Cybersecurity's Class Conundrum: Winner-Take-All Market Dynamics

The cybersecurity industry isn’t winner-take-all, but its markets are.

That's the part I was missing when I wrote Cybersecurity's Class Conundrum three weeks ago.

The core observation from the original piece was clear: the cybersecurity industry has a growing class divide between its companies, and the gap is only getting wider.

Okay, great. But what now?

I was still missing the punch line about why this matters and what it means.

Class divides are one of the most common outcomes in capitalism. The winner-take-all market dynamics that cause them are really common, too.

Cybersecurity just hasn't experienced many of these dynamics yet, even though our industry has been around for a little while.

When industries are at this point, one of two things usually happens.

People are totally unaware the dynamics are happening and keep doing what they're doing — which is easy to do because their effects aren't very obvious yet.

Or, people are aware of the dynamics and deny they're happening. I've seen enough renditions of the "cybersecurity is special" argument to know this belief is common.

Either scenario leads to bad outcomes, or at best sub-optimal ones. Consciously or unconsciously, they've missed a powerful force and how it's going to impact them. It's the business version of not seeing the weather forecast for a hurricane or catching the forecast but deciding to stay put.

The good outcomes come from people recognizing the dynamics early, making high-probability predictions about what will happen, and taking action. It's really hard, but doing all of this right means you, your company, or anything else you care about comes out ahead.

I think this is the point we're at right now in cybersecurity — the "not too early, not too late, but better hurry" inflection before serious market dynamics take over. We need to have a practical discussion about the effects winner-take-all market dynamics are going to have on our industry.

Let me start with a quick story about how I learned market dynamics the hard way.

Why you're reading this instead of shopping at my grocery store

In a parallel universe without strategic forces and market dynamics, I would probably be helping my extended family run a small chain of grocery stores in Iowa.

My grandpa opened our family's first independent grocery store in 1973, just one year and 70 miles apart from the first Wal-Mart in the state. The family business thrived in the 1970s and 1980s, growing to four stores across eastern Iowa and employing hundreds of people.

That's where the winner-take-all markets part comes in and bends the arc of my life dramatically.

Walmart went public in 1970. They had 38 stores at the time — ten times more than my family's modest chain of four stores, but not orders of magnitude larger in size or scale.

You know where the Walmart part of the story goes from here. They had 1,400 stores and $26 billion in revenue by the end of the 1980s. They also spent these two decades developing and refining their business model, including the most sophisticated logistics system in retail. This period was the foundation that eventually made Walmart the largest retailer in the world.

By the end of the 1980s, my family's business had...four stores. This was the same local-first, long-tail strategy that worked wonders for all kinds of retail businesses before Walmart came along.¹

Before Walmart came along. That's how stories like this happen. Everyone thinks an industry works a certain way — until it doesn't. By then, it's too late.

Market dynamics are powerful and brutal forces. Walmart was playing a winner-take-all game while everyone else was following the playbook of decades past.

I never worked in my family's grocery stores. It's fortunate I didn't. The last store was sold in 2023, ending a 50-year era of the family business at the 2nd generation. Being a 3rd generation independent grocer on the wrong end of winner-take-all dynamics is not a strategic position I'd want to be in.

Next, let's talk about how tech made the forces behind winner-take-all markets even faster and more severe than old school businesses like my family's grocery stores.

Winner-take-all markets in tech: like grocery stores, but bigger and faster

Marc Andreessen originated the current version of thinking around winner-take-all markets in the tech industry during an interview back in 2013:

In normal markets, you can have Pepsi and Coke. In technology markets, in the long run, you tend to only have one…The big companies, though, in technology tend to have 90 percent market share. So we think that generally, these are winner-take-all markets.

Generally, number one is going to get like 90 percent of the profits. Number two is going to get like 10 percent of the profits, and numbers three through 10 are going to get nothing.

You know this intuitively if you've been around tech long enough. Winner-take-all markets happen all the time in tech: search engines, social media, e-commerce, music streaming, ride sharing — on and on. The effects are pretty easy to see in retrospect.

