Gartner, Forrester and cybersecurity: a deep dive into the trends, challenges & the future of the notorious industry analyst firms
A deep look into the realities and controversies of the notorious industry analyst space and its role in cybersecurity
Introduction
Ironically, while industry analysts focused on cybersecurity are constantly analyzing the security market, there is little analysis about the analysts themselves.
The industry analyst space is notorious for its lack of transparency and seemingly conflicting incentive structure. As an operator, I hear everything from “all industry analysts are pay-to-play with zero objectivity” to “industry analysts are the smartest people on the market who define where the future is going”. It is tempting to think that in 2022, when you can google just about anything, industry analysts are obsolete. The truth is more nuanced: while facts and numbers are freely accessible online, comprehensive analysis and a coherent view of the market are less so. Higher-order strategic analysis grounded in experience in the industry still commands a high premium.
In this piece, I attempt to shed light on this notorious space, looking at the industry analyst model, the reasons industry analysts hold so much power in cybersecurity, the trends and challenges affecting analyst firms, and what the future may hold. Given how complex and multi-faceted the topic is, it is not possible to be entirely right about it, and that is not the claim I intend to make. Instead, I want to offer a perspective without oversimplification, unnecessary controversy or catchy titles, and contribute to an educated discussion about the future of the industry.
The industry analyst model
In cybersecurity, industry analysts serve three main categories of customers:
Buyers - medium and large enterprises looking to understand what security product to buy, when to get behind a specific trend in security, how to replace one vendor with another, etc.
Vendors - cybersecurity companies looking to understand how to get in front of specific customers, what strategy to pursue, what markets to enter, and what to prioritize for their roadmap.
Investors - VC firms, investment banks, private equity, Wall Street analysts, and others looking to understand what vendors are best positioned to become market leaders, who has the product-market fit, and what tools are being adopted by what types of customers. This customer group is the smallest one for most industry analyst firms.
Analysts add value to the ecosystem by doing the following:
Writing research about market trends, technologies, and forces shaping the future of the industry. While paid subscriptions to research are generally the main revenue source for large firms, how often that research is actually used, and the future of this business model, are open questions (I’ll return to this later).
Conducting vendor briefings - talking to different companies on the market and learning about their products and services. Note that briefings are free and accessible to any vendor, not just paying customers. In many analyst firms, all briefing requests are routed to analysts, and it is the analyst’s decision whether to “cover” that vendor in their market or to pass on the briefing request. For many, whether or not a vendor is a paying customer has no impact on the decision to cover it, but every analyst is different and approaches vary.
Providing advice to paying research subscribers, which includes answering vendors’ questions about the market, product, and go-to-market strategy and advising enterprise business and security leaders about vendors, products, and problems they are trying to solve.
Organizing events and webinars, speaking at industry conferences, and other forms of thought leadership. These may be events organized by analyst firms as well as analyst firms being paid to have an analyst present at an event put on by a third party, including vendors.
Reasons industry analysts hold a lot of power in cybersecurity
There are several reasons why industry analyst firms such as Gartner and Forrester hold a lot of power in cybersecurity; the most prominent, in my opinion, are the following two.
Quality of what’s bought and sold isn’t known
Cybersecurity is a rather unique field in that the quality of what is being bought and sold is not known. If you are buying, say, an accounting tool, you can evaluate whether it does what it claims to do; the same is true for most (if not all) other types of software. This is not the case in cybersecurity. A team buying a security product cannot easily validate, and be certain, that in critical moments the product will do what it promises to do.
In recent years, the creation of the MITRE ATT&CK framework and tools that operationalize the framework such as Atomic Red Team, FourCore, and Prelude have started to enable teams to test their security coverage. These changes are accelerating the move from promise-based to evidence-based security but we are still in the very early stages of that evolution.
As it is not possible to easily tell if the tool does what it promises to do, having an impartial external party do the validation is often perceived as critical not only to de-risk the decision-making but to obtain approvals from other departments involved in the purchasing process, namely finance, operations, procurement, and compliance.
