Looking at some of the most prominent reasons why there are thousands of cybersecurity vendors, and why saying “we don’t need 200+ products in the same category doing the same thing” doesn't help.
Ross, another addition: it’s my opinion that we have too many cybersecurity vendors because customers are constantly asking for ‘point products’ that address specific ‘point problems’… Most customers don’t have a holistic view on cybersecurity and therefore they just choose a point product every time they face a problem!
100%, definitely one of the challenges. I'd say the problem goes both ways: while many customers, as you say, don't have a holistic view of security, an equal number of vendors are all too happy to preach that all you need is X, where X is what they are offering :)
I think personally it’s possible to have a holistic view of what has to be done (by following the PPT principle) and at the same time like to have “point products” that will address specific problem(s). I will take one example: if I need a tool to do CDR on attachment files in corporate emails, I will go ask a specific player simply because I will know that it will be its core business and not an additional feature just put into another product. There are many examples of that.
What I would like to say here is, point products are not evil when they are used for what they were meant for, and certainly when they are easy to implement and integrate with other tools.
100%! The way I think about it - there will always be companies that specialize, and those building more generic solutions across different use cases. In most cases, it will come down to making smart buying decisions. What I don't believe is going to work is stitching 200 tools into one monster-architecture.
I am dreaming about the world where data is aggregated in one place, and different tools "plug" into that common fabric and do what they can do best without duplication. Something informed & enabled by the data gravity I've discussed before https://ventureinsecurity.net/p/game-of-thrones-in-cybersecurity
What do you think?
Interesting, I agree with you regarding the possibility of ending up with too many products to manage; it’s definitely something to be careful about.
I know that it’s not exactly the kind of tools you suggest, but what do you think of CAASM products like Axonius, Sevco or Armis, I mean not them specifically but the idea behind them?
Good question, Audry! One thing I try to stay away from is recommending or sharing my opinion on specific tools - I'll recuse myself here :) There are many great sources out there that analyze specific market categories :)
Great article Ross. There are many vendors chasing many problems, yet a large number of security incidents could be prevented with basic hygiene. And as Fred points out, most organizations from SMBs to F500 struggle to prioritize security investments relative to enterprise risk. The paradox of choice is real.
True. Any time we talk about security, it's tempting to get into generalizations - like "most issues are because of X and many companies can do Y". In reality, every company's risk profile is different, and so is its environment, business operations, stakeholder groups, etc. So while there is certainly a need for technical solutions, solving the problem effectively shouldn't start with technology. The paradox of choice is real, indeed, and so is the temptation to get a "magic tool X where you can just press a button and activate safety shield" ;)
Hi Ross, another very inspiring and truth-telling piece! Although I do have a question about the "18 pure-play cybersecurity companies listed on the US stock exchange": some companies are not included in it, such as IronNet, Cyren; is there any standard they don't fit?
Thanks Bruce, that's a great comment! Frankly, these slipped my attention - great find. Any others you'd include in the list?
So far that's all I got :) I do notice there are some cybersecurity-related ETFs (such as CYBR, HACK, BUG) and all seem to have over 30 companies in their baskets, but might not be pure cybersecurity.