where vendor attrition and mortality rate is a significant problem for customers trying to maintain stable, supportable, operations.

How could this entire market be re-engineered to solve these problems for customers, vendors, and investors? It sounds like an impossible task, but it’s one that’s worth attempting because even when investor capital and customer budgets are plentiful, human effort isn’t. Even if it was, it doesn’t scale well. If you are a customer and your plan is “more people” or even “more vendor certifications for the same number of people” then you don’t have a good plan. From a vendor’s perspective that plan looks even worse. Cyber Security product design and creation skills are scarce and always will be. I’ve touched on this before.

The other reason why these problems are worth solving, is that a solution may hold the promise of continued growth in Cyber Security budgets, because people will pay for what improves their outcome. A truly great solution will drive that increase, not just reduce friction holding it back.

A Sustainable Cyber Security Market

I’m going to offer three possible solutions to some of the problems described here. One tried and tested, an investors solution. One radical, a Software Engineer’s approach. Finally, one transformational vision of the future from a Product Manager. Each solution draws upon my experience in those three roles over the last 20 years.

Each aims to address problems described here while maintaining market flexibility, sustainability, and competitiveness. Each centres around the concept of an Ecosystem. I’m going to develop that concept from the superficial co-marketing, keiretsu, and sales partnerships found in the market today into something closer to real ecosystems found in nature. These real ecosystems don’t just offer their participants a saving here or marginal efficiency there, they enable systems of increasing returns.

If that sounds interesting then check back soon or follow me on Twitter or LinkedIn.