The cybersecurity ecosystem mapping project I launched in September 2021 has been (by far) the most popular article on Strategy of Security so far. There was something extra special about the project that resonated with thousands of people.
In the months since the original mapping was published, many people have told me it was how they first found out about this publication. For others who have joined later, this could be the first time you've seen the mapping outside of passing references I've made in other articles. Regardless of your starting point, I view the ecosystem mapping project as a foundational activity for my work.
Today's article is different type of piece than I've been writing recently. Instead of looking outward at cybersecurity companies or topics, I'm looking inward at the cybersecurity mapping project. We'll cover a few topics this week:
Reflection and analysis: A bit of reflection and analysis on the cybersecurity mapping project with highlights and interesting observations.
Mapping updates: The main objective — I made some significant updates to the ecosystem mapping. This article summarizes all of them, along with some additional commentary.
Future plans: I have a few different ideas about the direction this project could go in the future. It's too early to share them all yet, but I would love your input on how the project has been useful to you.
It feels like these updates to the mapping are long overdue. Needless to say, an updated version has been building for months. I'm excited to finally bring it to you.
If you want to skip straight to the updated version of the mapping, you can find it at the link below. The URL is the same, but the page has now been updated with everything we're about to discuss in this article.
Reflection and Analysis
To say I'm surprised about how popular the cybersecurity ecosystem mapping project has been is a huge understatement. I thought it would be a useful reference but never expected it to be shared so widely or viewed so frequently for months on end.
My plan was to publish the initial version of the model, use it myself, and see where it broke in practice. That definitely happened — a lot more often than I expected. I thought I did a relatively comprehensive job in the first version, but I was surprised at how many omissions or "this doesn't make sense" moments I had after publishing it.
What I take away from my mistakes is that understanding and defining the cybersecurity ecosystem is hard. I have worked in cybersecurity for basically all of my working years, and I still missed basic things when building this mapping. Looking back, I have just accepted this is going to happen. The mapping gets better and more accurate with every new iteration.
Bigger picture, I still don't understand exactly why people are so interested in the topic of cybersecurity industry mappings. I've developed a few working theories as I've talked to people, looked at the data, and explored the ecosystem in more depth after the article was published.
In general, I think mappings like this one are useful because cybersecurity is so vast. It's a legitimately confusing field, and that's...unnerving to people. We're all on our own version of a search for understanding about what's happening and how we fit in. The combination of uncertainty and our desire to find our own place is why industry mappings are useful.
There also seems to be a lot of value in defining the industry at a granular level. I think a lot of the mapping's value comes from the taxonomy, both depth and breadth. Sometimes this doesn't matter — a general grouping of companies by domain is fine. In other cases (like venture capital), the nuanced differences matter a lot.
Finally, there seems to be a lot of value in the cybersecurity ecosystem visual itself. I spent a lot of time designing this, and I'm happy with how it turned out. It's definitely a busy visual with a lot of improvements that could be made. However, it's proven to be useful for many people in ways I couldn't have imagined.
I expect that I will continue to learn more and evolve my thinking and understanding over time. It's been a useful project for me personally as I've stretched the boundaries of my understanding about the ecosystem I work in.
Cybersecurity Ecosystem Mapping Updates
Now, on to the important part — the updates. The punch line is that I made a lot of updates. This wasn't a total overhaul, but far more updates than the few minor changes I've made in the seven months since it launched. In Semantic Versioning terms, it's like a minor update to v1.1.0.
All of the updates are summarized in alphabetical order to keep things organized. Some updates are more major than others (especially in Digital Identity and Privacy). I've tried to call out major updates while also keeping track of notable but minor updates.
Angel and Seed Investors
I added seed stage investors to the Investors category to make the distinction between early and later stage venture capital.
The seed rounds cybersecurity startups are raising keep getting larger. Operators and other less traditional types of investors have entered the picture as valuable investors at this stage. Angels and seed investors are clearly important enough to have their own place on the mapping.
