• Return on Security
  • Posts
  • The News of the Death of Cybersecurity Analyst Firms is Greatly Exaggerated

The News of the Death of Cybersecurity Analyst Firms is Greatly Exaggerated

Dive into an exploration of the rumored decline of industry analyst firms in the cybersecurity realm and discover the nuanced realities behind these critical market influencers.

Introduction: Debunking the Myth

I’ve noticed an idea around the demise of industry analyst firms has gained some popularity with some cybersecurity community groups.

For many in the community, this feels true because of the rise of security practitioners sharing their insights and experiences by way of blogs, videos, conference talks, newsletters, and social media. This made sense as someone who works independently in this field and sounded great. 

By the way, you should subscribe to my newsletter to keep up with cybersecurity market trends, funding, and M&As.

But as excited as I got when I first heard the argument, that excitement was quickly replaced with question marks. The argument felt incomplete, and I wasn't the only one who felt that way. 

There are several social media posts on this topic, and within them, you can see a firestorm of debate in the comment section. Reactions to the idea of analyst first going away can range from strong agreement to disbelief, a bit of incredulity, and even some name-calling.

While the strong responses don’t surprise me, what often surprises me is how different and opposed the reactions are. Some believe analyst firms have become outdated, while others couldn’t imagine working without them. Social media can be good at surfacing and highlighting divides on any given topic, and the feelings about the future of industry analyst firms in cybersecurity were no different. 

I suspect the truth of the matter lay somewhere in the middle. Having worked in large, established companies and startups at various levels, I knew there was more to this story. This led me to think more about industry analyst firms, the role they have played in the cybersecurity field, and why the opinions about them vary so much.

Has the influence of industry analyst firms truly waned, or are we just witnessing a divide that has always existed? In this piece, I attempt to explore some of the nuanced realities of analyst firms and their relevance.

Cybersecurity: A Complex Industry

Cybersecurity is a complicated industry. As I’ve written about before in On the Art of Selling to Cybersecurity People, I give a glimpse into what cybersecurity practitioners often face.

The field of cybersecurity is characterized by several distinct challenges:

  • Daily news of attacks, breaches, and failures: A constant stream of security incidents keeps the industry on its toes.

  • Overwhelming solution options: Thousands of potential solutions vie for attention in an already crowded market.

  • Psychological marketing tactics: Strategies leveraging fear, uncertainty, and doubt (FUD) create a high-stakes buying environment.

  • High-stakes decisions: The combination of marketing and real risks contributes to a pressured decision-making process.

  • Skepticism among practitioners: The saturation of marketing leads to an underwhelmed, skeptical, and sometimes reluctant audience.

Practitioners across the spectrum of company size have to sift through a lot of noise to get to the information in the cybersecurity industry. 

The adversaries practitioners go up against and the problems they try to solve are unlike any other. It’s hard to come by a field where you pour money into fixing a problem that only gets worse over time and requires even more money. Add onto this the fact that if cybersecurity practitioners do their jobs well, no one is any wiser. 

As a result, cybersecurity has higher stakes than other fields and a driven need to be right.

This leads me to look further into the dynamics of enterprise technology decision-making, and a key question came to mind:

How do companies find, evaluate, and purchase cybersecurity technology? 

How companies acquire technology and make decisions has evolved significantly over the years, influenced in no small part by analyst firms.

Central to this conversation is none other than analyst firms like Gartner. It’s hard to overstate the impact of Gartner on this buying dynamic, so let’s turn back the pages to see the origin story.

The Golden Age of Analyst Firms: A Look Back

Gartner's Origins and Rise

Gideon Gartner founded his namesake firm in 1979, setting off a ripple that would turn into a tidal wave of influence across the tech world. The company rapidly became a beacon for IT research and advisory services. 

In the last four decades, Gartner has expanded its reach across 100 countries, with a customer base of 73% of the Fortune 1000 and 77% of the Global 500.

Their growth and industry influence has been consistent, as evidenced by their reported revenue:

  • 2020: $4.1B

  • 2021: $4.7B

  • 2022: $5.5B

  • 2023: $5.8B

The Gartner Business Model Unpacked

At its core, Gartner's (and all analyst firms) business model sells confidence in decision-making.

This includes:

  1. Research: Reports on various sectors with insights into trends, challenges, and opportunities.

  2. Consulting: Specific advice based on Gartner's research and expertise based on companies that look and feel like yours.

