Market Maturity and Security Competitive Advantage

By Mike Rothman

One advantage of my background is that I’ve used and marketed/sold security products, as well as followed the industry for a long time, so I see patterns over and over again. But before I jump into that, you all need to head over to Lenny Zeltser’s blog. He’s doing a lot of writing, and given the general lameness of the rest of us security bloggers, it’s nice that we have a new victim thought leader to peruse.

Lenny is doing a series now on defining Competitive Advantage for Security Products. The posts deal with Ease of Use and Price. As you would expect, I have opinions on this topic. I see both as indications of product/category maturity. I don’t necessarily want to delve into the entire adoption curve for security products, but suffice it to say most innovative products are narrowly defined and targeted towards an enterprise-class customer.

Why? Enterprises have the money to pay way too much for way too little capability, which half the time doesn’t even work. But they’ve got small problems on large enough scales that they’ll write big checks on the faint hope of plugging in a box and making the issue go away. Over time, products/categories either solve problems or they don’t. If they make the cut, interest starts to develop in smaller companies that likely have the problem (though not at the same scale), but not the money to write big checks.

Smaller companies also tend to be less technically sophisticated than a typical enterprise. Of course that is a crass overgeneralization, but at minimum an enterprise has resources to throw at the problem. So a product with a crappy user experience usually doesn’t deter them. They’ve got folks to figure it out. Smaller companies, not so much.

Which is why as a product/category matures, and thus becomes more applicable to a smaller company market segment, the focus turns quickly to ease of use and price. Small companies need a streamlined user experience and don’t want to pay a lot. So they don’t.

I lived through this in the anti-spam business. In its early days, customers (mostly in the enterprise) wanted lots of knobs and dials to tune their catch rates (and keep their people busy and employed). At some point customers got tired of endless configuration, so they opted for a better user experience. Early leaders that couldn’t dumb down their products suffered (yes, I still have road rash from that).

At the same time, Barracuda introduced a device for about 10% of the typical price of an anti-spam gateway. Price wasn’t just a differentiator here, it was a disruptor. $50K non-competitive deals became $10K crapfests. It’s hard to grow a business exponentially when you have to compete for 20% of the revenue you previously got. Right, not a lot of fun. And now managed anti-spam services provide an even easier and more cost-effective option, so guess where many customers are moving their spending?

I agree with Lenny that ease of use and price can be used for competitive advantage. But only if the market is mature enough. A low-cost DLP or SIEM (as opposed to log management) tool won’t be successful because the products are not easy enough to use. So for end users buying a lot of this technology, keep your expectations on price and ease of use in alignment with market maturity and you can find the right product for your environment, regardless of what size you are.


@mike, I agree that simple regex checks don’t really qualify as “DLP”. I’m talking about detection technologies well beyond simple regex.

From a security vendor perspective if the main customer use cases are around PCI compliance and PII / PHI detection then the definition of critical data, discovery and control aren’t in themselves difficult problems to solve.

Some of the main challenges for endpoint DLP are deployment, offline enforcement and centralized event monitoring. Here there is a huge ease of use advantage in leveraging existing endpoint security infrastructure.

Of course many organizations - especially those in finance and health care sectors - will feel that the investment in “Enterprise DLP” is justifiable but many more organizations will be able to implement effective DLP controls and employee training for a lot less by investigating what their existing security vendors can provide.

BTW from a technology perspective I am fascinated by the idea of machine learning. If the technology is implemented well then there is a great deal of potential for making the detection of intellectual property or organization specific data sets much easier.


By John Stringer

@john, that’s a good point. I guess it gets back to how you define product categories like DLP and SIEM, as opposed to subsets of that technology like content monitoring or log aggregation.

Clearly doing something simple like a regex check on outgoing email is easy, and also built into pretty much every email gateway out there. I don’t really consider that DLP. Don’t think our own DLP maven (Rich) would consider that DLP either.

Right now doing DLP, which involves definition of critical data, discovery (finding it) and control (through monitoring at the gateway, in motion, and at rest) isn’t going to happen with a low cost offering. Just finding the data is a major endeavor. That was really my point.

But thanks for pointing out that I didn’t sufficiently explain what I meant by DLP.


By Mike Rothman


I usually agree with the sentiment of your posts but I thought the following statement: “A low-cost DLP or SIEM (as opposed to log management) tool won’t be successful because the products are not easy enough to use.” - was quite bold.

The definition of success is really dependent upon what the DLP technology is being used to achieve. For example, if your main use case is finding credit card data either at rest or within outbound communications then “low-cost” DLP will almost certainly do the trick - as long as it is accurate and has a good event management workflow. There is no fundamental reason why low-cost or integrated DLP cannot be easy to use.

There are some similarities between HIPS and DLP. Both started off as “science project” solutions which only well-resourced IT teams could (barely) implement. HIPS only received widespread adoption when the core functionality could just be turned on with a manageable number of false positives. DLP appears to be following a similar pattern in terms of gaining wider adoption.

To put this in context the vast majority of Sophos email appliance customers use the integrated DLP functionality. Perhaps not surprisingly the main use cases are identification of financial data, clusters of PII and document classification markers. If there was no value in “low-cost DLP” it would simply be turned off (or never turned on).

John Stringer (Sophos Product Manager)

By John Stringer