What's harder is acknowledging the effects before they happen, especially in the markets you work or invest in. This means us, cybersecurity people.

Harder still is doing something about it: things like putting your company in a position to be number one, investing in companies who are likely to be number one, and knowing when and how to change course, salvage, or bail if you're number three through 10.

Before we get into effects, let's make a quick distinction about the differences between markets and industries.

Cybersecurity isn’t winner-take-all, but its markets are

Andreessen's 90/10 profit split might be a little extreme for an entire industry, but it's been proven accurate repeatedly at the market level. Let's translate this to cybersecurity.

As I said when making my case for platformization, "There will never be a one-ring-to-rule-them-all cybersecurity platform all companies buy from a single vendor."

The concept of winner-take-all markets is the economics side of the cybersecurity platformization debate.

The same fundamental platformization idea applies for the cybersecurity industry: there will never be a winner-take-all cybersecurity company.

But at a market level, there are definitely going to be winners. Eventually. We're talking about a decades-long process here.

Let me show you what I mean:

In ecosystem terms, the entire domain of Cybersecurity, Privacy, and Trust is too large to win. It's an entire industry, not a market.

Really big markets like Security Operations might have multiple leaders because they're quasi-industries. Leaders will win the smaller markets that roll up into the large one.

Smaller markets like cloud security will have winners.² Those winners may eventually end up being acquired by mega-cap companies in larger markets — but they're still winners and still have great financial outcomes.

Now, let's talk about how a few powerful market forces are shaping the cybersecurity industry.

Revenue concentration

Cybersecurity's current market leaders are growing at a disproportionate rate.

In winner-take-all markets, the winners (and companies who are on their way to winning) grow at a much faster rate than everyone else.

In my grocery business example, it's Walmart jumping from 38 to 1,400 stores in a decade while my family's business stayed at four. "Disproportionate" barely begins to describe the difference.

Disproportionate growth happens in technology markets, too. You know, like cybersecurity:

The reason cybersecurity's top seven public companies (the "A-List" in the chart) are now worth more than the rest of the industry combined comes down to one thing: massive revenue growth. Their average growth rates have nearly doubled the rest of the industry's growth for over a decade.

"A-list" company revenue growth topped out at 46.7% in 2021 and has never been below 20%. Everyone else topped out at 27.6% back in 2011 and has only averaged over 20% growth three times in 13 years.

The same thing happens in earlier stage markets — it's just harder to spot because private companies aren't required to report financial metrics.

Revenue is concentrating among cybersecurity's market leaders.

Revenue concentration among market leaders is an immediate consequence of disproportionate growth over a long enough period of time.

Andreessen's 90-10 theory of profit concentration is faster and more pronounced in consumer technology markets. Concentration still happens in enterprise tech — it just takes longer and has a less lopsided ratio.

Revenue concentration among cybersecurity's public companies has been happening for a while:

Fortinet, our only current A-List company who was public in 2011, had only 1.6% of the total cybersecurity industry revenue reported at the time. Fast forward to 2023, and our seven A-list companies have already concentrated 23.1% of revenue.

But wait, other companies still have over 75% of the revenue?!

Remember, there are only seven A-list companies. 51 other companies are controlling the remaining 76.9% of revenue. And this is still excluding tech companies with massive cybersecurity businesses — Microsoft, Cisco, Alphabet, HPE, and others.

Ed Sim recently shared a variation of the same concept about cybersecurity revenue concentration that included Microsoft:

I'd bet the concentration would be a lot higher than 51% if we had enough data to include Cisco, Alphabet, and other large cybersecurity business units.³

Regardless of the exact percentage we're at today, cybersecurity's revenue concentration is compounding quickly (by the long, bending arc of market time horizons, anyway). Just look at what already happened in a decade and imagine how much more concentrated it's going to be in another decade or two.

Revenue concentration leads to all kinds of other effects. Let's talk about those next.