  3. Conferences: Where new research is unveiled, businesses can network with peers and technology providers.

  4. Peer Insights: Reviews and ratings of software and services by business professionals.

This multi-pronged approach allows Gartner to cater to diverse clients and industries.

Gartner's Significance

Gartner's influence lies in their research methodologies, frameworks, and visuals. Armed with its lists of "Cool Vendors," the "Magic Quadrant," and an ever-growing number of acronyms.

These kinds of charts alone were where many enterprise technology buying decisions started and stopped. In many organizations I have worked in, if whatever technology you're evaluating was not on a Gartner chart or report, you cannot pass GO and collect $200.

Even though most security practitioners know that the Magic Quadrant or any new acronym research report from Gartner is "pay-to-play," companies still find them useful for industry navigation. It’s a “known known; things we know we know,” and the industry deals with it anyway.

It’s the Process, Not the People

It’s worth noting that the conflicts I mention here are not about the people and individual analysts doing the work at analyst firms. Instead, it is about the inherent conflicts of the business model of analyst firms themselves.

It's more apt to say that the mechanics of analyst firms make what they do sometimes a conflict of interest by nature. Vendors and startup founders will pay for analyst reports favoring their solutions over others and will commission new categories and new buzzwords to be created, and this is typically where the rub is with security practitioners. Too often in the past, this combination of activities has created cycles of marketing gimmicks, which creates confusion and FUD for buyers to wade through.

It's more about the business model and less specifically about the people doing the work. I believe the people doing the work are trying to do it well and without bias.

Gartner has also positioned itself as the bridge between technology providers and consumers. Their conferences, attended by tens of thousands globally, offer a platform for networking, learning, and technology showcases, further solidifying their position as industry leaders.

These conferences are almost always attended by people who work at large firms. Let’s explore why that is.

The Great Gartner Paradox

Big Companies Love Gartner

Larger companies have different challenges and demands and require a whole other set of skills. 

Many large companies rely on cybersecurity vendors to inform and drive their cybersecurity program strategy. Larger cybersecurity programs think about their strategy regarding cybersecurity frameworks like the NIST CSF, regulatory requirements like PCI DSS, and a broadly balanced, defense-in-depth set of security capabilities.

Larger companies really care about peer comparison. 

How is XYZ bank’s cybersecurity program in terms of maturity, headcount, and spending to ABC bank’s cybersecurity program? What areas are my peer set of companies spending in that I am not? What does our cybersecurity program need to close this gap?

Countless hours and dollars get spent with market research firms and industry groups on finding the answers to these. Sometimes this is driven by the CISO, but the executive team and the board more often drive it. More budget dollars for cyber programs get allocated this way than many realize in a Keeping Up with the Joneses capacity.

On the one hand, this lets larger firms grow their cybersecurity budgets, tools, and teams, allowing them to go much deeper into the industry, creating niche disciplines like Detection Engineering, Purple Teams, and Malware Reverse Engineering.

On the other hand, this very same coverage and range that allows large companies to go so deep also binds them to need external help. Security decision-makers at large companies have precious little time to sort through all the various bits of research, whitepapers, and webinars to discern what is “good” without help. Much like "expert networks" have taken off for the investment community to distill insights they could not find otherwise, analyst firms bridged a gap.

For Fortune 2000 companies, the value of analyst firms like Gartner is significant. These companies are complex machines with a lot of people making decisions. Choosing a tech vendor or adopting a new technology isn't simple math; it's multivariable calculus

Lage companies are fraught with political, operational, and financial bureaucratic complexities. In the large company world, decisions around technology can involve intricate calculations and risk assessments.

Analyst firms can facilitate connections that some companies would otherwise struggle with. All a Gartner customer needs to do is make a request, and their reps hit the ground running to find other clients or analysts that meet the customer's needs. Analyst-approved and backed answers offer a seal of approval that helps security leaders at large organizations navigate their internal company red tape and win favor.

And yet, despite Gartner's undeniable success in the industry, there is a big divergence in how people feel about them.

Some may see this as an age or generational divide. The more senior and established a person is in their career, the more they may find value in or rely on firms like Gartner.

It's similar to the old saying I have heard 100 times in my career:

No one ever got fired for buying IBM.

Although it was never an official tagline of IBM, it captured what it meant to work in tech at large companies. It created a technological hedge and an ingrained mindset for decades.

