The Plentiful Cybersecurity Problem: Too Many Vendors, Too Little Product Sense

Let’s get one thing out of the way: the market opportunity for cybersecurity as a whole over the next 5 years is humongous. Gartner predicts it will reach $267 billion in 2026, with an annual growth rate of 11%. If there is one domain where it is difficult to find experienced professionals, it’s cybersecurity. Still, according to Layoffs.fyi, 85 companies categorized as purely security companies have laid off part of their employee base since 2022 alone, with 300 people laid off from Secureworks as recently as yesterday. This seems counter-intuitive, and I decided to understand the reason for it.

Recently I took an accelerated certification course in Product Management (from Product School; that’s another in-depth article, coming soon). My biggest takeaway is that, in the 6 years I have worked in the cybersecurity domain, I have seldom seen security companies follow robust product principles. Most of them directly or indirectly go for a product-led growth strategy (where the security software is the biggest or sometimes the only selling point), yet they do so with incomplete, sometimes counter-productive, and shockingly sometimes zero product sense. You would be surprised to know how many teams in legacy security companies actually work without a single product manager.

The Problem of Plenty

The cybersecurity marketplace is extremely crowded. There is no single dominating company, like many other domains, which in itself is actually a good thing: you have healthy competition and a continuous drive to innovate and excel. But when the pot becomes muddled with too many ingredients, in this case thousands of companies across 18+ categories according to this cybersecurity market review for H1 2023, it becomes a tasteless puddle of goo. Most startups stay afloat on venture capital investments for as long as they can sustain it and then get acquired for equal to or less than market value. The acquirer is essentially buying a good engineering product from a company that couldn’t tap the market share due to poor product and marketing strategy.

Source: https://momentumcyber.com/intel/

This problem of plenty, with so many very narrowly focused niche security vendors, results in business customers using many of them at once to provide band-aid security to their business. The entire security posture of a company is built from patches of band-aids provided by hundreds of vendors. A 2020 threat report from KPMG and Oracle says 78% of organizations use more than 50 cybersecurity products to address security issues, and 37% use more than 100 security vendors! This is mind-boggling, considering that these patchwork security services themselves increase the attack surface, partly because all the good insights get buried under thousands of alerts per day, and partly because of multiple misconfigurations across hundreds of products.

These fragmented solutions can hinder effective threat detection and response. The lack of a unified view across the cybersecurity ecosystem can make it difficult to detect and mitigate threats in real-time, as security teams grapple with managing multiple interfaces and dashboards. This challenge underscores the importance of adopting a more holistic approach to product development that focuses on integration and collaboration.

The Role of Product Management in Cybersecurity

Product management is the linchpin that connects customer needs, technological innovation, and business strategy. In the cybersecurity domain, effective product management is crucial for developing solutions that align with market demands and provide real value. However, the complex nature of cybersecurity products requires a nuanced understanding of the threat landscape, user behaviors, and technological advancements.

A Lack of Product Sense

The term “product sense” refers to the ability to comprehend user needs deeply, translate them into product features, and make strategic decisions that drive the product’s success. In the realm of cybersecurity, many vendors have fallen short in cultivating strong product sense. Instead of focusing on developing solutions that address concrete security challenges, some vendors chase trends, buzzwords, or attempt to emulate competitors without a clear understanding of their own unique value proposition.

This lack of product sense can result in products that are either overly complex or insufficiently comprehensive. An overly complex product may overwhelm users with features they don’t need, leading to a steep learning curve and reduced usability. On the other hand, an insufficiently comprehensive product may leave critical security gaps, failing to provide robust protection against evolving threats.

The Love-Hate Relationship of Cybersecurity and AI

Artificial Intelligence (AI) has emerged as a game-changer in cybersecurity, enabling the automation of threat detection, rapid response, and predictive analytics. However, the integration of AI into cybersecurity products requires a deep understanding of both disciplines. Simply bolting AI onto existing products without a thoughtful approach can lead to false positives, false negatives, and a general lack of trust in the solution’s effectiveness. A comprehensive product sense involves understanding the capabilities and limitations of AI algorithms, as well as the specific cybersecurity challenges they can address. This enables product leaders to design solutions that harness the power of AI while providing actionable insights to security teams. 

The biggest pain point in the cybersecurity community is the bias for or against applied AI in the traditional cybersecurity space. There are strong opinions in the community, which often stem from a lack of awareness of the latest developments and existing best practices in the AI space. We need to move past cybersecurity gatekeeping and collaborate with the latest technology domains, so that we move forward in tandem and are not left behind. It’s staggering to see how ineffective the AI teams are at many legacy cybersecurity companies, just coasting on academic research work and counting conference talk acceptances instead of building immediately useful, revenue-generating AI security products. This again emphasizes the lack of product sense in AI teams at cybersecurity companies.

The Way Forward: Fostering Strong Product Sense

  1. User-Centric Approach: The cornerstone of strong product management is a deep understanding of users’ needs. Cybersecurity vendors must prioritize user-centric design and actively engage with security professionals to understand their pain points, workflows, and requirements.
  2. Clear Value Proposition: Vendors should focus on articulating a clear value proposition that sets their products apart. This involves identifying the unique problems their solutions solve and communicating the benefits in a relatable manner.
  3. Holistic Solution Design: Vendors should aim to develop holistic cybersecurity solutions that seamlessly integrate with existing tools and processes. A cohesive ecosystem reduces complexity and enhances the effectiveness of threat detection and response.
  4. Continuous Learning: The cybersecurity landscape is ever-evolving. Vendors must commit to continuous learning, staying updated on the latest threat vectors, attack methodologies, and technological advancements to ensure their products remain relevant and effective.
  5. Partnerships and Collaboration: Collaboration between vendors can lead to stronger, more comprehensive solutions. Rather than trying to cover every aspect of cybersecurity, vendors could specialize in specific areas and collaborate with others to create integrated, best-of-breed solutions.

Conclusion

The cybersecurity landscape is at a crossroads where the abundance of vendors and the complexity of threats necessitate a renewed focus on product sense. Vendors must prioritize understanding user needs, articulating clear value propositions, and designing holistic solutions that harness the power of AI. By fostering strong product management practices, the cybersecurity industry can navigate the challenges posed by the crowded marketplace, ultimately providing more effective, integrated, and user-centric solutions in the battle against cyber threats.

References:

https://ventureinsecurity.net/p/why-there-are-so-many-cybersecurity

https://www.securitymagazine.com/articles/92395-of-organizations-use-more-than-50-cybersecurity-products-to-address-security-issues

Layoffs.fyi