Leverage

Larger profits and higher valuations give the largest cybersecurity companies more leverage.

"Leverage" means all kinds of things — pricing, partnerships, acquisitions, and more. Once a market leader has leverage, their advantages compound even faster.

Acquisitions are an interesting example to show the effects of leverage. Cybersecurity market leaders have multiple advantages over companies who aren't market leaders — cash, equity, and post-acquisition growth.

Here's how much cash each public cybersecurity company has on hand right now:

Cybersecurity's seven A-list companies have $17.6 billion of total cash, an average of $2.9 billion per company. All but one of them (Cloudflare) make up the top six companies with the highest amount of cash on hand. Splunk is the only other company with over $2 billion of cash, which now belongs to Cisco after their acquisition closed.

Cash is just one kind of leverage. Higher valuations for A-list companies mean the value of any equity they use for acquisitions is higher than other cybersecurity companies with lower valuations. This saves cash and gives them more leverage for other acquisitions or investments. It's a self-reinforcing feedback loop.

Speaking of feedback loops...

Feedback loops

Positive feedback loops make cybersecurity's most powerful companies even more powerful.

So far, we've been talking about effects related to money. Things really get out of hand with social effects.

The Matthew effect causes success and resources to gravitate towards people and companies who already have them. Colloquially, it's the "rich get richer and the poor get poorer" adage.

Companies like CrowdStrike and Wiz are famous for being famous. People want to buy their products, buy their stock, work there, and partner with them because they're already famous.

Another example is Okta's leadership in the Gartner Magic Quadrant for Access Management. They've been in the "leaders" quadrant for seven straight years. Positive feedback loops kept them on top, even after breach after breach ripped through the news headlines.⁴

It's called a feedback loop because outputs like these become inputs, and the cycle repeats itself. This is exactly why it's hard to overtake a market leader by competing with them directly — positive feedback loops are really strong, and they get stronger with compounding.

Talent concentrates to winners, and the rest do layoffs.

Another interesting example of positive and negative feedback loops in winner-take-all markets is talent. Talent concentrates among market leaders. Talent defects (or gets laid off) from companies who aren't market leaders.

Here's a wild stat from Cloudflare to illustrate the point. In 2022, they had approximately 400,000 people apply for 1,300 positions. That's an acceptance rate of 0.3%. Admission rates for Harvard and Stanford are both around 4%. In other words, it's over 13 times harder to get a job at Cloudflare than it is to get into two of the top universities in the United States.

The same thing goes for executives. CrowdStrike famously poached SentinelOne's Chief Marketing Officer and Chief Product Officer at the same time, using their leverage to stick it to a competitor while they were (briefly) down. Then, they literally put the executives in charge of building more advantages in channel growth and new product development, two of the biggest drivers fueling CrowdStrike's massive 2024 earnings.

The relationship between negative feedback loops and layoffs works in a similar way, but in reverse. According to Layoffs.fyi data (and my own company classifications), A-List companies have laid off 881 employees since tracking began in 2020. Other public companies have laid off 3,019 employees.⁵ Private markets are even uglier, with 5,922 employees let go by 71 different companies.

Negative network effects repel talent away from companies who aren't viewed as market leaders (or potential ones).

Let's finish by talking a bit about competition.

Competition

It's harder to IPO in an established cybersecurity market.

Late-stage cybersecurity companies are having an increasingly difficult time going public in established markets with clear leaders. This trend is still nascent, but you can start to see the signals based on cybersecurity's large-cap IPOs in the last five years.

Aside from endpoint security (the market that keeps on giving, apparently), companies who have gone public in established markets haven't lasted very long:

SentinelOne's 2021 IPO is the most recent clear example of a company who went public in a well-established cybersecurity market and succeeded. There will be others in the future, but this path is becoming more rare. Look no further than Cybereason.

Companies who have gone public in "new" markets (either markets they've defined or ones without another public company) don't have an unblemished record, but they're doing better:

Leading a market is hard no matter what, but it's a shade easier when you're viewed as one-of-one.