Cloud security is still a moving target and rapidly evolving part of the ecosystem. However, segments of this market have relatively agreed upon definitions now. The mapping was updated to reflect the ones I feel are accurate.
I updated the naming of Cloud Workload Protection Platforms (CWPP) and Cloud Security Posture Management (CSPM) to reflect current industry naming conventions for these emerging markets. I also updated the example companies within them, mostly to map companies in the original version to more accurate categories.
Cloud Infrastructure Entitlements Management (CIEM) was added as a new category. This technically could map to Authorization instead, but I included it in Cloud Security since the focus of this category is specifically on access within cloud platforms.
I expect the markets and mappings in this category to keep evolving at a faster pace than other parts of the market. The pace of change is a good thing — both because the pace of innovation is needed, and because our mutual understanding of the market and companies within it keeps improving.
I added DevSecOps as a category under Application Security. This seemed like an obvious miss in the original version. However, the term is so broad that it encompasses several areas of application security. It's actually hard to map companies/products directly into it.
Rather than forcing company mappings to work, I focused on the methodology itself and included links to resources in the mapping. Many of the products listed under other Application Security categories are a great fit for DevSecOps, but they didn't make sense to me for a direct mapping.
I might change my mind about this, but in general, there is no doubt that DevSecOps needs to be in the mapping.
The category formerly known as Access Control in my original mapping saw some major updates in this new version. It's totally revamped now.
Looking back on the original mapping, many of the categories felt academic and by-the-book. It was accurate but felt...out of touch with some of the awesome things that are happing in this part of the cybersecurity ecosystem.
The recently released Liminal Landscape had a major influence on this set of updates. Liminal's approach and methodology for defining the market are fantastic. Their landscape is a highly recommended read if you're spending time thinking about this part of the ecosystem.
In addition to the top-level name change to Digital Identity (much cooler), I made updates to several category definitions and company examples to modernize them.
I also added Password Managers, which was a huge miss from the first version — especially after I wrote nearly 7,000 words about a password manager in a single article.
File Integrity Monitoring
I renamed File Integrity Protection to File Integrity Monitoring to be consistent with current vendor terminology.
I also moved this category from Privacy to Endpoint Security. The market is more focused on the endpoint security aspects of file monitoring (e.g. malware and intrusion detection) than privacy, so this felt like a better fit.
Finally, I added CrowdStrike as an example company because of their recent File Integrity Monitoring product acquisition.
My original definition of "intelligence" was a bit fuzzy, so I defined it more clearly in this set of updates.
I created a general category for Intelligence, moved Threat Intelligence under it, and added OSINT. OSINT is its own domain, and an important one in cybersecurity.
I added Investment Banking under Investors. This wasn't included in the original mapping. That was a miss because investment banking plays a huge role in M&A within cybersecurity and tech at large.
For example, firms like Momentum Cyber focus exclusively on cybersecurity transactions. Cybersecurity is also a significant part of the deal portfolio for other firms.
Messaging Security has been a relatively busy area of the ecosystem recently. Cloudflare acquired Area 1 Security in February, and startups like Tessian are continuing to impress.
I moved Messaging Security under Network Security and added Tessian as an example company.
Privacy received the largest number of updates aside from revamping Digital Identity.
Privacy tech has become its own distinct market separate from Data Protection. As a result, I separated Privacy and Data Protection, moving Data Protection into a secondary category under Privacy.
Privacy has a maturing set of enterprise-focused products for privacy program management and enterprise privacy management. The International Association of Privacy Professionals (IAPP) helped a lot here with a full report on privacy tech vendors. The revisions bring the ecosystem mapping into closer alignment with the IAPP definitions.
Secure Web Browsers
I added new category for Secure Web Browsers to Endpoint Security. There has been lots of recent funding and innovation in this area after the original ecosystem mapping was published. Startups like Island made a grand entrance and put this market on the map. It's an interesting one to watch going forward.
Security Architecture was another glaring omission from the original mapping. I had a hard time defining this one because specific instances of security architecture — most notably Zero Trust Architecture (ZTA) — get talked about so much that they feel like their own category.
