It seems that every week a new cybersecurity vendor appears on the scene. How can all of these new vendors be creating new solutions to existing threats?
Every day we see vendors with no clear differentiation from one competitor to the next. Are vendors appearing because the barrier to entry is low?
Are they appearing because they see the success of other vendors and decide to copy that model?
In this article we take a look at the world of cybersecurity vendors, at the countries producing those solutions and at the layers within cybersecurity, to see what patterns we can spot.
The number of vendors we are looking at
We took a random sample of 3000 vendors in the cybersecurity space around the world and looked for some common trends.
Of these 3000 vendors, 1652 are US based, but that doesn't necessarily mean they were created in the US. A good proportion were started by non-US nationals and incorporated in the US because of the market size, and a good number were developed outside the US in places such as Israel and India.
318 of the vendors were formed in Israel, which is punching well above its weight for the size of the country.
271 vendors are based in the UK, which is far fewer than Israel once you account for the relative size of the two countries.
Germany is home to 83 cyber vendors that are mainly coming out of Berlin and Munich.
There are 49 vendors in the Nordic region (Norway, Denmark, Finland and Sweden).
Australia and New Zealand are home to 43 cyber vendors and Singapore has 23.
So why such major differences between regions?
Why does the US have so many more solutions vs the rest of the world?
The answer lies in the amount of capital floating around in the US and the low barrier to starting an investment-backed software company there. With North America home to over 1400 startup incubators compared with around 900 in Europe, it appears that starting a company is easier in the US than in Europe, with more access to startup equity.
The US is the biggest tech producer in the world, and people relocate from their home countries to start companies there purely on the basis of market size and the opportunity to access further funding. The vendors with the largest marketing budgets and the widest partner reach are the ones that win the race now. We come back to this later in the article.
So why all these cyber security vendors?
Cyber is one of the fastest-growing sectors within software, with a market size of $167B and a compound annual growth rate of close to 11%. Everyone wants a piece of a market that just keeps growing.
Looking at the market as a whole, we have layers within cyber security. Those layers consist of:
- Mission critical assets
- Data security
- Endpoint security
- Application security
- Network security
- Perimeter security
- The human element
Of these layers, a high proportion of the vendors fit into the category of application security. Is that because everyone now has web applications and it's a genuine need, or is it something else?
Look at the market and you will see vast numbers of vendors that specialise in DAST (dynamic application security testing); there is at least one per country. On the other side of the coin we have the SAST (static application security testing) and IAST (interactive application security testing) markets, where there are very few vendors.
So why is everyone choosing to become a DAST vendor and not a SAST vendor? The two hold similar market share, yet there are significantly more vendors in the DAST space than in the SAST space.
The answer is that most of these solutions are built on the same open-source technology, OWASP ZAP. The barrier to entry is very low: all that is needed is a shiny front end driven by the engine of the open-source scanner. This creates a problem. There is very little differentiation between the roughly 50 solutions in this category. Most of them are new players (on the scene from 2017 onward) and all of them add the same functionality that the open-source version does not provide: reporting, scheduling, user management and integrations.
What does that mean for the space?
It means that the market is flooded with "me too" solutions where the only differentiator is price. Most of these vendors sell through the channel and are trying to use the same partners.
The ones that win the partner are the ones that support the partner better than the next vendor.
There is no clear differentiation in the solutions, so the differentiator needs to come from somewhere else.
The vendors that opt to create the easiest and smoothest partner experience and have the strongest marketing presence are the ones that win in the space. Not the one with the best technology.
If we look at the vendors that thrive in the dynamic application security space, we have the likes of Rapid7, Qualys, Tenable and Fortify WebInspect: all companies that were early to the market and have mature partner channels. Those channels have been grown over a long period, and now the new vendors are coming through and differentiating on price, which means less margin for the partner. Why would the partners move?
The answer can only be from the human element and ease of transaction.
End users could, if they wanted to, use OWASP ZAP for free, and it would give them largely the same results as most of the commercial scanners. A quick way to check this for yourself is to run ZAP against the same target as the commercial tool and compare the alert names, descriptions and reference links: a rebranded ZAP engine reproduces them almost verbatim. So why don't end users do this?
Support and ease of use are the answer. OWASP ZAP is typically hard to use for a non-technical user, whereas the commercial versions are built to integrate with existing processes, which they all do. Support at partner level and vendor level for the commercial versions is the main differentiator.
This is not only the case for the application security layer; it is the same across the board. Vendors are taking solutions from the open-source community that are licensed under Apache 2.0 or MIT and branding them as their own. There is nothing wrong with this, provided the licence terms (retaining the copyright notices and, for Apache 2.0, the NOTICE file) are honoured, but it does create a market full of tools that do exactly the same thing.
Web application firewalls are the same story. Under the hood it is open-source technology reworked by the vendor.
It is said that we will have 10,000,000 vendors by the end of 2030. How original could those vendors be? How many of them will be "me too" solutions? And how are they going to survive when they come up against every other vendor doing the same thing?
What we are seeing is that the "me too" solutions tend to perform well in their own region because they are the "home grown" option. Push that vendor outside its own market and it becomes a battle against the same solution made in the country it wants to penetrate.
Could this mean that we are going to go back in time to where people buy local and boycott the rest of the options?
The introduction of marketplaces means that these new-entry "me too" vendors are going to be low on the list of solutions wanted globally, lost in a vast array of other vendors. Funding is the only thing that is going to give them awareness.
Decline of the VARs
It is said that value added resellers are diminishing in favour of MSPs. These MSPs generally offer only one of each type of solution so that they don't have competing solutions in their portfolio. Who is going to sell these new solutions to the market if the VARs disappear?
Would all emerging vendors sell directly within their own markets?
What we see is that the channel partner type is regional again. When we look at Southern Europe, LATAM and South East Asia, a lot of suppliers are still VARs rather than MSPs. The answer could be to bring the emerging vendors to the emerging markets, but this still has the problem of the same solutions flooding into specific markets: the solutions will be devalued on price as they all fight for the same customers.
That is a blocker on going global, since the current route to market is via partners in the country the vendor wants to sell into. If the VARs disappear and the number of solutions far exceeds the number of MSPs, then we are looking at trouble in the channel for the emerging players.
On the other hand, the vendors coming through with unique technologies, built from the ground up, are finding it much easier to enter foreign markets because of the "first to market" advantage.
How many of the “me too” solutions are going to be in the market in 2030?
How are they going to differentiate?
Is the market too flooded with technology that anyone can build with a little coding experience?
All of these questions are going to be answered in the next ten years. What are your views on this?
The bubble will likely burst at some point, and the vendors with unique offerings will be the ones that thrive.