Standing out in the crowded security market - technology is not enough

By Kurt Marko, September 3, 2020
Summary:
Cybersecurity is one of the few bright spots in the IT budget. But it's not a market with strong product differentiation - despite what marketers might have you believe. How can cybersecurity startups achieve wide adoption?

On the crossroads

As anyone who writes about or works in enterprise IT knows, the market for cybersecurity products and services is extremely crowded, highly competitive (dare I say, cutthroat), but only marginally differentiated.

Although there are several distinct product areas, like user authentication, intrusion detection and prevention, client antimalware and SIEM (security intelligence and event management), there is significant technology and feature overlap within these segments and few genuinely unique ideas.

Basic economics would predict that a market with minimal product differentiation would soon be commodified by a flood of similar offerings, creating a race-to-the-bottom price war as vendors cut prices and boost sales incentives to win customers that see little difference in functionality, quality and support. However, cybersecurity has resisted such market pressures for several reasons:

  • Vendors have successfully obfuscated similar products under a fog of marketing buzzwords, imprecise technology claims and cross-category feature overlap, making direct comparisons difficult.
  • The effective use of fear as a marketing tactic by hyping publicly disclosed security incidents, generating a continual stream of push poll results and exploiting the general angst executives and IT leaders feel about taking the blame for a security breach.
  • An explosion of spending on IT security as business leaders look for silver bullet technological solutions to systemic problems within their infrastructure, development practices and administrative processes (see my recent column on IT security priorities for context). Indeed, IDC estimates that global spending on security products and services will increase by 40 percent over the next four years, hitting almost $175 billion in 2024. One of IDC's security analysts aptly sums up the mess this way, "Complexity abounds with security technology deployment and sprawl requiring assessment and design services."

IDC tech spending trends
(via IDC)

The result is a cybersecurity market that is simultaneously robust, disjointed and fragmented, with hundreds of players, but none large or dominant enough to control the market in the way Google does with search advertising or AWS and Microsoft do in cloud computing. 

Mordor cybersecurity market
(via Mordor Intelligence)

Source: Mordor Intelligence: CYBERSECURITY MARKET - GROWTH, TRENDS, AND FORECAST (2020 - 2025)

Despite the market complexity, product overlap and dearth of genuinely innovative ideas, there's a continual stream of new entrants to the security sweepstakes, capitalizing on the willingness of executives to prioritize spending on security even in tight budget years and the ready availability of venture capital. According to the National Venture Capital Association (NVCA), the so-called 'dry powder' ready to invest in a promising idea is at a record high, as it details in a recent report.

"At the end of 2019, 1,328 venture firms were in existence (i.e., those who have raised a fund in the last eight years). These 1,328 firms managed 2,211 venture funds and had approximately $444 billion in US venture capital assets under management (AUM) and $121 billion in dry powder at the end of 2019."

The steady stream of security startups raises the question of why VCs continue to invest in the arena and how they select promising candidates. For many years, VCs appeared to look for a company with enough technology or performance differentiation to establish a customer base, allowing it to demonstrate a unique or superior method of solving a particular problem, and where the exit strategy was being acquired by a large incumbent IT company. However, now that the Ciscos, Dells, VMwares, Microsofts, HPs and Broadcoms have filled out their security portfolios, the acquisition end game is much riskier. So, what else might attract investors to the security market? I recently had a conversation with Collin Gutman, Managing Partner at SaaS Ventures, to find out.

US Venture Capital AUM by year
(via NVCA)

Source: National Venture Capital Association (NVCA) 2020 Pitchbook

Great technology is table stakes

As the name suggests, SaaS Ventures is an early-stage fund focused on enterprise technology delivered as SaaS since Gutman and his partners believe that the model offers "the highest likelihood of success and represents the best investment opportunities." Furthermore, Gutman says the firm targets companies in "second-tier markets, not Silicon Valley, San Francisco or New York," which he feels are saturated with VCs and thus less likely to produce investment opportunities. About 80 percent of the firm's funding goes towards "the new economy of goods," primarily in manufacturing, logistics, cybersecurity and e-commerce enablement. The firm's recent economic analysis illustrates the diverse markets its portfolio members call home.

SaaS Ventures Monthly Economic Analysis August 2020
(via SaaS Ventures)

Source: SaaS Ventures Monthly Economic Analysis August 2020

When evaluating security startups, Gutman says that a solid technology foundation is table stakes, but developing a unique technical advantage isn't necessary. "Having good technology is no longer the investment thesis," he adds. Instead, Gutman says that most large enterprises are less discriminating when procuring security products, buying everything they see addressing one of their critical threats, whether those involve vulnerability detection, content filtering, DLP, DDoS protection, or identity management. 

When evaluating a pitch deck, Gutman says that "Slide one better be about good technology, slide two extolling founders' resumes and slides three through 10 detailing the company's go-to-market strategy," adding that "What makes a successful company is your novel go-to-market."

SMBs and the VARs and MSPs that service them are a particularly attractive target customer for Gutman's investments. He cites Huntress Labs, which provides breach detection and management services for MSPs, as an example of a SaaS Ventures firm with world-class technology - its founders came from U.S. intelligence agencies - targeting an underserved market. Gutman sees several other business plans and markets as opportunities in cybersecurity, including services designed for:

  • Retailers of all sizes and the consulting firms - he mentioned CDW and Deloitte - serving them. 
  • App marketplaces and ecosystems that complement established security giants with large portfolios like CrowdStrike, FireEye and Tufin.
  • Bottom-up organic sales to workgroups like DevOps willing to build a unique toolchain with services that enhance the productivity of an individual or small group.
  • The "modernization of Main Street businesses" needing online services to remain competitive in a post-pandemic world.

Within the broader security market, product categories Gutman finds particularly attractive are:

  • Data privacy
  • Secure data transmission in decentralized WFH and mobile environments 
  • Application 'middleware' management such as API gateways, app federation and other services providing the glue between multiple systems.

My take

As business and society lurched into an online existence in response to the pandemic, an enterprise's online infrastructure and operations became critical to survival. As I have detailed in previous columns, the disruption of normal business accelerated many IT trends and only increased the need for a robust cybersecurity posture. The fact that cybersecurity is one of the few areas of IT largely unaffected by budget cuts resulting from this year's business disruption is further evidence of its criticality. 

Strong spending on security is also fueling the continued emergence of security startups despite the already crowded competitive landscape. Standing out in such an environment isn't easy, but VCs no longer expect unique technology. 

MBAs learn that the primary avenues of product differentiation are:

  1. Features
  2. Performance
  3. Proprietary technology (used to deliver the first two)
  4. Design (physical or UI) and user experience
  5. Customer experience and support
  6. Quality and reliability
  7. Price and pricing/monetization model
  8. Sales channel and target customer, i.e. go-to-market (GTM) strategy

In the crowded, mature market for enterprise security products, the first six items offer few opportunities to stand out, which leaves price and GTM as the primary means of competitive differentiation. However, since enterprises are throwing money at their cybersecurity problems, price is seldom a purchase inhibitor, which leaves choosing the right customer and sales vehicle as the main path to startup success.