Apparently, there is a massive cyber-security market waiting just 'round the corner this year. Or was it last year? Or was it the year before that? The perennial theory is the cyber-security market being on the verge of blowing up due to consumer demand. I have a much more dire synopsis. What the market currently is, is what we will always have; relatively speaking.
I know this is a fairly bold assertion. I say "relatively speaking" because general marketplaces have the tendency to grow as population and wealth grow. Specific marketplaces, such as the one from the old buggy whip story in "Other People's Money" can shrink or expand depending on current technology/desires. Danny DeVito used the "buggy whip" parable to illustrate obsolescence destroying thr company he was brought in to liquidate a la Bain Capital. If you haven't seen his speech to the stockholders from that movie, go watch it now. I'll wait. Okay, are you back? Good. Moving on then.
While I was doing a podcast, SAHASays, I stammered into an analogy about starting a business for the homes in my neighborhood I thought neatly explained the current cyber-security market. When I grew up, all of the houses I saw had some sort of screen door. However, my current house does not have one. The last one I lived was also absent a screen door. Then, I looked around at the houses near mine. Surprise, surprise - they had no screen doors either! My first thought, being the Devil's advocate that I am, was, "My God, the screen door market here must be huge since there are none on these homes!". Immediately I suggested we change gears from cyber-security to screen door sales. The homes would clearly benefit from the addition of such a door. It allows for a breeze through the house. You can have the paperboy put your dailies between the two doors. Oh, the possibilities!
Sad to say, this venture was failed from the start. Even though there are benefits to having a screen door on their houses, no one wants one. Barring the aesthetic reasons, my neighbors simply don't think they need one. Any perks they receive are not worth the cost of the purchase. It didn't matter how many marketing slicks I had. No sale. I tried showing them my shiniest doors with all sorts of bells and whistles. No interest. I even tried to bundle every door sale with maintenance and training on how to use said door. No takers. Then, I went on the speaking circuit, touting the overall necessity of screen doors. Still, no phone calls. Finally, I phoned my congressman, demanding screen door mandates. The chortles on the end of the line suggested my demands wouldn't make it on the agenda.
My screen door fallacy is actually a very apt way of explaining how the cyber-security market has evolved over time. We started with seeing an obvious issue, every one needs some level of our service. We tried to explain to them how much they needed it. After the explanations failed, we moved on to jazzing up the offering with items like "we'll do it for you". Then comes the lecture circuit, where we all slap one another on the back over our own technical prowess and chat about how bright the future looks. Those clouds forming on the horizon? Don't worry about those. They'll break up before they hit us.
My belief, is we have an imbalance of capital in the cyber-security field. The accessible money is heavily on the company and product creation side instead of the direct consumer side. Due to the complexity, and relative newness of the field, it is easy to pair an engineer with a technical sales person with the goal of pitching a novel idea or platform. The sales person gives a beautiful overview. They make the potential investor feel comfortable in the room. Once the talk turns to "how does your product work?", the engineer is there to plow enough facts down their throat to halt any further doubts. Both engineer and sales assure the investor that this is a growing market. They pull out reports stating "Cyber-security market to grow by infinity billion dollars by year 2XXX". The investor hears a good pitch, sees an incredibly technical solution, and decides to plow their money from selling .com domains in 1999 into this new market.
The imbalance noted above, explains the hiring free-for-all for security engineers. All of these new companies need labor, as do existing companies when pushing a new product.What happens when the promises of an expanding market never come to fruition? Security engineers are expensive. Maintaining a team of good security product developers is an even greater cost. When the invoices don't come in, and the investor needs to do a cost-benefit analysis, they are going to correct that mistake. No one wants to lose all of their money. Most hate losing even the first dollar.
The key to success in any venture is a consistent separation of a consumer from their money. As it has been in the past, it is very difficult to get a client to make room in their budget for your new security product or service. Currently, we have the additional over-investment driver that comes along with being the "best option available". Out of all the options for investment returns right now, funding a new product line or start up looks better to a large swath of investors than the alternatives. Get the company, sell the company. Does anyone remember the game of hot potato we played with the subprime mortgage market? The first groups in line were able to pass along bad paper to the next groups. Last firm in line bore the cost of not having any value in their investment. This is the same in the cyber-security market.
While we have several good companies and products in our field, those items need clients willing to fork over their hard-earned dollars. If no one is buying the peace of mind we are selling, it's the same outcome as owning portions of worthless mortgages. Sure, there are different reasons that the investment is worthless, but the result is the same.
I'm not trying to assail my entire industry with accusations of malfeasance. The only thing I am outlining is an increased need for business discipline. The traditional investment model incorporating whether or not the company you wish to buy has the correct formula for separating customer from cash needs to remain the largest factor in your decision. If you are not tech-savvy, make sure you have access to a good technical adviser who specializes in cyber-security. They will be able to tell you if what you just heard had merit and marketability. Getting such an adviser who also has a bit of business and sales background is even better.