To truly understand the state of the security market, we need to look beyond our industry
There are other ways to look at the commonly accepted “truths” in security
When people talk about the state of cybersecurity, the three “truths” seem to come up again and again: 1) that there are too many startups, 2) that the industry is way too crowded, and 3) that CISOs are bombarded by vendor outreach more than any other executives. These narratives aren’t totally wrong, but they usually miss the bigger picture. If we zoom out and compare security to other industries, historical context to today’s reality, and perception to actual data, the story becomes much more nuanced and far more interesting. In this piece, I am addressing these three usual complaints and sharing my perspective on why they aren’t exactly fair. I am sure some people will disagree with the way I look at things, but that’s exactly why it’s interesting to have a healthy debate.
“Too many cyber startups are being started every year”
Having lived in different cities and countries, I am used to hearing the argument that “Life used to be so much cheaper, but now everything (especially the property prices) in our city has made living completely unaffordable”. What’s interesting is that each time I hear this, people are generally right, but as soon as they start analyzing the reasons why it happened, in my opinion, they are generally wrong. The cost of living in most cities has indeed increased, and especially so in large urban centers, but it isn’t just because of evil developers or tech people moving in (though these certainly play a role). Instead, housing and urban living have become more expensive because of a mix of long-term structural forces that are often invisible in day-to-day debates: land-use restrictions and zoning, underbuilding after past recessions, infrastructure and regulatory costs, and the fact that housing in major cities all over the world has become an investment asset for global wealth. Demographic and cultural shifts, like more single-person households, delayed marriage, and the desire to live near vibrant urban centers, have also raised demand for city housing. The bottom line is that the problem is real, but the reasons are much more nuanced than people think.
The startup world is no different. Every time I hear that there are “Too many cyber startups being started every year”, I think people miss the bigger picture. And that bigger picture is that over the past 20 years, entrepreneurship has been de-risked and democratized. Surely one of the results is that there are more startups today than ever before, but I think another way to see it is that more people can now start companies than, say, a decade ago. And, most importantly, these people don’t all have to look the same, come from the same socioeconomic background, or be based in the same place. While ecosystems continue to matter a lot and places like Silicon Valley or Tel Aviv aren’t going to decline in importance anytime soon, the fact of the matter is that founders no longer need to be based in these centers to build successful companies. While companies are calling employees back to the office, what isn’t changing is that founders can now raise money from the comfort of their home in Boise or Pittsburgh, without having to live in the Bay Area, or to physically visit Sand Hill Road.
Access to capital is another factor. There is indeed a lot of capital, but what’s also true is that today, almost anyone with a strong team and an idea can get someone to support them on their entrepreneurship journey. Two decades ago, it would have been unimaginable that some kid from a small town could start a successful tech company without having to move to a large urban center, but today, in the technology business, the only limits are someone’s ambition and imagination.
For all these reasons, there are more startups being built in every area, and it just so happens that cyber is one of those areas. If you are thinking “But there are now so many cyber startups trying to reinvent everything with AI”, I invite you to consider that there are about 100X more startups that are trying to reinvent marketing, sales, personal productivity, and you name it. The bar for starting a security company remains pretty high. With few exceptions, security founders need to have domain expertise, some connections in the industry, and an ability to navigate the ever-changing landscape. It’s pretty hard for some college kid to wake up one day and, out of nowhere, without any prior experience, start a security company (I guess that’s also partly why there aren’t many great YC successes in security).
“Cybersecurity is the most crowded industry”
This leads us to another belief people have, that “cybersecurity is the most crowded industry”.
To use my poor real estate analogy, if you’ve lived in the same city your entire life, your perception of home prices is going to be tied to the historical perspective. If your parents bought a house in, say, Seattle, for $170,000 but now a similar house costs $1,280,000, then of course what you’ll see is an absolutely outrageous increase. This is an entirely reasonable perception. What’s also reasonable is to use other local benchmarks for comparison, like housing prices in Bellevue, Bellingham, and Kirkland (especially if you have a connection to these nearby places).