If we take a step back from the buzz, topics like ZTA, SASE, SDP, and the like are all different examples of security architecture. When I looked at it that way, the definition of Security Architecture as a category made sense.
As a result, I added it to Governance, Risk, and Compliance. The mapping to GRC might not be the appropriate long term fit, but didn't feel like Security Architecture was defined enough to be a top-level category yet. Regardless of placement, Security Architecture is an influential category in the cybersecurity ecosystem.
Spyware and Stalkerware
Unfortunately, use of spyware and stalkerware is an emerging issue within cybersecurity that merits its own category in the Cyber Crime portion of the ecosystem mapping.
This might be the most controversial update in that there is a fine line between commercial "parental control" software and legitimate malware. What matters is how it's used.
Technically, this software could be used for legitimate (albeit questionably legitimate, IMO) purposes. However, it can also be misused. Grouping this category and set of example companies under cyber crime isn't an indictment of the companies, per se — it's an observation about their potential for misuse in the hands of bad actors. I'm sure I'll get PR emails about this.
Organizations and companies are also emerging to mitigate threats posed by spyware and stalkerware. I intentionally didn't put them in the same grouping. A couple examples are Coalition Against Stalkerware and Malloc from Y Combinator's S21 batch.
Software Supply Chain Security
Software supply chain security has been one of the hottest, if not the hottest, topics since my original mapping came out. It was brought into focus with President Joe Biden's executive order on Improving the Nation's Cybersecurity. Guidance from NIST quickly followed.
I had originally included Supply Chain Security as a category within Phisical Security. In this update, I thought it would be best to focus on software supply chain security because this is now a specific market within cybersecurity that's well understood. Broader supply chain security in a physical sense is still important; it's just adjacent to cybersecurity.
To match the current thinking and terminology, I eliminated Supply Chain Security from Physical Security and created a new category for Software Supply Chain Security under Application Security. The updated mapping also includes a fresh set of newly-funded startups as example companies.
Trust and Safety
I added new category for Trust and Safety under Fraud and Transaction Security. This is an emerging category of tools that's closely related to cybersecurity. Cinder from Y Combinator's W22 batch is a good example that I've covered recently.
Zero Trust Network Access (ZTNA)
Finally, Zero Trust Network Access (ZTNA) is a new category under Network Security. This category has a formal definition from Gartner, which is plenty of validation to include it here. Companies like Appgate, Zscaler, and Palo Alto Networks all have strong offerings in this category and have been added as example companies.
Future Updates and Evolution
The good part about the ecosystem mapping project having some traction and feedback is that I now have options for where to take it next...and all of them are awesome. I'm not ready to make any major announcements yet, but know that I've been thinking a lot about how to take this project to the next level.
One specific update I'm committed to is making frequent, iterative updates instead of major updates like this one. If I spot a trend, error, or a great new company, I'm just going to make the change instead of accruing a bunch of updates to make later.
With this update, I'm launching a public GitHub repo with the Markdown under version control. For now, this includes the written portion of the mapping with category definitions and example companies. Any changes I make to the mapping will show up in the repo and get updated on the Strategy of Security site.
You're welcome to submit pull requests if you have changes you'd like to review and incorporate. I reserve the right to decide which ones I incorporate, but I'm definitely open to input that improves the quality of the project.
I have also created a survey to collect feedback about how you're using the visual and data (or how you'd like to use it). Any feedback I have collected so far has been anecdotal, so this is an attempt to be more scientific about it.
One final note: a piece of feedback that stuck with me came from talking with an investor shortly after the original mapping launched. They told me, "it sounds like this project was 20 years in the making."
I hadn't thought of it that way, but they're exactly right. It took me over a month to literally build the visual and data for the mapping, but the process of understanding the ecosystem has taken decades.
This observation is also telling about the future of the project: I'm still working on my understanding. This process could continue for the next 20 years. That's an exciting thought for me, and I'm looking forward to seeing where this project goes over time.