Confusing marketing and choice overload
Cybersecurity is notorious for being a complex space to navigate, both because securing organizations is hard for reasons too diverse to cover in this article, and because the market itself is incredibly crowded. There is a never-ending list of “me too” vendors in each of the sub-segments, commonly abbreviated by few-letter acronyms that can take a long time to untangle - SSPM, CSPM, EDR, XDR, NDR, SASE, DLP, ZTNA, SDP, NGFW, IDS, IPS, IAM, VPN, SSO, UBA, UEBA, WAF, FWaaS, MDR, CASB, SIEM, SOAR, XSOAR, AV, and many more. Each of these market sub-segments features a broad range of vendors offering seemingly identical tools but positioning them differently, often claiming to have created a new market. The functionality these products offer overlaps between and across categories. To make matters worse, there are anywhere between 3000 and 10,000 vendors in the industry (the number depends on which source you use).
Making decisions in this chaotic space with new threats (and new products to fight them) created daily is nearly impossible. Naturally, having an impartial third party go over all this cacophony of signals and distill them into a shortlist of vendors, an easy-to-navigate chart, and useful research is very much needed.
Trends shaping the evolution of industry analyst space
Maturation of cybersecurity and impact on demand for industry analysts
We are seeing the maturation of cybersecurity as an industry. This is something I have previously talked about at length. Rather than repeating the same statements, I’ll reference some of the observations.
“In the past, security used to be thought of as a tool problem: “what do I need to install to be safe”. Now it has evolved into more of a systematic belief or approach promoting the foundational layers of security: collect data into one place, look into it, understand what is happening in your organization, identify how to detect malicious behavior, and respond appropriately.” - Source: Open source in cybersecurity: a deep dive
In a world where security is seen as a tool problem, picking “the best” product on the market was critical. Now, we have seen enough evidence that security is more nuanced than buying “the best” and hoping that the vendor will keep an organization safe.
“Mature security professionals know that security is a process, not a feature. The best way to build a security posture is to build it on top of controls and infrastructure that can be observed, tested, and enhanced. It is not built on promises from vendors that must be taken at face value. This means that the exact set of malicious activity and behavior you’re protected from should be known and you should be able to test and prove this. It also means that if you can describe something you want to detect and prevent, you should be able to apply it unilaterally without vendor intervention. For example, if a security engineer has read about WannaCry, they should have the ability to create their own detection logic without waiting a day or two until their vendor does a new release.” - Source: Future of cyber defense and move from promise-based to evidence-based security
As cybersecurity is getting more complex and more technical, it’s no longer enough to just hear “what other people are doing”; selecting the right vendor becomes more nuanced. Security leaders now increasingly recognize that every environment is unique, and choosing a vendor simply because it was adopted by the competition or listed as a “Leader” in Gartner Magic Quadrant is a decision that can be detrimental to the organization’s security effort.
The rising power of individual contributors and product-led growth
In the past, when security products were inaccessible, requiring minimum spend and forcing potential buyers deep into the sales process before they could simply try what the tool actually does, industry analysts were the only people who had seen tens and often hundreds of products with their own eyes.
That has started to change in the past decade. More and more individual contributors inside large enterprises are empowered to find and recommend security tooling that they think can solve the problem in their organization. They don’t read subscription-based industry research, and instead are deeply involved with security leaders and communities of peers on Discord, Slack, Meetup, and other platforms, not to mention the real-life interactions at events like BSides.
While the final decision about adopting a specific tool is made at the top, security leaders are commonly presented with a research summary showing how different tools compare. This became possible with the rise of product-led growth - an approach that promotes building easy-to-find, easy-to-purchase products that anyone can get started with without attending mandatory demos, talking to salespeople, or even entering credit card details. This dismantles the barriers and shifts power away from industry analysts by making it easy for security people to access and evaluate different tools - something that was previously available only to industry analysts and executives of large corporations.
Rising power of peer groups
A few decades ago, security was seen as part of the IT function; very few organizations had a dedicated person at the leadership level in charge of cybersecurity, and even if they did, that person’s voice was not represented at the board level. That has changed dramatically over the past decade.
