One of the biggest breakthroughs in cybersecurity has nothing to do with products or services.

It's happening in purchasing.

Yep, purchasing.

Cloud security and name-your-favorite-category are cool and all, but purchasing is cybersecurity's hundred billion dollar problem.¹

I lived the pain of buying and selling cybersecurity products and services for over a decade. Nobody likes buying or selling things the way we do today...yet here we are.

If you've had similar experiences in your career, you understand exactly what I'm talking about. If you haven't, let me tell you: it’s brutal.

We're at a crucible moment in time, caught between the past of top-down sales and steak dinners, reeling from the illusion of Product-Led Growth (PLG), and more discontent about buying and selling cybersecurity products and services than ever.

A shift is underway. The early signals are visible, but only to savvy observers.

That's why I'm joining Ken Yao and the team at Cyberse as an advisor. They're uniquely capable of understanding the nuances of cybersecurity purchasing and the needs of the buyers and sellers of tomorrow.

To say I'm amped to help bring a company like this into existence is an understatement.

Let me tell you the reasons why I think cybersecurity purchasing is going to change dramatically and why marketplaces are the best way to do it.

...okay, okay — I need to tell you. It's cathartic. I have a lot to say after living this pain daily for more than a decade.

Let me start by telling you a quick story about my favorite thing I've ever bought.

My gold standard for major purchases

I just bought my first Tesla a couple weeks ago. You know what else I want to be like buying a Tesla?²

Everything.

Seriously. The process of buying a Tesla is how every major purchase should work.

Every step in the process is meticulously thought out.

Test drive? Book the exact time you want online. No schmoozing with salespeople. There isn't even a key. Just get the app, head to the store, hop in, and drive.

Shopping the inventory? It's all there on their website. No clunky dealer or third party aggregators needed.

Buying the car? The purchase is basically complete before you ever set foot in the store. No need to block off three hours of your day to haggle with salespeople or sign a five-foot stack of paperwork. The car costs what it costs, and you can buy it right in the app.

Anything in the process that went sideways was my fault (expired driver's license...whoops). But even when something did go wrong, their process handled it gracefully and kept on moving.

I'm not saying I never wanted to talk with a human during the purchasing process. I had questions about which home charger to choose, and it really helped to talk with someone.

But talking with someone wasn't the default. I had all the information and process available to me if I wanted to make all the decisions myself. The inventory was clear. The price was clear. The steps were clear.

What a huge difference that makes.

I have seen the future, and there's no going back. Any lesser experience than this one isn't good enough.

This is exactly the problem. Other major purchasing experiences (ahem cybersecurity products and services) aren't like Tesla.

You can barely see a product without booking a live demo. Pricing? Ha – “Talk to Sales.” Need help deciding what to buy? You’ll need a consultant for that.

Tesla isn't a marketplace, of course. The important idea here isn't explicitly a marketplace — it's a flawless purchasing process.

Cybersecurity does not have a flawless purchasing process. Far, far from it.

This critique is so widely accepted that I don't even need to say anything about it. I'm only going to because it's entertaining.

Tales of cybersecurity purchasing inside the world's largest enterprises

Let me give you a few quick examples from my own career about just how wacky cybersecurity purchasing is.

A company spent three months evaluating a secondary technology for a major strategic program in their security organization. They flew in no fewer than ten vendors for in-person demos, got wined and dined weekly, and basically stopped everything else they were doing. They didn't buy any of the products.

Another company repeatedly bid out phases of a multi-year project with no intent of choosing any of the other participants. They leaked our full proposal to a competitor to help make their response better. The procurement processes ran for weeks, delayed the program, got someone fired, and saved no money in the end.

Cybersecurity companies can be pretty wasteful too. One of them flew in entire sales teams multiple times to meet with us — usually for "relationship building" (nice dinners and drinks) or potential deals even the most junior team members could call out as unqualified. No deals were closed, and most of the sales team was let go.

We don't have time for these shenanigans anymore. Not during the expense management era we live in today.

I'm not saying all sales meetings (or salespeople) are bad. Face-to-face is always valuable when it's high impact.

But doing 'things that look like work' isn't going to cut it. You can have sales meetings, procurement processes, whatever — but they'd better be a good use of time.

I know this sounds cranky. That's the point. My generation of buyers is divinely discontent. Let's talk more about why.

The next generation of cybersecurity buyers is divinely discontent

My Tesla buying story is off-topic, but it's a critical insight into where cybersecurity purchasing is headed.

People like me (30 and 40-something-year-olds, now at Sr. Manager/Director/VP/CISO level) are the next generation of security leaders and buyers. Tesla is the way we want cybersecurity purchasing to work.