This Hacker News post sums it up well:

The thing about "nobody ever gets fired for buying IBM" is that going with an unknown alternative is a risk to you personally and most of the benefits go to the company. When you over-spend on a well-known brand, the company suffers the costs and they barely even notice. The only time they care is if something goes wrong, and then they want to know why you chose an unknown brand.

IBM and companies like it became the "safe choice" in the corporate world. The safe choice is obvious for people who want to avoid risking it all on some upstart's unproven software.

In the golden era of Gartner and similar firms, their word was the gospel in tech decision-making, guiding the hands of CEOs and CISOs alike. 

Gartner has carved a niche for itself, but it's populated by big companies, their employees, and vendors catering to them. The leadership in these organizations often prioritizes maintaining the status quo over embracing innovation.

Analyst firms became the proxy for the safe choice.

I don't see this as a generational issue, either. I see different worlds informed by a company's size and business model.

There seem to be two schools of thought when it comes to analyst firms and their perceived value:

  1. You work at an agile startup or smaller company and think analyst firms are useless

  2. You work at a larger, more established company and can’t live without analyst firms

Gartner probably isn't for you if you're at a nimble startup or a smaller, more tech-focused company. People must operate differently at smaller and early-stage companies than at larger, more established ones.

At smaller companies, every discipline focuses on making sales and supporting the product teams that make the product you are selling. The goal is to make more sales, hit revenue and customer milestones, raise more money with their investors, and repeat this process on and on until they go IPO or get acquired.

Every business function at smaller companies has this in mind, and everyone has to operate with fewer people, fewer tools, and fewer budget dollars. Whether or not a piece of technology gets purchased, a security problem gets solved, or a compliance certification is pursued, it is driven by customer and partner demands.

I believe this is for a few reasons: 

  1. The cost is far too high for the level or

  2. The offerings are too vendor-centric

Gartner’s value proposition is information, connections, and confidence to would-be technology buyers. Gartner and other analyst firms have depths of knowledge for mature cybersecurity programs stocked with the people and the budget to utilize technology for tried and tested cybersecurity problems.

The Future of Cybersecurity Decision-Making: What Lies Ahead?

The landscape of cybersecurity is in constant flux, and there is a constant barrage of problems, both new and old, that need to be solved. The complexity of the cybersecurity market necessitates expertise, and in years past, only analyst firms could bring that to the technology masses.

The irony here is that analyst firms and cybersecurity vendors sometimes feed each other complexity, much to the chagrin of security practitioners. But security practitioners have been sorting out this complexity for many years now, often in isolation. They either had to conduct their own first-hand experiments, which can be costly and challenging from a time and resourcing perspective, or they had to rely on marketing claims (some of which didn’t add up).

Organically and through curated efforts, a new information avenue has become more available in the last three to five years. This avenue comes from the power of peer networks.

Side Channeling - The Rise of Peer Networks

There is a growing information avenue worth its own section here. The rise of Side Channels that security leaders and practitioners alike are a part of. Today, more security leaders rely on private networks, WhatsApp groups, and Slack or Discord communities, often with few or no vendors.

Here is where more and more security leaders prefer to get honest feedback about the market, speak freely about vendors, and talk through problems. Security leaders often want approaches to solving problems, not just a list of vendors or products to buy. They like to know about the “How” and the “Why” of solving a problem, not just the “What” of the vendors picked. These peer networks are getting stronger and more common by the day.

The true value of cybersecurity analyst firms lies not in their exclusivity but in their ability to synthesize diverse insights. The cybersecurity practitioners of today have far more options, resources, and opinions than those of us who started 10 or more years ago. A growing wave of those resources is practitioner-driven, but analyst firms remain strong.

To bring it all together, scrutinize your organizational needs against what analyst firms offer. It does not mean that what Gartner and other firms provide isn't helpful; they really are valuable to the right company at the right time for the right technology domain. 

It’s also not an all-or-nothing approach. Most security professionals use all the options listed above to their advantage, and you should, too. Be discerning and tailor your approach to intelligence and analysis based on your unique challenges and structures.

Consider where you’re starting from. Be discerning and take in a broad view of information. Adapt to what you need, and choose wisely. Test and learn.

Additional Resources

If you’re into NIST-y type things, I have a GitHub repo you might find helpful in your program building:

Thanks for reading this far! If you like my blog, please subscribe & share it with your friends. 🙏 

If your company is interested in sponsoring Return on Security, please check out the Sponsorships. 🍻 


or to participate.