With the rising influence of cybersecurity leaders in their organizations, we see the creation of peer groups - communities of CISOs that regularly exchange ideas and experiences, share their knowledge, and help each other make better decisions. They take many shapes; some are formal like The CISO Society, CISOs Connect and CISO Executive Network while others are informal circles of friends.
Unlike industry analysts that commonly come from research backgrounds and academia, peer networks are communities of people who have been (and still are) in the trenches, building teams, designing strategies, getting the buy-in from the leadership, and doing what is needed to secure their organizations. Many security leaders are becoming more interested in industry trends as well, and some are forging the next wave of innovation, forming investment syndicates such as Silicon Valley CISO Investments in the US and Cyber Club London in the UK. It has become very common for venture capital firms to create formal and informal CISO advisory councils, such as Forgepoint Advisory Council, Village by Team8, Venture Advisors by YL Ventures, and NightDragon Advisory Council, to name a few.
A lot of the market intelligence (“here is what X is using and here is how it works”) is now shared between security professionals themselves, without industry analysts acting as intermediaries (obviously, with respect to the NDAs they are bound by).
Continuing rise of industry influencers
Gone are the times when “Gartner says” was perceived as ground truth. Today, every analyst builds their own brand and their own following, whether they work for a large player like Gartner or Forrester, or are entirely on their own. Having a stamp of approval from a large powerhouse certainly helps, but it is no longer a requirement.
We are seeing a rise of industry influencers - trusted leaders who do not necessarily define themselves as analysts but who have built great followings by offering valuable advice and insights. The Return on Security by Mike Privette, the Strategy of Security by Cole Grolmus, Unsupervised Learning by Daniel Miessler, and others are examples of this trend. In today’s world, the deepest forms of trust are established by continually contributing valuable advice, not by getting a large company to hire you. Most importantly, security and tech leaders are looking for insights from someone who has “been there, done that”; the generic, cookie-cutter “strategies” from market observers are becoming less and less relevant.
The rise of platforms for individual creators such as Substack has enabled many people to monetize their expertise and community. Lenny’s Newsletter is a prime example of how people with a unique perspective can build a following around it and monetize their knowledge, industry connections, and experience. I don’t see why a similar success can’t be replicated in cybersecurity, especially considering that access to advice from ten of the world’s leading security professionals would cost ten or more times less than a research subscription from a large industry analyst firm.
It’s not just the independent voices that need to build their own brands, but also the employees of large corporations. The goodwill formed during their tenure at Gartner, Forrester, or IDC can follow them no matter where they go. A great example is Anton Chuvakin, formerly a Research VP and Distinguished Analyst at Gartner who continues to be a strong voice in the industry long after leaving Gartner and joining Google.
In the past, a company would need to buy a subscription to an industry analyst firm, which gave it access to hundreds of advisors. Today, many are starting to realize that they don’t need hundreds - they would rather pay an order of magnitude less, and pay directly to the few people whose opinions, experience, and insights they value. The challenge of monetizing insights remains: there is a strong need for solid industry analysis, but it’s not always clear how an independent analyst can make money. If they don’t offer advice and services on top of the market insights they produce, they become a very smart journalist, not an analyst.
Challenges affecting the industry analyst space
Perception of unfair, “pay-to-play” game
In many circles, there is a strong perception that industry analyst firms are biased, “pay-to-play” service providers. Not only has this perception led to distrust among many vendors and enterprise customers, but it has also resulted in several legal battles.
In 2009, ZL Technologies claimed that Gartner’s "use of their proprietary 'Magic Quadrant' is misleading and favors large vendors with large sales and marketing budgets over smaller innovators such as ZL that have developed higher performing products”. The case was dismissed because it lacked a specific complaint. Gartner had insisted that the Magic Quadrant reports contain "pure opinion", not statements of fact.
Later, in 2014, Gartner was sued by NetScout, which once again alleged a “pay-to-play” model. NetScout argued that "Gartner is not independent, objective or unbiased, and its business model is extortionate by its very nature. Its substantial success is due to the worst-kept secret in the IT industry: Gartner has a 'pay-to-play' business model that by its design rewards Gartner clients who spend substantial sums on its various services by ranking them favorably in its influential Magic Quadrant research reports and punishes technology companies that choose not to spend substantial sums on Gartner services." The judge granted Gartner’s motion to dismiss the NetScout lawsuit. Gartner’s blog still carries the statement from 2017: “We take the independence and objectivity of our research very seriously. Without it, we wouldn’t have a business. Gartner is not “pay for play.” Influence over research content or the amount of research coverage focused on any vendor, sector or topic is not, and has never been, for sale by Gartner. Period.”
Multiple issues contribute to this perception of an unfair game:
Strong potential for conflict of interest stemming from working for both sides of the market at once. In many consumer-facing industries, governments or the industry itself have actively created checks and balances to eliminate situations that force people into a conflict of interest.
Light regulation of the analyst relations space adds to the perceived conflict of interest. Analyst relations professionals employed by vendors often use gifts and luxury experiences in the hope of gaining the attention of industry analysts. It’s not uncommon for vendors to invite industry analysts to expensive sports games, treat them to dinners at luxury restaurants, or offer them laptops and other gadgets. While the vast majority of analysts are capable of remaining unbiased in their research, this does create the possibility that some will feel pressured to talk about vendors a certain way when they type their report on a laptop gifted by the vendor.
Limited disclosure of potential conflict of interest. While some industries like the media have learned the importance of public disclosure of potential conflicts of interest, that has not happened to the same degree in the industry analysts' market. Large firms like Gartner and Forrester have started to implement their own disclosure requirements while many smaller firms often do not think about this problem at all.
Low awareness of how the whole industry analyst space functions, what is available for free vs. what requires investment, etc. Few startup founders know, for example, that it’s free to meet with an analyst and brief them about the product and the problem the vendor is solving.
All the analysts I have met appear to be deeply analytical, objective, and unbiased people passionate about the future of the industry. Moreover, despite the never-ending rumors of “pay-to-play”, I have not come across any documented evidence of it happening in the top-tier firms (small players may be a different story). Large analyst firms such as Gartner, Forrester, and IDC have strict rules about conflicts of interest and would terminate any analyst who does not disclose such a conflict. The same cannot always be said about a select few small firms that write “whitepapers” and “research” paid for and approved by vendors, which are then used for lead generation.
While the overwhelming majority of analysts are people of high integrity and high moral standards, the systemic issues and ethical blind spots in the space make it very hard to see the industry as a whole as fully unbiased.
Detachment from innovation
While security is rapidly evolving, industry analysts are incentivized to pay little attention to innovation compared to the amount of time they have to spend with large customers. This has nothing to do with the people or their desire to stay on top of changes; it is simply because cybersecurity innovation does not come from large vendors or Fortune 500 enterprises. Such is the nature of what Clayton Christensen described as the “innovator’s dilemma”, and nowhere is it as clear as in cybersecurity, where, as I have written before, innovation is most commonly bought, not developed in-house. In cybersecurity, innovation is born in informal communities, at enthusiast conferences like BSides and DEF CON, and at security briefings like Black Hat, to name a few.
On the other hand, it’s the established vendors and large enterprises who pay the bills of industry analyst firms. Startups shaping the future of cybersecurity do not have the money to become paying vendors, and often have no time to do vendor briefings.
While some analysts do invest a lot of time and effort into tracking innovation in cybersecurity, it is safe to say that the analyst industry as a whole is not in the business of looking for innovation; it serves established clients looking for established products. In contrast, angel investors and VCs are scouting for the next big thing, and you can often see them in communities of practitioners - something that Gartner and Forrester analysts, slammed with vendor briefings and customer inquiries, cannot afford to do as much. Some enthusiastic analysts do find the time and energy to closely follow startups in their areas of interest, knowing that’s where the next innovations will come from.
