McKinsey & Company completed a fascinating study in the fall of 2022, concluding that the small and medium business market offered a $2 trillion opportunity for cybersecurity vendors who can shift their architecture and selling models to meet SMB needs.
The report states, “As a result, the gap today between the $150 billion vended market and a fully addressable market is huge. At approximately 10 percent penetration of security solutions today, the total opportunity amounts to a staggering $1.5 trillion to $2.0 trillion addressable market. This does not imply the market will reach such a size anytime soon, but rather that such a massive delta requires providers and investors to “unlock” more impact with customers by better meeting the needs of underserved segments, continuously improving technology, and reducing complexity.”
The study is fascinating on multiple fronts and well worth a read. First, it shows that the SMB market is terribly exposed to cyberattacks and that this exposure will lead to an even more significant increase in successful attacks across all enterprises due to the interconnectedness of the digital economy. Second, it uncovers a truth I have long written about, security vendors, both large and small, have focused so intently on large enterprises that their product architectures, product operations, and go-to-market models are useless to SMBs. Third, the horrendous talent shortages in cybersecurity will be around for a while and significantly affect SMBs. And finally, the only way out of this problem, and the way to open up the $2 trillion in potential market size, is to deliver cloud-native, AI, and automation-driven solutions that are easy to operate and offer a significantly lower TCO. Let’s take a closer look at each of these findings.
SMB Market is at extreme risk, and that puts us all at risk
The SMB market is at risk of attack because they lack the tools and people to defend their environments. Most SMB organizations do not have a Chief Information Security Officer or dedicated cybersecurity staff, and they are a soft target for attackers. As McKinsey points out in the example of a Texas steel structure manufacturer that was forced into bankruptcy in May 2019, SMB organizations are susceptible to ransomware and other attacks. What ransomware attackers lose in payout size, they quickly make up in volume.
But there’s another side of these SMB attacks that McKinsey only touches on: the repercussions of these attacks up and down the supply chain. The steel manufacturer created $100 million in revenue creating business for their suppliers and customers, all of which was lost after they closed. Then there are the supply chain attacks, where the weakest link in the supply chain ecosystem is attacked to bypass the defenses of a more prominent player in the supply chain. Examples of this include Comm100, CircleCI, ASUS, and SolarWinds. Regardless of the attack target being a smaller organization, the effect ripples across all the vendors in that Company’s supply chain ecosystem, multiplying the attack’s damage and losses as it unfolds.
Cybersecurity vendors are focused on large enterprises
Behind Mckinsey’s reports finding is a long-standing go-to-market strategy endorsed by venture capitalists and followed by IT and cybersecurity firms whose aim is to get adoption of new technologies with the “early adopters” of large firms. Large firms because only these organizations can adopt nascent technologies and work with the vendor to adapt them to the market (e.g., Geoffrey Moores’ “Crossing the Chasm” model). While utilizing this model, I have worked with General Electric, CitiGroup, Wells Fargo, JP Morgan, and CIBC. The problem is that the model creates a self-fulfilling prophecy – the product we sold, like all the others, was built for and defined by the large enterprise operating model. Add analysts like Gartner to the mix, and the prophecy is fulfilled in the Gartner “Magic Quadrant” reports, an enormous, complex product that will be operated by a large team with all the bells and whistles. A considerable direct sales force will sell the product, and the deal size will average six figures, with million-plus dollar deals being much more common than deal sizes under $100K.
The simple truth is any cybersecurity product built to be used in a Security Operations Center (SOC) is almost useless to an organization that does not operate a SOC. Threat-hunting capabilities are a great example. Small and medium organizations cannot afford to hire threat hunters, so the capability and cost have no value to the SMB market. The creation and evolution of these feature-rich, overly complex tools have played out time and time again across hundreds of hardware and software products.
Talent shortages around cybersecurity are not going away
There is no doubt that there are not enough trained security professionals to meet market demand, and the numbers are staggering, with 465K open jobs in 2021, growing to almost 700K in 2023. Small and Medium Enterprises cannot hire because they cannot afford the salaries large organizations offer. The talent shortage is a limiting factor regardless of company size. Still, it is exacerbated by high wages, with SMBs not even attempting to fill roles like threat hunter or forensic analyst. The lack of skilled workers will be around for a while, which means AI and automation must fill the gap.
