“It is not the customer’s job to know what they want” rings true in cyber
And also, there has never been a billion-dollar security company built based on Gartner’s insight alone
Ever since I embarked on the founder journey and started working on my own startup, I’ve developed different perspectives and some strong opinions about founder life. In today’s issue, I am going to share one of them - about the fact that there has never been a billion-dollar security company built based on Gartner’s* insight alone. I strongly believe this has been the case, and this will continue to be the case, not because Gartner is wrong, but because it is usually right.
*I am using Gartner in this article as a way to generalize about “industry analyst firms”; you can substitute Gartner with Forrester or any other of your favorite companies.
This issue is brought to you by... Endor Labs
Discover security that scales with AI-driven development.
AI is accelerating how engineers ship code, but security reviews aren’t scaling with it. AURI by Endor Labs changes that: autonomously surfacing business logic risks and the “unknown unknowns” that manual review and traditional AppSec testing miss. Discover security that scales with AI-driven development.
It’s not the industry analysts’ job to come up with winning startup ideas
There’s one mistake I see over and over in our industry: people assume that an industry analyst’s job is to predict the future. This is not at all the case. Let me explain.
Firms like Gartner make the majority of the money from serving enterprises, and despite what some people in our industry assume, their role extends far beyond recommending security solutions. In fact, Gartner isn’t usually an expense that comes out of the CISO budget, and CISOs are just one of the many kinds of executives that rely on their offerings. While Gartner does sell vendor subscriptions, it is generally a smaller area of their focus. The majority of their time is spent working with the enterprises, helping them navigate complex challenges surrounding different kinds of large-scale transformations, advising them on making hard decisions, and so on.
Given the types of customers Gartner serves, its coverage tends to be very well-researched, and some might even say somewhat conservative. Gartner analysts aren’t jumping on random trends or new ideas - they are looking for patterns, and the evidence that some of the customers out there have bought into the new idea. In other words, Gartner’s job isn’t to predict trends or predict what categories of products are needed on the market. Instead, their job is to declare trends that are already unfolding, and declare which problems they are hearing from customers will need new solutions.
Let me be very clear: all the analysis out there can be very helpful to understand where the market is moving. However, it’s important to keep in mind that these reports don’t predict the future; they declare things that are already happening or that someone would like to happen. It is not the job of the analyst firms to identify opportunities for startups to pursue: as we’ve established, they work for the enterprises or existing vendors, and not for future founders.
Even more critically, I think founders need to know how to properly read analyst reports so that they don’t become harmful to them. This isn’t because the reports are wrong, it’s because they’re too high-level. Firms like Gartner serve enterprises in just about every industry vertical, in most countries, and with different tech stacks. When a founder reads that “Fortune 500 companies need a different approach to data loss prevention”, they have to keep in mind that “Fortune 500 companies” won’t become their customers. Their targets are going to be much more specific - “Financial institutions between 15,000 and 25,000 employees who use AWS as their primary cloud and who do not have a third-party DLP solution” (or something like that - something very, very specific, and not “Fortune 500 companies”).
Trends don’t “just happen”; someone makes them happen
Here’s the main point about trends: trends don’t “just happen”; someone makes them happen. One wise person once told me that there are three types of people: those who make things happen, those who let things happen, and those who wonder what just happened.
I am sure someone can point to exceptions (there are always exceptions), but in the majority of cases, things happen because someone works really hard to make them happen. Was there a trend where companies were migrating to the cloud? Of course, but people didn’t just wake up one day and say, “We need to move to the cloud”. Cloud service providers invested a lot in marketing their approach. Investors at venture firms started betting on founders embracing the new approach. Service providers educated their customers about the benefits of the cloud compared to data centers. Someone inside the company became interested in the opportunity and decided to explore how these potential benefits would manifest themselves inside the organization… Eventually, too, the pandemic did more to convince companies to embrace the cloud than all consulting firms combined. Things happened because many, many people in different capacities and roles worked hard to make them happen.
When you see an analyst firm or some market insider say that they see a “trend”, it means someone (likely a few founders) is working hard to make this trend a reality.
It’s not the CISO’s job to know what they need
Another common misconception I often hear is that winning ideas come from asking CISOs what they need. I know it may be counter-intuitive to suggest that this is a bad approach (after all, don’t we have to be customer-focused?), so hear me out.
I strongly believe the cybersecurity industry is blessed with a great number of innovators and people truly passionate about the future of our industry. We are used to taking it for granted that security leaders and security professionals are usually happy to share their perspective on problems or help founders refine their ideas. If you have never worked in another industry, you’ll probably not be able to fully grasp how rare and amazing this is.
At the same time, talking to CISOs about their problems does have its limitations. “We don’t know who discovered water, but we’re certain it wasn’t a fish”. These words by Marshall McLuhan have critical lessons for cybersecurity founders who think they can just ask CISOs what they need and go build that. Security leaders have a lot of problems, experiences, and perspectives, but it’s not their role to articulate them in a way that makes it obvious what needs to be built. Founders can’t just take orders from CISOs - they need to take in all that knowledge, experience, and perspective, and envision a better future.
The key in these conversations is to dig deep to understand the problems, not to look to CISOs to shape the idea of a solution. Another important bit is to ask about the specific problems they are dealing with themselves, not about what they hear from others, or ideas for what they would like to exist. As Steve Jobs once said, “It is not the customer’s job to know what they want”. In the end, founders have to understand the problem space in depth, but it is their responsibility to synthesize the data, make sense of all the learnings, and decide what to build. This brings me to the most important message of this article.
It’s the founders’ job to understand the problem, envision a better future, and make it a reality
I have previously talked about customer and problem discovery, so I won’t dive into that here. In general, I don’t think there have been many billion-dollar companies in cyber where founders would just look at trends or ask CISOs about their problems and voila - they got a winning wedge. It is simply not how it works. Okta struggled for a number of years and nearly went under before the product took off. CrowdStrike had to educate the markets about nation-state attacks at a time when most assumed that they were protected because they had McAfee. Jay Chaudhry, founder of Zscaler, explained on Inside the Network that when he pitched for the Zscaler idea, 9 out of 10 prospects would say they are not interested. Despite all that, he pushed through by inverting the reality and saying, “Well, this means that 1 out of 10 is to say yes”. As a side note, the reason I find Jay’s story so fascinating is that in 2026, most founders would have killed any idea 9 out of 10 CISOs said “No” to. Sticking with it requires the power of vision and conviction.
It’s not enough for the founders to understand what the problems are. They have to process all the competing insights and immerse themselves in the problem space, but then they have to put forward a perspective. They have to take a stance and envision a better future. This vision cannot simply be the result of a collection of feature requests. This vision cannot simply be an outcome of Gartner research. It has to be their insight, their perspective, and their bet. Every startup is a bet on a vision of the future that does not yet exist. It is the founder’s job to make this vision a reality.
At the core of every company is a bet - a bet that a better future isn’t just possible, but that it absolutely needs to happen. Sometimes, people hit it big, stars align, and tailwinds are so strong that it feels like things just happen. Most of the time, however, things happen because someone makes them happen. Or, in other words, it’s the founders’ job to understand the problem, envision a better future, and make it a reality. As Jobs said, “It is not the customer’s job to know what they want”.
Image Source: Navigating the Security Technology Landscape