Since I started working in cybersecurity PR six years ago, one of the most common questions posed by cyber marketers is “what are your thoughts on analyst relations?”
The request for Alloy's cyber public relations team's two cents on the matter is not limited to curious cybersecurity startups - we’ve heard it from infosec companies at all stages, and even from those that have previously or are currently engaged with a cybersecurity analyst firm in some capacity.
Cybersecurity analyst relations have traditionally fallen under PR’s purview. However, the practice has become somewhat more complicated for cybersecurity PR pros in recent years as:
analyst firms expand their cyber domain expertise with multiple hires
established firms enter into the cybersecurity arena for the first time
individual analysts have broken off from larger organizations to work independently or start their own firms
Analyst-driven category creation has also proved challenging for cyber marketers to navigate from time to time, too.
Are cybersecurity PR leaders becoming bearish on analyst relations?
Over the past year or so, I’ve witnessed a sentiment shift surrounding cybersecurity analyst relations. Historically, the questions posed to us about analysts would focus around return-on-investment, when to start an engagement and relationship building. Recently however, the questions have begun to more closely align with, “do we need analyst relations at all?”
There are a number of reasons that could potentially explain this shift in thinking. For one, while the ongoing retainer fee has always been an issue, venture capital’s heightened scrutiny on marketing burn rate could have companies, especially those in the growth stage, thinking twice about the recurring costs of an analyst partnership. Additionally, the micro-targeting capabilities now readily available through digital and social media advertising present another avenue to engage with the buyer personas that once upon a time only analysts could help connect vendors to.
Or perhaps some companies are questioning the cost-benefit analysis based on a previous experience at another cyber company. The truth is, I don’t know with any certainty what’s driving the change. I only know that one exists.
To understand more about the current analyst landscape in cybersecurity, I reached out two leading industry analysts, Jon Oltsik, a senior principal analyst and fellow at Enterprise Strategy Group (ESG), an analyst, research, validation, and strategy firm Rik Turner, a principal analyst at Omdia, a global technology research powerhouse.
Here’s what they had to say:
QUESTION: I’ve heard from several cybersecurity companies an increasing skepticism around analyst partnerships. Instead, perhaps these companies are choosing to invest more in online advertising and PR then in analyst relationships. First, do you agree that this is in fact happening? If yes, why do you think that this is occurring? Is it strictly a financial consideration?
ANSWERS:
Jon Oltsik - “I don’t think it’s an either/or but rather both. Of course, investments will be different based on objectives. If you are trying to reach a broad and targeted audience, web-based advertising would be best. If you want to push on thought leadership, analysts can help. Remember that security is a very confusing and rapidly changing area so advertising may not work if the market is already confused (which is often the case).”
Rik Turner - “There is certainly a degree of fatigue eating into vendors regarding analyst relationships, particularly with the larger houses, one or two of which have reached a scale that can lead to complacency/arrogance, we hear (of course, I would say that as Omdia is still a challenger to the big incumbents). There is also a certain chagrin in the fact that, much as they may dislike one or two of the Big Guys, they cannot afford to tee them off too much.”
QUESTION: Cyber companies have traditionally tapped analysts for lead generation support, persona identification and messaging/positioning testing. Has that evolved in recent years? What else are cyber companies more frequently asking analysts to help with?
ANSWERS:
Jon Oltsik - “They still do but there is more discussion on things like roles, industry-specific marketing, and campaign support. I view my personal role as a proxy for a CISO and try to help customers in their CISO messaging.”
Rik Turner - “It is definitely a major part of what vendors need from us, in addition to the more data-oriented side of things where the analyst has market sizing info and the vendors use it in their planning for the coming year(s).”
QUESTION: There are now at least 50 different categories of cybersecurity companies. While the bigger ones (e.g. Palo Alto Networks) transcend into several groupings, startups and mid-market vendors often have a difficult time identifying where best they fit. From your perspective, is the industry suffering from an over-classification problem or are all of the different categories needed?
ANSWERS:
Jon Oltsik - “The over-classification is really a product of history although analysts have something to do with this. Security professionals come from a culture of best-of-breed technology which led them to specialize and budget on a tool-by-tool basis. I do see some consolidation however in areas like ESG’s security operations and analytics platform architecture (SOAPA) and elastic cloud gateway (ECG). Other similar consolidation trends include XDR and SASE (Gartner).”
Rik Turner - “Yes, the different categories are unfortunately a necessity. Cyber is a unique sector within IT because 1) it is the only inherently adversarial one, and 2) this drives technical innovation on both sides of the attacker/defender divide, such that there is a continual need for the “good guys” to keep up. Since the dozen or so industry heavyweights like Palo Alto, Cisco etc. cannot possibly develop everything in house, they adopt a “let a thousand flowers grow” approach (note my subtle Mao Tse Tung allusion there…), picking which startup best fits into their portfolio (and which they can get for the best price) whenever they feel the time is right to add a new capability.”
“As for the startups, since they are often breaking ground with a new tech approach, they need folks in the analyst community (usually Gartner, but Omdia is also getting into the nomenclature game these days) to come up with a new acronym which, as it gains currency, facilitates the conversations with potential customers who may never have dealt with their company before. Equally, as Wall St. analysts become aware of the new acronyms, they begin to pressure the big guys at the top of the cyber pyramid to buy one, asking “So when are you going to add an XYZ capability?”
QUESTION: What's your advice for how cybersecurity companies can work best with analysts in today's industry landscape? Is there anything that you look for when deciding what companies to partner with?
ANSWERS:
Jon Oltsik - “First, go to analysts early so they can help you with go-to-market support in the early stages. Second, work with analysts with good research and relationships with actual customers. Finally, think about the big picture and where you need help in the sales funnel.”
Rik Turner - “We try to be accommodating to vendors, which means we don’t put strict limits on how much time they get with an individual analyst. We definitely want to work with vendors who understand that we are not pay-for-play merchants and don’t try to introduce overt “marketing-ese” into any of our deliverables, such as describing themselves as “market leaders” if we don’t have objective data to prove that, or calling their product/service “unique” when it clearly isn’t. And finally, please don’t expect 12 or 15 opportunities to review the text of a white paper!
A very big thank you to Jon and Rik for sharing their insights into the current cybersecurity analyst relations landscape.
To learn more about how ARPR can help prepare your cybersecurity company for briefings, keep analysts informed of client news, evaluate paid partnerships and participate in the decision-making process, click here.