Why security is a bad business

It's competitive and fragmented.

Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

Photo by CHUTTERSNAP on Unsplash

In the past decade, we have seen a huge increase in cybersecurity products. CISOs and security leaders have been struggling to navigate a convoluted and changing landscape. There are tools with overlapping functions, and security sales and marketing have ramped up. A day doesn’t go by when a security leader doesn’t receive a cold call. One of the major struggles is to keep up with the tooling and solutions out there. Many times, security teams spend the majority of their time researching the right vendor.

How did we get here?

It’s a combination of changes and trends. In general, technology has become a more prevalent part of organizations. With the rise of the cloud, it’s much easier to use technology with relatively low infrastructure costs compared to the past. In this more digital setup, organizations have become larger targets for cybersecurity threats. It doesn’t help that technology stacks constantly evolve as companies aim to stay competitive. The result is that there is more exposure and threats, which have led companies to invest more in their cybersecurity organizations. All these effects have led to the market growing. Therefore, there has been more activity in the space with VC funding, acquisitions, and increased market caps of public security companies.

It also helps that security has been a consistent spending category historically, and it seems like a persistent problem, i.e. security will never go away. Especially to investors, security as a category feels like a required spend rather than a discretionary one.

Finally, security for a technology typically lags behind the technology itself. This makes sense. There’s no reason to develop security for a technology when its success and use cases are unknown.

Cybersecurity is a tough business