If, however, you moved to Seattle from, say, New York or London, or if you’ve developed familiarity with other housing markets by, say, traveling or researching housing costs in other areas, your perspective is going to be different. Suddenly, that $1,280,000 may feel very reasonable or even cheap. That difference in perspective comes from differences in absolute value (New York is certainly more expensive than Seattle), but even more so from different reference points. Those raised in Bellingham are going to think, “Seattle is a bigger metropolitan center, and I can shorten my commute to work, but the price is pretty steep”. Those moving from New York will say, “Seattle is a great global city with a decent international airport and connectivity to both major US and Asian transportation hubs, and for that, it’s worth the price”. Compared to Bellingham, Seattle may be pricier, but if the choice is between Seattle and New York, it surely is not.
People who say that “cybersecurity is the most crowded industry” look at it from a historical perspective. They go back in memory to the time when they started in security some two decades ago, and acknowledge that there were an order of magnitude fewer vendors, and a lot less noise. Some of my friends have shared stories about the time when security was more or less about choosing a firewall and an antivirus, which surely sounds like a simpler time with less complexity.
While this historical view is not entirely invalid, I think in most cases it’s pretty unhelpful. A lot has changed over two decades. Sure, there was less noise in security, but also, twenty years ago, there were no iPhones, Facebook, YouTube, Twitter, Instagram, TikTok, or cloud computing (AWS had barely launched); Google Maps was new, and most people still used flip phones. I think most will agree that comparing where we are today with where things were two decades ago is not very helpful.
What is much more interesting is comparing security to other industries of the present. If we do that, our perspective about how crowded the security industry is will change immediately. As someone who’s been fortunate to work in other markets before, I still remember my time in financial technology, and I can tell you that was an experience in a truly crowded market. If we compare the number of security vendors to the number of vendors in other industries today, the picture looks very different:
There are over 30,000 financial technology startups.
There are over 20,000 (or even 30,000) marketing tech startups.
There are over 20,000 (or even 30,000) HR tech startups.
There are over 50,000 climate tech startups.
If we truly believe that “cybersecurity is everyone’s problem”, I am struggling to see why having some 6,000 companies would be “too much”. There’s, of course, much more to it, but at a high level, that 6,000 number isn’t as outrageous as some may think.
“CISOs are being bombarded by the vendors much more than other executives”
Back in 2023, my friend Corin Imai and I wrote an article that explained what’s going on: “There is one truth that many people, regardless of the industry, have yet to fully internalize: everyone is selling something. It is the nature of business - it isn’t just about building something cool and paying people’s salaries; it’s also about returns to shareholders, growing the market share, and making money.
When I say “everyone is selling something”, this very much includes companies that employ security practitioners tired of being sold to. When we hear security teams on social media complain that they are being constantly bombarded by sales messages, here’s what we picture.
The reality looks more like this.
Not only security but also all other teams (finance, operations, human resources, customer success, product, engineering, etc.) are constantly bombarded by GTM motions. Not only that, but the GTM teams at the very company security people work for are using the same methods to sell to their customers that security teams hate. Or, to put it differently, in the B2B (business-to-business) space, salaries of security practitioners who are tired of traditional GTM motions, like cold calling, are being paid from the money their company earns through traditional marketing tactics.
Welcome to the world of GTM in 2023, a world of fierce competition, short attention spans, and oversaturation of the market - a world in which the most persistent and persuasive win, and those waiting for someone to find them typically get outcompeted (especially those with less capital).”
A lot has changed since 2023, but the world has only become more, not less, competitive. While CISOs certainly are now being bombarded with sales outreach more than before, for better or for worse, so are heads of marketing, finance, engineering, and other functions (and let’s be honest, the wave of AI SDRs doesn’t make buyers’ lives better).
Closing thoughts
Cybersecurity doesn’t exist in a vacuum. Many of the things people like to complain about (more vendors, more noise, more competition for attention, etc.) are the byproduct of a world where entrepreneurship has become accessible to more people and where the speed of innovation has greatly increased. Sure, there are times when this can feel overwhelming, but it’s also a sign of a healthy, maturing market. The fact that more founders from diverse backgrounds can now build, raise, and ship products without needing to be in Silicon Valley is not a weakness, it’s a strength.
Instead of getting sentimental and talking about the past, we can embrace this complexity with better frameworks and clearer thinking. That means broadening our perspectives and comparing across industries instead of only looking backward and inward, and recognizing that competition and noise are normal signs of growth. Security is evolving just like every other technology sector, and this noise and complexity are full of opportunity for those willing to look beyond the surface.