Understanding Cyber Markets and Buyers: A Guide for Cyber PMMs

Introduction

Now that we've gone through an overview of the industry, Cyber PMMs need to understand the markets and buyers within the industry. Who/what are they? What are the key spending drivers? These questions and more are important to consider because at the end of the day we are marketing… products. And products require… buyers. And buyers… sit within companies. And companies… sit within markets. And markets create… industries.

Defining every industry, market and buyer would require more time than I have, so I will try to distill this down to the basic principles.

The Importance of Market Segmentation

Let's start with the basics. At a 30,000 foot level, all companies in every industry have IT to protect with someone building cyber programs. And this can be a single IT person that is wearing 15 hats and doing security on the side for a 8-person small business in Tulsa. It doesn't matter. At some point, there are decisions being made about cybersecurity; even if a company decides to neglect it, that's still a cybersecurity decision, however unwise. And there's a lack of time and bandwidth, so I get it. But the point here is that every organization in any industry now has to deal with cybersecurity at some point.

I'm assuming there aren't any companies left without a digital component to their operations. By the way, if someone thinks of a case where this isn't true, please post a comment, I'm genuinely intrigued by this question. Is there any organization left without some digital component to their operations? I mean, is anyone not using email or a website at this point? Does anyone not have digital files stored on local devices or in the cloud? I was thinking that blue collar companies are immune, but then I recently hired a contractor to fix my backyard fence. And while everything he did during the project was with his hands, we still communicated by email, and I paid his invoice by credit card with a link he emailed me.

I suppose you could argue that it wasn't his problem – and that really Google/Gmail was responsible for cybersecurity, and that the payment processor secured the transaction. So I can see that position. But won't that contractor also have to file taxes at year end, and save a 1040 PDF on his machine? I mean, there are all kinds of ways we can dissect this problem, but ultimately I think we can say that the vast majority of organizations are making cybersecurity decisions. Again, even if those decisions are to neglect cybersecurity altogether, that's still a decision.

The reason I'm starting here is because we can assume that every industry is going to be a potential market for cybersecurity products and services. Now the nuances of each industry from financial services to healthcare to manufacturing are going to vary, but we can say up front that market segmentation will require a broad view.

Ok, with that baseline aside, it's also important to understand a few other demographics for the companies within industries. For example, geographic considerations matter in terms of which countries certain specific industries mainly operate in, which IT tools they mostly use, how many employees they have – to name a few important demographics. Geography for example matters in terms of local regulations, however I would argue that most industries are global; we can assume that every country has a banking system that needs cybersecurity, even if the regulations governing them differ.

Then each industry has a list of top 500 or so firms that dominate that industry. IN some cases this is really much lower, say a top 100, 50, 10 or 5. There are banks like JP Morgan Chase, but then there are small regional banks in each city in the US, right? So targeting a whale like JPMC would be a much different process and conversation than Bank of the Rockies or whatever. But that doesn't mean both banks don't operate in the same industry. This is why we need more demographic factors such as revenue, employee count to rank stack organizations in each industry.