Why is the Cyber Security Industry Addicted to Marketing?

The world’s largest cyber security firms spent startling amounts on sales and marketing last year, allocating 41% of revenue to their commercial activities. Indeed, some companies exceeded 50% and even 60%. When compared against other B2B tech firms such as Cisco (19%) or Microsoft (17%), it’s clear that the cyber security industry is somewhat different in the way it carries out its business.

A brutal investment in persuasion

These are the top six cyber-security focused firms who submit publicly available annual reports. We can see they have a combined revenue of $9.8 billion, with a sales and marketing expenditure of $4.1 billion.

Top six cyber security firms by revenue FY 2016/17

Given the $90 billion or so spent globally on cyber security in 2017 we can estimate that somewhere around the $25 - $35 billion mark was spent last year convincing you to buy more cyber. That's up to $110 million per day in sales and marketing.

What is it about the cyber security industry that necessitates such a brutal investment in persuasion?

Cyber is a complex sell

Cyber security is the newest item on the boardroom agenda, and due to the media frenzy every time there’s a breach, it’s also the item where everyone wants to be a stakeholder. Indeed, with ‘cyber’ straddling security, IT, risk and compliance, there are multiple business areas that need to agree a purchase decision, which can make the sales process long, complicated and expensive (put your violins away).

It’s also worth considering that a cyber purchase is often made with a whole new budget, which generally comes under more internal scrutiny than a straight vendor swap, which again can slow down the sale and make it more costly to the vendor.

Nothing sells like New

Furthermore, the unspoken truth is that highly publicized breaches are generally considered a godsend to the cyber-security industry – indeed in the aftermath of WannaCry, cyber-stocks spiked by as much as 15%. It’s something of a paradox that the very events stopped by cyber actually serve to drive the industry forwards.

The only problem is, there aren’t enough high profile breaches to maintain the growth momentum to which investors in cyber companies have become accustomed. News cycles are short, and corporate focus quickly moves onto something else. This is where marketing steps in, filling the gaps between real breaches with ‘new’ threats that absolutely-must-be-stopped-immediately. Occasionally these are worth consideration, but the reality is that these are often simply existing threats with a new badge, or some obscure vulnerability that is only replicable under lab conditions. Still, $110m per day buys you a lot of influence, and these marketing-led devices are highly successful at driving the agenda. Indeed, the World Economic Forum at Davos recently proclaimed ‘cyberattacks’ as carrying greater impact than food crises, ecosystem collapse and the breakdown of government.

World Economic Forum Risk Report 2018

Lots of ways to skin this cat

What makes cyber security marketing so interesting is that lots of fast growing firms, all with a different approach, are spending a lot of money to convince you that they have the right answer ahead of all others.

The right answer, as any CISO will tell you, is a blended approach - five high-level buckets spanning Predict, Prevent, Detect, Respond and Recover. Firms cannot simply buy maturity in all these – and even if they could, likely couldn’t afford to anyway. Cyber budgets are limited, and in the face of incessant marketing and the power of ‘new’, firms often struggle to determine which bucket to allocate resource to – let alone decide which vendor is right for them.

In an immature and high-growth industry, marketing has become a disproportionately key influence in this decision-making process. In today’s cyber-market, the louder you shout, the more you will sell.

The cyber-security industry is heavily VC-backed

A look at the finance structures of much of the industry is also telling. Every sub-category of the cyber industry is crammed with similar VC-backed businesses that are in a zero sum game – a literal race to either success or failure. Those that cannot capture customers quickly enough will fall by the wayside as the market matures – leaving their investors with nothing. Those that ‘make it’ will repay the investors many times over. Against this backdrop it is clear why some cyber security firms are encouraged to spend so much on sales and marketing – to not do so is to be left behind, thus putting the entire investment at risk.

A look to the future

The cyber security industry is growing quickly, and to summarise the points raised here, new business is expensive business regardless of the industry. Furthermore, cyber's finance structure, along with its reliance on new threats and solutions means that continual marketing is, for now, a cornerstone of the business model for much of the industry.

As the cyber security market matures, new business will transition across to customer maintenance, leading to a reduction of sales and marketing expenditure as a proportion of revenue.

For now though, the addiction is real.


This article first appeared on petercohen.me

Because they sell to enterprise execs

Andrew G.

WolvMarine. IT Audit leader. Auditable process whisperer. I ask and discern why and how and translate complexity to understandability across business and IT. Information sharer. Computer nerd since 8-bit days.

6 years ago

You hit the nail on the head - addiction...

competition is fierce; products undifferentiated; R&D dollars do not necessarily sit in the same pocket as Marketing budget therefore no tradeoffs can be made between various spend types; R&D is about the future; Marketing is about the next quarter. And yes clients are getting wiser and more sceptical; they need to be persuaded of the benefits of solution (a) v solution (b); they are at the C level less interested in the direction of travel of the solution as the immediate problem they are trying to deal with today - the better the marketing (e.g. detailed CBA / cost benefit analysis) the easier it is for a customer to prepare a business case. And share of mind today is more valuable than share of mind in two years' time. Whether marketing 'deserves' 2x on R&D is less clear. More needs to be invested in R&D, for sure.

Fernando Montenegro

Observing cybersecurity trends and dissecting those into meaningful insights and advice.

6 years ago

Have you read Ian Grigg's paper Market for Silver Bullets? Good description of market dynamics that applies to security.

Diana Candela, MD.PhD.JD.FEMA.DHS.NIMS.ITIL

NOT SELLING. NO PURCHASING AUTHORITY. RETIRED.

6 years ago

My guess is that the money for R&D doesn't magically appear. You need to sell to make money to invest in R&D. You need to market to sell.
