Recently, ESG completed its second annual enterprise-class cybersecurity vendor research. The story behind this project goes something like this: Enterprise organizations (i.e., those with 1,000 employees or more) have too many point tools and are now engaged in projects to integrate security technologies while eliminating some tools and vendors along the way.
This sets up a security market where enterprises buy more products from fewer vendors, and this will have a big market impact: fewer transactions, more large deals, longer sales cycles, increased CISO oversight over procurement, intense competition, etc.
I realize that this is antithetical to the way the security industry has always worked in the past when large organizations bought best-of-breed technologies for every layer of a defense-in-depth architecture. The data indicates that this historical mindset is changing, however: 62% of survey respondents say that their organization would now consider buying a majority of its security technologies (as well as managed security services) from a single enterprise-class cybersecurity vendor.
Okay, so what qualifications are necessary to be considered an “enterprise-class” cybersecurity vendor? ESG asked respondents this very question and the top two responses are extremely interesting to me:
- 34% of respondents say that the most important attribute is a cybersecurity product and services portfolio that aligns with strategic IT initiatives.In other words, CISOs want to work with vendors with hands-on and deep cybersecurity knowledge of digital transformation, IoT applications, mobile applications, DevOps, etc.
- 27% of respondents say that the most important attribute is cybersecurity expertise specific to my organization’s industry. I’m particularly happy about this data point as it supports my thesis that cybersecurity is becoming a vertical application, driven by industry-specific IoT devices/applications, business processes, risks, regulations, etc.
The rest of the list consists of enterprise “motherhood and apple pie” attributes: enterprise-class cybersecurity vendors must offer broad portfolios of products and services, world-class threat intelligence, product scalability, manageability, integration, etc.
We are at the beginning of the “platform wars” where security vendors compete for a much larger part of enterprise spending. This means that a few vendors will break from the pack. We’ll see one or more $5 billion enterprise cybersecurity vendors within the next few years. To get there however, cybersecurity vendors will need to change their stripes a bit as follows:
- Vendors will need extensive business/IT chops, not just security acumen. Furthermore, cybersecurity vendors must move beyond horizontal security technologies and gain a deep understanding of risks associated with vertical business processes. To get there, security vendors will have to invest in business/IT training, industry marketing, recruiting industry experts, reorganizing their sales forces and channels, etc.
- Most security vendors have a transactional sales model today that is based upon what users are buying at the time. This month, it is a web security subscription renewal, next month its cloud workload security purchased by a different group with a different budget. As organizations seek out enterprise-class distributed security solutions, vendors must establish a sales model built for long sales cycles, engineering support, and lots of customer hand-holding. Think Oracle and SAP rather than traditional McAfee and Symantec.
- Similarly, sales strategies must continue to target technical buyers but should also be geared toward CISO communications, value propositions, and requirements. Once again, few security vendors know what CISOs do daily, let alone know how to communicate at a security executive level.
Enterprise CISOs have a tough job as things are changing quickly and the old ways of doing things are no longer adequate. This is changing what technologies they need and whom they will buy them from. Vendors that navigate through this transition will be rewarded handsomely while stragglers will be left behind. This means that the enterprise cybersecurity market is in play like never before.