Cloud, AI, and Automation are the future of cybersecurity
McKinsey points to new technologies will be a big part of the solution. Technologies that are seeing rapid adoption in IT and across all industries, namely, the use of cloud-native SaaS solutions that are intelligent and highly automated. This totally makes sense – easy and inexpensive to deploy, highly intelligent and automated systems help alleviate the talent issue, and can be offered at a price point that is profitable for the vendor and affordable to the market.
Business and finance applications have led the way with even smaller organizations utilizing accounting, supply chain management, sales and marketing, and shipping applications that operate in the cloud and use AI and automation to simplify operations and save money.
So why is an innovative industry like cybersecurity lagging?
Fear of the cost to re-architect and cannibalize sales and a desire to maintain a large direct sales force all play into a stubborn legacy mindset that prevails across cybersecurity vendors. Also, in the minds of these vendors, there is no urgency because large enterprises are paying out $150 billion a year in a market growing at over 12% annually.
A shift to cloud, AI, and automation means a shift away from on-premise hardware and software and a significant direct sales force selling to the SOC. Cybersecurity vendors are paying tribute to the idea of the shift to the cloud, with websites and marketing collateral touting SaaS, managed services, and cloud support. Still, at purchase and deployment time, the reality of the legacy models surfaces with high costs, required appliances ordered, hours of training classes scheduled, and consulting firms making thousands on customization and process improvement.
Seizing The Moment
“With billions of dollars of revenues set to flow into the market in the next three years, providers should seize the moment. That means optimizing engagement with the cloud, developing a pricing model for the midmarket, embracing innovation, and expanding managed-service offerings to create midmarket-friendly solutions. In short, it means finding productive combinations of product, price, and services that vendors can tailor to target segments and are flexible enough to scale. If the industry can meet these priorities, it can start to create the momentum that will increase its penetration across segments and put the $2 trillion prize in play.”
The above conclusion from the Mckiney report reads like the CyGlass product and go-to-market strategy documents we created back in 2018. The CyGlass team recognized early on that the mid and small-market segments were completely unserved, and it would not take attackers long to realize the opportunity. The challenge was to create a genuinely midmarket-friendly offering that could be delivered directly to the customer or via a managed service provider. To that end, our strategy started with creating and providing the most challenging part – “optimizing engagement to the cloud.” Our 100% cloud-native solution optimizes cloud engagement in three ways.
First, we uniquely eliminate onsite hardware and software, which are both significant costs and operational constraints for resource-constrained IT teams. By delivering our solution from the cloud, we reduced time to value from months to hours and reduced TCO by 60% over three years. We also made it possible to deploy the platform anywhere in the world in a matter of hours and to utilize the systems customers have deployed.
Second, we utilized a cloud architecture to optimize our AI stack. With a cloud (versus onsite hardware or software) deployment, we can scale up or down our processing power and costs to meet our client’s needs.
Third, our cloud architecture allows us to innovate rapidly. We are not tied to legacy models or rules; instead, we can embrace rapid innovation across areas like threat surface coverage where we started with North-South network traffic, added East-West network traffic, then added the Azure platform, Active Directory, and M365, and then AWS and AWS Workspace, Google and Google Workspace, and now we are expanding across EDR systems including Sentinel One and MS Defender. Architecture or legacy strategies do not limit our expansion; our customer’s requirements drive it.
We also strived to simplify pricing, delivering a value-based pricing model that was quickly consumed in the medium and small marketplace. We decided to utilize a per-user per-month model where users can operate multiple devices. This has the advantage of consistent pricing that is easily tied to the people and systems we protect. Product usage or consumption-based models were found to be inconsistent in monthly costs and intensely disliked by customers. Eliminating the need to purchase or rent and return hardware also significantly reduced pricing complexity.
Finally, small and medium businesses will struggle to hire cybersecurity experts; therefore, a managed service provider friendly platform is a must. From multi-tenant deployments to specialized management and reporting interfaces optimized for managed service providers, CyGlass delivers a highly effective and highly profitable platform for MSSPs and MDRs. We are happy to report that today, 60% of our revenues come via our managed service partners, and that number continues to grow.
The McKinsey & Company study is incredibly relevant based on the growing and shifting nature of cyber and ransomware attacks. There is a gap in the current delivery of compelling cybersecurity offerings, with the SMB market needing to up their defenses more than ever and offering to support them lacking in the market. CyGlass has a four-year head start in delivering on what McKinsey calls for and the market adoption and happy customers to prove it. We are looking forward to an amazing 2023!
Read the Full Report:
McKinsey & Company: New Survey Reveals $2 Trillion Market Opportunity for Cybersecurity Technology and Service Providers
To Learn more about CyGlass: