Frankly Speaking 3/30/21 - Why are there so many security vendors!

A biweekly(-ish) newsletter on random thoughts in tech and research. I am an investor at Dell Technologies Capital and a recovering academic. I am interested in security, AI/ML, and cloud.

If you were forwarded this newsletter, you can subscribe here. For more regular updates,

Follow me on Twitter

It’s starting to seem that more and more people want vacations. I feel like I’ve been working non-stop since last year since we didn’t really have a “real break” for the holidays. However, I do feel like my weekends are less busy than before given the lack of social engagements. I feel like I’ve done 3 years worth of meeting in the past year. We really lose a lot of time to traveling and commuting! I definitely hope the “efficiency” created by the pandemic will allow us to have more free time.

LET’S BE FRANK

Many people ask where I come up with ideas for my newsletter. It started as something mainly for myself to crystallize thoughts from my conversations through my network. I wrote a lot in my PhD, so I feel comfortable using a medium to collect and communicate my thoughts.

This week’s post is inspired by a conversation with George Tang from JupiterOne. He asked me why there are so many security vendors. I’ve given a variety of answers over the past couple of years, but I believe I gave George one of my more coherent answers. So, he encouraged me to turn it into a blog post. Thanks George!

Here’s the heart of the problem. Security companies are suffering what enterprise infrastructure companies were suffering about two decades ago. They have too many problems and too little time/resources to solve them. However, they do have budgets to solve these problems, and many of them buy products to do this. Most startups try to find product-market fit. In cybersecurity, startups struggle with product-GTM fit!

So, what do you get with this type of market dynamic? There are many very similar products/technologies that solve different problems. That’s why so many people talk about consolidation because many of the products can be merged into a platform. Unfortunately, doing this in practice is pretty difficult.

How did we get here? In my opinion, the industry has given security an impossible job. They are always forced to react to IT and infrastructure changes. Security is being asked to work with engineering in addition to IT with whom they traditionally collaborated. Before they fully understand the cloud, they are asked to figure out containers and Kubernetes security. Then, they are asked to shift left. Now, they are being asked to integrate more security into the product. The list goes on, and COVID has only made things worse. All this while trying to deal with fundamental issues that don’t seem to be getting better such as email security, vulnerability management, etc.

Security is overloaded! It’s easier for them to have a well-defined problem statement and find a product that solves it. They just don’t have time to think about how to use a product, develop it, and apply it to another problem. This seems more sustainable as there are more problems than resources to solve. You solve one problem so that you can move onto another. Very few security teams have the luxury of thinking strategically about how to solve multiple problems. The public cloud and increased speed of development have only made this worse.

It’s also difficult and distracting for security to try to target multiple use cases because it results in higher sales and marketing costs. This cycle is self-perpetuating. More products come out and target new problems. Existing solutions fight for mindshare with sales and marketing, but they have to pick their battles, leaving room for new startups to capture the white spaces that others leave. That’s why you see the number of products grow, and startups disrupting other startups.

I do think we will see consolidation in the industry at some point but not any time soon. As long as security is overloaded with problems, we will only see more products. The research analysts like Gartner have created categories that attempt to define and standardize security products. However, in some ways, this has fueled startups to create even more categories, resulting in more products.

There seems to be a glimmer of hope with the public cloud with less heterogeneous environments, simplifying the standardization of security workflows. With more standardization, we can consolidate the number of problems in security, and maybe it’ll lead to the consolidation of security products. We are already seeing this a bit in the middle-market as organizations turn to one vendor to solve many of their problems despite not being the best in class

Trust me. I want to see fewer security products. I believe the industry will benefit from some consolidation so that security teams can spend more time solving problems rather the evaluating products.

As always, my email is open to discuss more!

TWEET OF THE WEEK

Controversial!