There's a great Jeff Bezos quote about this hard-to-nail-down sentiment. It's from Amazon's 2017 Letter to Shareholders. Bezos describes customers as "divinely discontent":

One thing I love about customers is that they are divinely discontent.

Their expectations are never static – they go up. It’s human nature. We didn’t ascend from our hunter-gatherer days by being satisfied.

People have a voracious appetite for a better way, and yesterday’s ‘wow’ quickly becomes today’s ‘ordinary’.

Divinely discontent.

Guess what? Thousands of cybersecurity buyers already have a voracious appetite for a better way. Thousands more are going to be in senior leadership positions during the next decade and beyond.³

Like it or not, we're going to get our 'better way' sooner or later. In the world of cybersecurity purchasing, marketplaces are one of the ways.

VARs are the legacy model. My generation of practitioners would rather not work with them.⁴

We don't want to deal with vendor sales or bake-offs either. A good marketplace is the right balance — just buy what you want and get started.

Millennials don't want to waste time buying things. We don't like dog-and-pony shows.

We want information, decision support, and low friction.

We want people to be available when we need them, but technology-driven workflows need to be the default option.

We want sales-assisted purchasing, not sales-led. You can buy my steak dinner after the purchase has been made.

This shift in cybersecurity purchasing behavior is playing out in plain sight. Cloud marketplaces are a big clue.

Marketplaces are already here, they're just not evenly distributed

You've probably seen a few marketplace-related announcements in passing from large cybersecurity companies:

Palo Alto Networks hasn't disclosed specific numbers about their cloud marketplace partnerships, but they may have given the most definitive endorsement of all:

"It’s not just where the puck is headed. It’s where the puck is now." —Prem Iyer, SVP, Global Ecosystems at Palo Alto Networks

It's easy to write announcements like these off as run-of-the-mill PR, though. I can't blame you. I did for years.

My wake-up call came when I found out PwC had quietly started selling cybersecurity services on the AWS Marketplace. I never thought this would happen when I left the firm five years ago. Like, bet my entire retirement savings, never. Good thing it wasn't a real bet.

Once I started paying attention to this marketplace trend, subtle hints started popping up everywhere. Here's another shocking example you probably haven't heard about yet.

Vendr, a YC-backed marketplace upstart, just shared this data about Wiz:

All of these numbers are surprising, but one stands out to me: mid-market buyers have an average Annual Contract Value (ACV) of $138k with Wiz.

Transacting 1% of Wiz's total revenue is pretty significant, too — that's $3.5 million annually at Wiz's most recent $350 million ARR disclosure.

The most staggering clue of all was buried deep in a random vendor webinar about Wiz: "As of today, roughly 50-60% of our revenue goes through the marketplaces."

Wiz, the fastest growing company in the history of software, is generating more than half of its revenue through marketplaces. They found a cheat code most cybersecurity companies haven't caught on to yet.

Now that our eyes are wide open, let's adjust the aperture. If we zoom out and look across the entire software industry, the marketplace numbers start to get wild. 

In a recent Canalys study, 80% of surveyed channel partners (read: product or services companies) have already seen customers buying from cloud marketplaces. Eighty percent. Today.

By 2025, they estimate cloud marketplace transaction volume will hit $45 billion with an 84% compound annual growth rate (CAGR).

It's hard to find a market in cybersecurity or all of tech with a higher growth rate. Yet we barely pay attention to this one because marketplaces aren't a typical product or service.

Forecasts aside, these anecdotes and data points can be taken as signals about willingness (if not straight-up preference) to buy and sell software and services through marketplaces. 

I think the trend is going to continue as the divinely discontented millennials inevitably assume leadership positions. We don't buy like previous generations of buyers. We’ll put up with the old way of doing things, but we’ll jump at the first chance we get for a better way. 

PLG, enterprise sales, and VARs will never go away, of course — but the better way is right in front of us: marketplaces.

There's just one problem. Cybersecurity is an infinite abyss. It's confusing to buy cybersecurity products and services on cloud marketplaces because cybersecurity itself is confusing.

Here's the part where Cyberse and cybersecurity-focused marketplaces come in.

Why we need a cybersecurity-focused marketplace

Why do we need a marketplace just for cybersecurity? Aren't cloud marketplaces good enough?

Head over to the AWS Marketplace and tell me which of the 4,621 (and counting) security products and services to buy. Go ahead. I'll wait.

Relying on a cloud marketplace for most or all of your cybersecurity purchasing is more theory than practice right now. You can buy products and services, and they'll give some information and guidance to help you — but you're mostly on your own.

Today's cloud marketplaces are the last mile of procurement. They're a centralized place you can go to execute transactions. This is a breakthrough in and of itself, but it's only a fraction of the end-to-end process for buying products and services.