The value of industry reports is under question
In today’s world, business and security decision-makers have neither the time nor the desire to read pages of industry research. People are looking for bite-sized, practical advice from experienced practitioners that they can consume when needed, via their preferred channels (podcasts, blog posts, and other mobile-friendly formats that can be accessed from anywhere). This change in consumer behavior threatens the traditional business model of industry analyst firms, where customers purchase subscriptions for tens or hundreds of thousands of dollars, with additional services presented as a value-add. The reality is that companies pay to get access to trusted advisors and see little value in the libraries of research included in the package.
Industry-wide assessment tools like the Gartner Magic Quadrant (MQ) have little to offer when it comes to vendor selection. Choosing security software is more nuanced than asking which tool sits in the “Leaders” quadrant for a given space. Most importantly, the MQ’s two axis criteria - “completeness of vision” and “ability to execute” - are of little help to a company that needs to decide how to secure its worldwide operations. Each company’s environment is different, and so are its security needs. Mature organizations know this and therefore evaluate security tooling against the criteria that matter most to them. Note that while nobody buys security tools based on reading a piece of research, people may do so after speaking to an advisor. The one use case where tools like the Magic Quadrant could be relevant is shortlisting vendors. As we know, almost every sub-segment of cybersecurity has over 10 vendors, and some have well over 25 competing products. A shortlist of the top 3-5 tools can shorten the time it takes a company to evaluate potential vendors. This is especially true in commoditized market segments, where there are sometimes tens of homogeneous options with little to no difference between the actual products.
Magic Quadrant and analyst reports offer valuable insights for late-stage investors, for whom criteria such as “completeness of vision” and “ability to execute” are very relevant. At the same time, MQ is not as relevant to early-stage (pre-seed, seed) investors, as industry analysts are lagging a few years in assessing disruptive innovation.
It appears that Gartner understood that in this day and age, research is commoditized, and vendors are simply looking for ways to get into the top right corner of the 2x2 quadrant. When a vendor buying a Gartner subscription defines success from the engagement as “getting into the Leaders quadrant”, it pollutes the relationship by establishing a very clear criterion of success - and, worse, one that Gartner cannot promise to deliver. The rumor is that Gartner is starting to back away from Magic Quadrants, tightly controlling the introduction of new ones and potentially debating retiring existing ones (it’s hard to be certain whether this is the case or when it will happen). The time analysts spend creating MQs and getting them reviewed (reportedly around 300 hours for one Magic Quadrant) would be better spent talking to startups innovating in the space and attending industry conferences in the US and abroad.
Seeing product demos is not enough to understand security
To understand why industry research as it exists today is becoming less and less relevant for vendor selection, it’s important to understand what sources of information are used to create it. There are a few:
Vendor briefings, in which executives and company founders (sometimes product managers) walk the industry analyst through the product, what it does, and the problems it solves, and give a demo
Customer feedback, in which enterprise customers share with analysts their experience of using security products
Surveys, statistical analysis, and other research methodologies
While that does sound like a very comprehensive approach (and it is), there are some important gaps:
Vendors are used to sending their largest, friendliest, and most impressive customers to talk to industry analysts, not someone who has suffered through a failed deployment, false promises, and buggy products. The analyst will only ever hear about growth, success, and a great opportunity ahead - not very helpful for building an unbiased picture.
There is little evidence company leadership needs to supply to back up any of their claims. While analysts can verify the information provided by public companies, assessing private companies is almost entirely based on “he said they are growing”. Surely, it’s possible to check the company headcount chart on LinkedIn, if the vendor has more than 25 people, but that offers little insight into the actual business growth.
Making judgments about what the product does without a) being a security practitioner, b) trying the product, or c) talking to the people using the product on a day-to-day basis is less than ideal.
While cybersecurity is becoming more and more technologically complex, not all industry analysts covering cybersecurity have a relevant security background or experience working in the space. While some firms hire people with relevant expertise, many have their analysts “learn as they go” - by reading research, talking to vendors, and answering questions from enterprise customers. That is more than enough to analyze high-level trends in the space, but it is, in my opinion, not enough to advise security teams on how to solve their problems.
How industry analyst firms can stay relevant for the future
About two decades ago, some pundits declared that the Internet would kill analyst firms; at the time Gartner had under $1 billion in revenue, compared to over $5 billion today. Will the analyst business be dead in a decade, as many people believe? I don’t think so, provided that analyst firms are able to respond to the demands of the new era. Here are some of the most critical areas that need addressing.