It's also a mixed bag if we play out this trend across the late-stage companies in cybersecurity's IPO pipeline.

For example, Wiz falls into the "new markets" group as the first standalone public company in the cloud security market. Other unicorns are competing directly in markets with established public companies, which is extra difficulty on top of the already challenging conditions for IPOs.

The path to going public in cybersecurity is heading through market leadership in new markets more than it ever has before.

Cybersecurity companies who aren't viewed as market winners get taken private.

Companies outside of cybersecurity's seven A-list performers are being taken private at a staggering rate.

In Bigger, Faster, Stronger: The New Standard for Public Cybersecurity Companies, I analyzed the cybersecurity companies from various IPO eras who have since been taken private:

In the complete history of cybersecurity, we've had 117 companies of all sizes go public. As of today, 34 companies (29%) have been delisted due to acquisition or bankruptcy. The general trend among delistings is companies who haven't established themselves as a clear market leader.

The insatiable take-private trend is showing few signs of slowing down.

In the past year, we've heard rumors of Rapid7, SentinelOne, HashiCorp, and others being taken private. Rapid7 and SentinelOne both compete in established markets with strong competitors.⁶

You're either leading the market or regrouping until you can try again.

Survivorship bias causes more people to enter cybersecurity markets and lose.

This one hit me the hardest. It's the most tragic market effect by far. From Farnam Street:

Ironically, winner-take-all markets tend to perpetuate themselves by attracting more losers. When we look at founders in Silicon Valley or actors in LA, we don’t see the failures. Survivorship bias means we only see those who succeed. Attracted by the thought of winning, growing numbers of people flock to try their luck in the market. Most fail, overconfident and misled. The rewards become even more concentrated. More people are attracted and the cycle continues.

In winner-take-all markets, the success of winners causes more people to chase success and lose.

This is how we get the 8th, 9th, and 10th new company in hot cybersecurity markets. Founders and investors see success, and they can't stop themselves from trying to replicate it. By the time a market is getting a ton of industry hype, it's probably too late.

You don't need to be the first mover, but cybersecurity's markets are efficient to a point where it's difficult for a multi-year, multi-million dollar head start to be overcome.

There can be only one

I'm not sure how long cybersecurity's winner-take-all market dynamics and their effects are going to take to play out. We're probably talking about a decades-long progression here, but it's inevitable.

Market dynamics like these can't be avoided. It's better to understand and accept them than to ignore or deny them.

Cybersecurity has unique characteristics, but so does every interesting industry. Taking a contrarian stance against widely proven market forces happening in cybersecurity is an option, but probabilities are working against you.

If you're daring, you can take the bet — but do it with a clear understanding so you know which rules to bend and why.

In the end, there can be only one (NSFW).


Acknowledgements

Thank you to Logan Bartlett at Redpoint Ventures for casually dropping the timely 'there can be only one' comment in my Data Security Posture Management (DSPM) post on LinkedIn last week. It's a fitting way to end this piece.

Footnotes

¹This story isn't intended to imply the family business could or should have been Walmart, nor that anything Walmart or other large retailers did was unfair. It's just the best way I can think of to illustrate a visceral lesson in my life.

²An estimated ~$30 billion market size for cloud security isn't even small, but the point is it's much smaller than the overall infrastructure security market.

³Unfortunately, we don't. Large public tech companies aren't required to break out revenue by business units, so we have to rely on metrics they voluntarily report at random time intervals. Some never volunteer to share security business unit revenue, or share it with serious questions about the math behind the calculation.

⁴Okta has been on the receiving end of negative feedback loops, too. It's definitely one of the causes behind their new customer growth stalling over the past two years.

⁵This data excludes layoffs at Cisco. They're a large, diversified technology company, so attributing layoffs to their security business unit isn't possible. The data does include Splunk since their layoffs were done before the acquisition by Cisco closed.

⁶HashiCorp is the "new market" exception here, although you could argue they compete directly enough with CyberArk to be viewed as an established market player.