The cybersecurity market is heading for a reckoning without serious adjustments to marketing strategies. Recent reports, including one from Dimensional Research, showed large enterprises are planning significant cuts in budgets for security tools and services. Moreover, the vendors facing those cuts are ill-prepared to absorb them because they have ignored the largest segment of the market, small-to-medium enterprises.
Fortune 1000 companies represent $122 billion in revenue for security companies, while SMEs are less than a quarter of that according to Statista. But while large enterprises are considering cutting budgets, the SME security market has been growing at 8 percent CAGR since 2021.
What makes SMEs unattractive as customers is the difficulty and cost of making a sale. Large enterprises are low-hanging fruit. They have large budgets allowing them to buy any tools or services “just in case” they are needed. But according to the Dimensional Research study, more than 90 percent of those tools are little more than “shelf-ware”. Large companies lack the personnel to implement and maintain the tools. Many of the tools in inventory came through mergers and acquisitions and are incompatible with products in current use.
SMEs lack large budgets and ask harder questions than big customers do, such as: Does this solve my specific problems? What kind of manpower do I need to incorporate it? Can you document its effectiveness? Possibly the hardest question asked is, “Who are you again?” These are hard questions for security companies to answer because of under-investment in marketing beyond sending out AI-generated press releases.
Identity Access takes first hit
The industry sector facing the initial hit may well be identity access management (IAM). Various reports say IAM represents the single biggest expenditure of large companies for security tools and services, as much as 40 percent of average budgets. There is a good reason for that. More than 80 percent of breaches in 2022 were identity-related, according to the Identity Theft Resource Center. Dimensional Research reported that 52 percent of all companies are managing more than 10,000 identities in their systems including employees, customers, partners, and machine identities (RPA, bots, etc.).
Protecting and vetting identities is not easy. Even though most companies (96 percent) say they have 10 or more IAM tools in operation across different systems, 32 percent say they have additional tools that are not even “unboxed”. Of that group, 9 of 10 were still impacted by identity-based attacks and almost 80 percent reported that “better tools would have mitigated the impact” of those attacks.
But that’s for large enterprises. Small to medium companies also struggle with identity attacks, but because they average fewer than 100 identities to manage, the argument for IAM budgets is weak.
SMBs are untapped market
Richard Stiennon, founder and chief analyst for IT-Harvest, said SMBs are the biggest untapped potential market for cybersecurity. “It’s untapped because you can’t find them.”
Stiennon said every business needs to be concerned about some security, whether it is a bowling alley or a building contractor. They won’t have a LinkedIn page. Their website may have a contact address for the company owner or president. The only contact you’ll have is the president of the company.
“So you call the president of the building contractor. And you say, would you ask if he wants to buy a firewall? And he says they aren’t building any firesafe rooms today, so, no, I don’t need a firewall. It’s impossible to sell directly to them.”
That’s why small cyber companies sell to Fortune 1000 companies. It is just easier to do.
Stiennon is seeing many new companies getting funded that are going after the SMB sector. He said the owners and operators of small companies use Instagram and Facebook, but they’re not going to be looking for security. You have to somehow identify them as business owners and start hammering them with a message.
Where the money is
One company following that pattern is Fletch. Founded in 2019, the company uses artificial intelligence (AI) to identify threats before they attack specific systems. Using their tool, a company can see where their weaknesses are well in advance of an attack and take steps to block hackers and malware. The company has penetrated the security markets in 18 countries and has raised close to $30 million in Series A funding.
Grant Wernick, CEO of Fletch, said with that kind of information an SMB doesn’t need much in the way of specialty tools like expensive IAM packages. “They can just get started with Microsoft SSL or Google SSL. And then run LastPass or 1Password.”
Stiennon concurred. “Small businesses wouldn’t have need for more than seven tools on the market today. More likely less than that.”
Rising tide, sinking ships
The coming tide of budget cuts is happening at large, well-known cyber companies. Rapid7, Secureworks, HackerOne, Dragos, and Bishop Fox all announced double-digit layoffs in August. In July, Qualys (NASDAQ: QLYS) stock was downgraded from buy to hold because it revealed that 97 percent of its revenue comes from current customers. CrowdStrike (NASDAQ: CRWD) was downgraded this week as analysts saw minimal prospects for growth.
Stiennon pointed out that large cybersecurity companies, like CrowdStrike, are moving to broadcast advertising to break through to decision-makers in the Fortune 1000 group, which significantly increases the cost of customer acquisition. That might be a mistake.
“If you look at the total addressable need, there’s an infinite pool to draw from,” Stiennon said. “The key is finding the people who will benefit the most from your product. It’s not blanket the world and it’s not only going after Fortune 1000. It’s the niches. It might be education. It might be state and local government. It might be manufacturing. And you dominate that before branching off into the other niches. Your product doesn’t change whether it is automotive or oil and gas. You have to hire expertise in your target market that can build those relationships. The problem is it takes longer.”
The longer sales cycle is a problem for cybersecurity companies. They are following the pattern of the Electronic Design Automation (EDA) industry 30 years ago, looking for cheap and fast solutions and hoping customers will pay attention to them. For several years the fear of getting breached overrode fiscal responsibility. But EDA has still not completely recovered from that downturn, basically because it did not learn that cheap and fast excludes effective. That lesson still needs to be learned by the cybersecurity industry.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.