Addressing the problems of ethics and conflicted interests
To establish themselves as a truly unbiased source of industry insights, industry analyst firms would benefit from implementing an industry-wide code of practice and holding members of the professional community accountable to that code. Such codes are not new and have existed in other fields such as journalism for many years.
There are several steps that, if taken, I think can address the problems of ethics and conflicting interests:
At the end of each market report that ranks vendors or makes judgments about the vendor market, industry analysts should disclose both the relationship of their firm and their own relationship with each of the mentioned vendors (i.e., “Vendors X and Y are paying Gartner subscribers. Every effort has been made to ensure an objective review of their products. The analyst who authored the report owns X% of the equity in vendor Z. The analyst has not accepted any forms of direct compensation from the vendors mentioned in the analysis in the past X months”). I was reading an article on a random site today and saw this disclaimer: “We may be compensated by vendors who appear on this page through methods such as affiliate links or sponsored partnerships. This may influence how and where their products appear on our site, but vendors cannot pay to influence the content of our reviews. For more info, visit our Terms of Use page.” This is the kind of transparency we need with industry analyst firms; I think it's wise to be open and explain any potential biases so people understand where an analyst may be coming from.
Image source: ZDNet
In the spirit of transparency, make it easy to understand information such as:
what percentage of vendors briefed for a particular report are paying customers
what percentage of vendors briefed by a particular research firm on an annual basis are paying customers
Continue to refine the sales practices to eliminate questionable behaviors and make it easy for vendors who are not paying customers to access vendor briefings. Make the process of getting a vendor briefing transparent and easy to navigate.
Have all analysts be bound by the industry-wide code of ethics. While there is IIAR with its code of ethics, it does not appear to be as widely adopted as one would hope for.
Theoretically, it would be great to separate the market research side from the vendor selection/sales side. After all, the best way to ensure that people behave well when faced with a potential conflict of interest is to keep them out of such situations to begin with. However, this is not feasible, as analysts need to understand the market intimately to be able to work with both sides at the same time.
Delivering relevant content in the right forms
Decades ago, when today’s leading industry analyst firms started, technology was a mystery and quality information about IT was scarce. Today, we live in a world of abundance, with the amount of information overwhelming anyone making decisions. Most importantly, few people have hours of free time to sift through endless pages of mostly irrelevant search results. This is why, despite Google having answers about nearly anything, industry analyst firms will stay relevant - but only if they help people make sense of the abundance of information rather than simply adding to it.
In 2022, security leaders do not have time to read traditional research with charts and statistics or go over 100 slides summarizing market trends; they are looking for practical, hands-on advice from people they trust. They are looking for materials focused on day-to-day operations, not marketing buzz and new abbreviations. Most importantly, people want to see content that is practical and that helps them become better at what they are doing.
Security leaders need the ability to access easily consumable content from seasoned security professionals on their own terms - when they need it, where they need it, and in whatever form they need it. This means short “how to” articles with links to relevant research, mobile-friendly infographics, and podcasts security leaders can listen to in their own time are more likely to be consumed than long-form reports.
Reinventing the value proposition
The growing number of industry leaders openly sharing their thoughts in blogs and on social media, coupled with the democratization of knowledge, the formation of communities of practice, and shortening attention spans, makes it apparent to me that there is little demand for traditional subscription-based research, despite it being a notably large market.
In the changing environment, industry analysts need to continue to reinvent themselves.
I believe that industry analyst firms are incredibly well positioned to add value on the strategic level, helping mature vendors refine their market expansion strategies, acting as trusted advisors to later-stage investors making financing decisions, helping startups define their customer acquisition strategy as they move up-market, and being active players in the M&A space. Industry analysts are the ones who can validate the establishment of new market categories, estimate the total addressable market size of a specific mature sub-segment, or estimate the growth rate for the industry.
We have been seeing several industry analysts move on to take leadership roles at vendors (most commonly around strategy and marketing). Examples include Brian Kime (ex-Forrester analyst and now VP of Intelligence Strategy and Advisory at ZeroFox), Ian McShane (ex-Gartner analyst and now VP of Strategy at Arctic Wolf after having served in similar leadership roles at CrowdStrike and Elastic, to name a few), Anton Chuvakin (ex-Gartner analyst and now Security Advisor at Office of the CISO, Google Cloud), and Tyler Shields (ex-Forrester and now Chief Marketing Officer at JupiterOne after having served in similar leadership roles at Sonatype and CA Technologies, to name a few). This trend is a perfect illustration of the point that corporate strategy and marketing are two areas where analysts add the most value. Given that working for a vendor presents an opportunity for a substantial financial upside, especially compared to the modest compensation at analyst firms, we will be seeing more analysts moving to the industry in the upcoming years. Analyst firms, including top-tier Gartner and Forrester, are already facing extraordinarily high turnover.
Lastly, if industry analyst firms want to provide vendor selection and security strategy advice to enterprise customers, they need to continue to hire security professionals who have learned the fundamentals of securing organizations by being in the field. Simply focusing on the market and tooling is not sufficient and, if used as the only basis for advice, can even be detrimental to their ability to help enterprises secure themselves. In the same way that we wouldn’t trust tenured journalists covering medicine to direct a heart surgery simply because they’ve talked to many doctors and observed many patients, industry analysts shouldn’t gain the right to advise others on how to secure their organizations and with what tools because they’ve seen many demos and heard many customer pain points. While their input can be valuable, it is not a substitute for engaging security architects and tenured security leaders.
How startup founders can work with industry analysts
There are generally two ways you can engage with industry analysts: by holding vendor briefings or by reaching out for an inquiry. The latter is only available to paying clients; I will assume you are not and focus on the former.
Firstly, it’s important to note that vendor briefings are free and available to any vendor (not just to those who are paying customers of the industry analyst firm). A vendor briefing is a way for you to talk to the analyst and explain, among other things, who you are, what you do, what problem you are trying to solve, and for whom. Briefings are one-way (you briefing the analyst); they will generally not answer questions or provide any kind of advice (that’s what inquiry is for). Be open and transparent, and pay attention to the questions they ask - if they don’t understand something, it may be a sign that your messaging needs some refinement. Note that you might need to schedule calls 3-4 months in advance, so be sure to plan well ahead.
Here are some tips for engaging industry analysts:
Make sure you are talking to the right analyst - the one who covers your (or adjacent to your) market segment.
Be clear about your vision, your place in the market, and what makes you different.
Show, don’t tell: show a product demo instead of long slide decks.
Be open and don’t try to lie or overstate reality.
Turn this into a regular (quarterly, biannual) update, not a press-release-like statement when you need something.
Be helpful, be respectful, and focus on building a relationship - it’s a long-term game for everyone involved.
It may surprise you, but industry analysts do like talking to startups, especially if you’ve got some funding and paying customers, and if you are selling to SMBs and, especially, large enterprise customers. If you are targeting startups or consumer segments, industry analysts will be much less useful. If you engage with industry analysts regularly, over time they can become your spokespeople whenever you need an independent party to talk to the press, potential investors, customers, or even acquirers.
Here is how tl;dr sec, a large security-focused newsletter, talks about industry analyst reports in the context of buying security:
“Industry analysts have a mixed reputation, with the Gartner Magic Quadrant a meme in many circles. That being said, if you’re in the type of organization for which analysts hold a lot of sway, turning to Gartner, Forrester, or another advisory is a reasonable option. You’ll need to pay for access to these reports. Based on those I’ve reviewed, they at least won’t steer you terribly wrong. More importantly, just like “nobody ever got fired for buying IBM,” if your company respects these rankings you benefit from following suit. However, you should accept that in using these recommendations you will be directed at the top of the market. The only companies in most of these analyst reports are those that are large enough to afford the inefficiency of directly courting inclusion.”
If you choose to become a paying customer, analysts can help you with marketing, go-to-market strategy, sales, product, and more. I personally believe that these services are geared towards large enterprises and are of very limited value (in fact, they can be detrimental) for most startups. A startup by nature is trying to do something new, something that has not been done before (at least that’s the hope). To succeed as a startup, founders must learn by doing, stay in close contact with their customers, and not look for shortcuts like analysts or market research firms. Having said that, it is useful to understand the broader industry context, what other companies have tried, what has worked for them and what hasn’t. It is worth noting that some analyst firms are open to offering a free inquiry session as a trial - something you can and most definitely should take advantage of.
Conclusion
The nature of industry analysis is undoubtedly changing. While it can be tempting to dismiss the need for analysts altogether, saying that “there is Google for everything”, the truth is much more nuanced than that and has to do with the way purchasing decisions in enterprises are made. While security leaders can call their friends working in other companies and gather feedback about tools that work and tools that don’t, they can’t submit this feedback to procurement, finance, and compliance teams as a justification for their decisions. While some of it has to do with bureaucracy and risk aversion, a lot is the side effect of confusing marketing, thousands of vendors, overlapping tools, and limited time to make purchasing decisions. Nobody has time to go through countless pages of search results authored by unknown people. Professional advice commands a high premium.
While the need for industry analysis is not going away, its scope and business model will change. With few people reading the research they produce, and customers seeing their subscription as a way to pay for access to experts instead, the business model of industry analyst firms cannot remain as is. Additionally, with the ever-growing complexity of security, industry analysts are not always equipped to provide advice about how to secure company networks. When security was thought of as a tool problem, the high-level “vendor recommendation” approach worked well. Today, when that is changing, industry analysts can’t predict new cyber attacks and new vulnerabilities, and companies have to think beyond “what product do I buy to be safe”.
Industry analysts add a lot of value on the higher-level, strategic layer, such as helping vendors better tailor their messaging to what the market is looking for, or advising startups about moving up-market.
To a large degree, the misunderstanding of how industry analysts add value comes from the misunderstanding of their role in the ecosystem. Contrary to some startup founders’ assumptions that “analysts don’t understand innovation”, it is simply not the role of analysts to look for disruptive innovation; they are analyzing the top-market trends and matching top-market buyers with top-market sellers while also predicting the direction of innovation. As cybersecurity is getting more and more complex, and threat vectors move faster than Gartner releases its Magic Quadrants, talking to the leadership of large cybersecurity tech companies is not going to uncover the ideas of tomorrow. Analysts that want to anticipate the future need to attend cybersecurity conferences, read online forums, and talk to security practitioners - something that early-stage investors have been doing for a long time.
I think it’s important, as we look into the future, to be constructive, respectful toward each other, and as objective as possible. The space is indeed changing, and the industry analyst space tomorrow will look different than it does today. However, smart people in the industry will stay - we will see them again tomorrow as influencers, investors, M&A advisors, founders, executives and strategic counsel at large enterprises. It’s important that instead of playing a blame game and making statements about who is corrupt and who is not, we assume positive intent and work together to shape the future of cybersecurity.
Thank you
Thank you to industry veterans for sharing their thoughts and for providing feedback about the draft of this article - Carmen Harris, Director of Product and Technology Communications at Sumo Logic, Mary Yang, Chief Marketing Officer at LookingGlass Cyber, and several current and ex-analysts from leading firms. I have learned a lot about the industry analyst space by reading Curmudgeon: How to Succeed as an Industry Analyst by Richard Stiennon. I am grateful to Richard for a great discussion and for reviewing and sharing his feedback about the draft of this article. Opinions are my own.
They should go further.
For each company placed in a quadrant, wave etc., they should clearly state
- if they briefed
- how much they spend with the firm
- how much their investors spend with the firm
- if the analyst holds an interest
Really enjoyed this analysis! As an analyst - one who *does* look for innovation and engaging with practitioners, as my calendar will attest :-) - I think you captured things really well. We're definitely working to improve our deliverables and engagement to address some of the issues you highlighted.
Happy to discuss the topic and "recommended practices" (I dislike the term "best practices") on analyst engagement, as well as trends I'm tracking, anytime, schedule-permitting.