Endpoint security has a funding problem. Endpoint security is no longer a market where best tech wins. Now it’s deepest pockets.
(Disclaimer: We invest in security companies. Our portfolio includes Rapid7, Blue Coat, InAuth, Network Intelligence, ObserveIT, Attivo, and Evident.io.)
Endpoint security companies have raised over $800M, and that capital is being deployed mostly on sales and marketing. Buyers, inundated with overlapping and competing messages, are confused. It’s not longer enough to have best-in-class technology. You also must have best-in-class funding.
It’s ultimately bad for the industry: It means VCs are anointing the winners. You know that war for security talent? Well-funded vendors have hired security talent away from enterprises, and the enterprises have little ability to independently evaluate technology. They must rely on the vendors. And the best funded vendors have the best talent and the best ability to convince buyers of their worth…you get the point.
Don’t believe me? Look at this guy, this guy, and this guy. All Crowdstrike employees. All formerly had roles where they would’ve been Crowdstrike customers. (To be clear, this is a great vote of confidence for Crowdstrike. I love it when portfolio companies hire their customers…provided there are multiple champions in the account.)
Let’s say you have an investment decision to make between two companies in a given market space. You can invest in the company with the best technology and the second best marketing or the company with the second best technology and the best marketing. The choice is obvious–go for the company with the best marketing.
Where it gets complicated is that marketing spend is no indicator of marketing effectiveness. A big marketing budget only correlates with a louder marketing budget. But if you are saying the same things louder than others, you only raise the noise level in the market as a whole without standing out as a positively differentiated alternative.
The lesson is that when you invest in marketing, invest in being different. In the 2015-2016 security market being different means talking about the reducing cost and complexity of security and not exciting stories from Cybersecurity True Detective.