A typical purchasing process for cybersecurity software or services.

There's a reason why consultants, VARs, and industry analysts are some of the most powerful players in the cybersecurity industry. Planning, buying, and implementing a full security stack is hard.

Buyers need advice and guidance to make the right decisions. Much of the time they rely on third parties, who sometimes have misaligned incentives. Or they just buy the "safe" product everyone else is buying. Nobody gets fired for buying IBM.

Capturing the transactional part of the value chain is important, but it's incomplete. The opportunity hiding in plain sight is to vertically integrate large parts of the value chain for a specific industry — cybersecurity, in the case of Cyberse.

Done well, a vertically integrated marketplace for a niche domain will always be more relevant and valuable than a cloud marketplace could ever be. It will also be more objective than consultants, VARs, and the smattering of decision support resources companies rely on today.

Cybersecurity is still too specialized for cloud marketplaces and technology resellers to have the domain expertise buyers truly need to make good purchasing decisions. Because of this, the marketplace needs to be semi-opinionated to help buyers architect solutions, narrow down their options, and help make sure the products and services they buy meet their objectives.

We need a single place to do market research, assess and gather requirements, discover and evaluate recommended products, and make purchases. No expensive consultants, VARs, or analyst subscriptions — just exactly what you need to buy the right cybersecurity products and services for your company.

This is exactly what Cyberse is building, and why I'm so excited about it. 

Cyberse cuts through the exceptionally loud cybersecurity marketing noise and gets straight to the point: giving you the industry knowledge and data you need to make the best decision for your needs.

Reimagining the cybersecurity purchasing process for the divinely discontent, Tesla-buying, millennial leaders-in-waiting has huge consequences. Let's finish by talking about what's at stake once this behavioral shift actually happens.

What's at stake: growing the TAM of cybersecurity

McKinsey wrote a research report that bent my brain in a way that hasn't happened in a while. The punch line: the cybersecurity industry has so far reached only 10% of its overall TAM, because large portions of the market are under-served.

...wait, what?

Yeah, that caught my attention too. The article goes on to explain:

Currently available commercial solutions do not fully meet customer demands in terms of automation, pricing, services, and other capabilities.

...

This does not imply the market will reach such a size anytime soon (current growth rate is 12.4 percent annually off a base of approximately $150 billion in 2021), but rather that such a massive delta requires providers and investors to “unlock” more impact with customers by better meeting the needs of underserved segments, continuously improving technology, and reducing complexity.

Here's a visual to go along with it:

McKinsey cybersecurity TAM gap analysis.

Even if you don't buy into the exact numbers (I don't, but they're only estimates), anything remotely close to this situation is astonishing.

How did this happen?!

A partial explanation: our products, services, and purchasing processes are all very enterprise-focused.

The traditional top-down sales model doesn't work for Small Business (SMB) and Mid-Market (MM) customer segments. Most cybersecurity companies can barely afford to support this model for enterprises. There's effectively zero chance of doing it profitably for smaller customer segments — and even if most could, buyers in this segment don't have time to run enterprise-grade procurement cycles anyway.

Serving the SMB and MM customer segments is a problem we can tackle right now. As the McKinsey report shows, this alone is a big opportunity. But it's not the full story here.

What happens when the divinely discontent millennial cybersecurity leaders are the majority of buyers in cybersecurity? 

Marketplaces will become the de-facto model for how cybersecurity products and services are bought and sold.

That's why we need a cybersecurity-focused marketplace: to address both under-served market segments and the new generation of buyers in our industry.

It's a gradual, compounding transition — but it's going to be so, so impactful when the rapidly approaching inflection point hits.


Acknowledgements

Thank you to Ken Yao and the team at Cyberse for patiently hashing out multiple iterations of this thought process with me.

Also, thanks to Jonathan Cran for sharing the stat about Wiz's marketplace revenue percentage. No way I would have found this on my own.

Footnotes

¹Relatively speaking, as an order-of-magnitude statement, not a precise estimate. I say this based on Gartner's latest Global Security and Risk Management Spending forecast and a McKinsey report we'll get to later in the article.

²I mean this literally — as in the process of buying, configuring, and operating the car, not the drama and nonsense created by Elon Musk himself. I don't condone or agree with a lot of his behavior, but I also think credit needs to be given for his inventions (and many other more decent people at Tesla).

³Statistics about millennials in the workforce and leadership positions are fuzzy, so I'm not going to cite specific data. Roughly speaking, we've been the largest generation in the workforce by percentage for several years now, but it's still a minority percentage. We'll be a majority percentage by ~2025. Leadership positions (VP+) will follow shortly after. Some of us are already in them today.

⁴Nobody really does today either, but they tolerate VARs because they make the traditional procurement process just a shade less miserable.
