Why TAG is Now Rating Cybersecurity Vendors
by Edward Amoroso
The first time I ever paid attention to an analyst quadrant – fully two decades ago – I found myself quite pleased. What I saw was that the Managed Security Service (MSS) my team was operating at the time for AT&T had been positioned at the top of this two-by-two analyst grid (see below).
Being highest-up on their playing field, above all those losers, meant that our “ability to execute” was unmatched. And that’s what I wanted my own management to fully recognize – namely, that my team was executing. Thanks, Gartner. Respect.
But I soon found myself in that uncomfortable spin cycle of having to keep our little grid dot up-and-to-the-right, whatever that meant. To that end, I soon learned that the process was both highly unscientific and severely prone to bias.
And the more I tried to distance myself from what seemed an arbitrary ordering in the grid (actually, the grid implies a lattice), the more I kept getting pulled back in – mostly from Gartner’s marketing hype engine. Ugh.
Founding TAG
Skip now to 2016, when I retired from Big Telecom with a vision to disrupt. In fact, this was the defining purpose of TAG, the company I’ve been running now for almost nine years: We sought to disrupt and reinvent how industry analysts provide guidance to buyers on commercial cybersecurity vendors.
I think we’ve done that – even though it’s involved a bit more zigging and zagging than I’d ever expected. I’m pleased now to tell you about something new that we are doing – namely, Cybersecurity Vendor Ratings.
TAG Research as a Service (RaaS)
When I started TAG, I promised myself that I’d never do quadrants. I lampooned, for example, Forrester, which had created their Waves, which looked like Quadrants, but with slightly different shapes. They’d gone the ole’ if you can’t beat ‘em then join ‘em route.
And despite the fact that Gartner and Forrester report revenue in B’s, while we count our measly TAG Benjamins in M’s, I’m still glad we’ve been able to avoid this trap.
Instead, we offer reviews, guidance, and insight on cybersecurity vendors for our TAG Research-as-a-Service (RaaS) customers – and we package this information on a private portal. It’s an exclusive little club, which you are welcome to join, by the way!
Here’s a peek at what the portal home page looks like.
Over time, we found it helpful to review vendors in a more structured manner using our new TAG Navigator. Invented by the capable analysts who’ve been with us over the years, this Navigator is built from subjective determinations we make on vendors across ten factors.
Our development team at TAG, of course, started generating graphs of these Navigators (as spider charts), and the graphs were then quantified (using a modified Likert scale), and the numbers then compared (simple ordering), and yadda yadda yadda – before you know it, we were ranking vendors.
Not on a quadrant, mind you – but definitely on an ordinal scale, where vendor A will have a higher, same, or lower number than vendor B. It’s just how the thing evolved. I think it works – and I’d like to tell you more.
TAG Cyber Vendor Ratings
To start, it was easier than we’d expected to break down the cybersecurity industry into logical groupings – twenty in total, each with five subcategories.
For example, authentication is one of the twenty groupings, and its five subcategories include biometrics, MFA, passwordless authentication, password management, and SSO. It goes on and on for nineteen other similar groupings. Here is what it looks like in the portal:
From this breakdown, we were able to map roughly 4600 commercial vendors to at least one subcategory. For example, in the passwordless authentication subcategory, it was easy to map seventy-two (yes, 72) vendors who claim to support this requirement, in some way, shape, or form.
But we have quickly learned that sharing this many options with a busy security team is almost as bad as sharing no options – hence, we began to focus on creating our now-named TAG Top 5 in each subcategory.
In case you were wondering, Microsoft, Yubico, HYPR, Trusona, and Beyond Identity are the TAG Top 5 for passwordless authentication – a critical tool for addressing MFA phishing. The choice of which vendors belong in this TAG Top 5 was simply a matter of reading the TAG Navigator values we’d computed for each – and this is done on a 1-through-10 scale.
Our rubric follows that of your toughest math teacher in high school: Very few get in the 9’s, be proud of your 8’s, nice job with the 7’s, and 6’s should work harder. And yes, 5 and below are basically fails. Here is what the TAG Navigator looks like for Yubico:
I should discuss our bias: We have barely met with Yubico over the past few years, but our analysts have extensive information as buyers, users, and reviewers of their solutions. We’ve never taken a dime from this vendor, and I suspect when they read this article, several in their company might even say TAG-who? (OK, they probably know us, but you get the idea.)
How We Will Share the Top Five
Our plan for sharing the TAG Top 5 in each category will be as follows: Obviously, the many enterprise security teams who currently subscribe to our TAG Research as a Service (RaaS) will receive one-hundred detailed reports on the Top Fivers in each category. The reports will include descriptions of the area, overview of the vendors, and summary information such as in the picture below:
In addition, any vendor who agrees to license the report in which they are included can share this on their website or social media to let you know how much our TAG team likes their solution. (Our license fees, by the way, are golf ball-sized amounts compared with the beach ball-sized amounts charged by those older legacy analyst firms.)
We hope that many, many vendors choose to license the reports – which will help to make the reports ubiquitous across the public Internet. Hint to vendors: This is a good deal. You should do this.
But if they don’t – well, then you are 100% welcome to join our TAG community. If your enterprise security team might have some interest, I will personally meet with you to discuss our support. Just drop me a note in the comments – or you can contact me at [email protected].
I hope to hear from you.
Deputy Chief Information Security Officer, SVP at Flagstar Bank
2 days ago: Very nice to see you doing this!
Principal Advisor at Cybersecurity Grant Advisors (dba Cybersecurity CMMC Practitioner|Assessor Advisors)
3 days ago: I think you should start a rating system for RSAC vendor swag. Suggested categories: most boring, most innovative, most inscrutable, most|least useful, etc.
CISCO Systems
3 days ago: love this idea Ed!!
Sr. Manager (IAM Leader) at IBM Security Services
3 days ago: I like the idea...
Retired
3 days ago: Wisdom right here!