It can be very easy to become completely immersed in your work “bubble” and go along with the hype and rhetoric, but for those of us with a few grey hairs, the lessons of history still linger.

At the time of writing, I have just finished my current round of recruiting, and I ask every candidate the same questions when I first speak to or meet them: “What do you know about us, and why do you want to work here?” Nine times out of ten, the answer contains something along the lines of “Cyber is a hugely growing industry and I want to be part of it”, like the folks joining the Californian Gold Rush. But does the hype match the reality? I’ll call it out right now and say NO!

Brave? Stupid?? I’ll let you decide at the end of this piece.

There’s a storm a-coming…

I’ve been predicting a storm for a couple of years now. It started back in 2017, when I was walking around Infosec and said to a couple of guys at my last gig that a lot of the vendors with their “silver bullets” would probably not be around in a couple of years. My view then, and still now, is that this sector is hugely over-invested, which is having an effect on the number of vendors in the space, the “noise” being created, the salaries, and the “silver bullet” fatigue that customers must be feeling.

This view was also given by Kelly Shortridge on Risky Business in Jan 2018, where she took time to explain the prices paid for vendors versus their revenue. One area she focussed on was Cloud Access Security Brokers (CASB), which arguably still hasn’t delivered in terms of market take-up. Subsequent guests, in particular the awesome Haroon Meer, have said the same in later episodes in April and again in November this year. I also referenced this in an interview with Jenny Radcliffe on her podcast “The Human Factor” earlier this year (Episode 93, if you’re interested).

Who cares?

In some respects, you could say “so what?”. But there are in fact 2 distinct types of person that should care: technology buyers, and technology salespeople. I’ll explain why…

Kool-Aid © Kraft corporation

The first people that will feel this will be the salespeople, and to some extent it’s their own fault. Having been at the pointy end of trying to recruit, I have seen first-hand how hard it is, not least because there is a misplaced sense of what people are worth, fuelled by the “Cyber is hot” mentality. I have lost count of the number of people I’ve encountered who are either in the industry, or were drawn to it, because they saw it as a hot, growing place to make some money.

All too often, the quality is mismatched with the salary expectation, and I place this problem squarely at the feet of the investors. There are too many jobs out there offering basic salaries approaching (or passing) six figures, which leads some salespeople to think that they are worth more than their true market value. And I’m not alone in calling this out. One recruiter who I respect (Jonny Graham at IRC) recently posted about “the hypnotic trap of the big salary and the big ego“, which very neatly sums up the issue I see. In short, ego drives the salesperson to take a “higher paid” job which they didn’t properly qualify (which in itself proves they were punching above their weight!), and ultimately this can be hugely counter-productive, often damaging, to their career development. Note the “higher paid” in quotation marks: what’s the point in chasing the big basic/OTE if it is completely unachievable?

My advice to anyone reading this and thinking of that “big move” is this: “Ask yourself why they are offering such a big uptick. What is their expectation? Is it a realistic one? What is the patience and tolerance level of the investors as you try to build the business?”

Of course, there are some great technologies out there, and the fact that no-one has yet “blown the doors off” the sales could mean that you are on to a unicorn, but all too often this simply isn’t the case. And if you are the person in that role when they run out of cash, or the investors run out of patience, you’re really going to struggle when you join many others like you looking for a job having sold almost nothing.

Oh, and neither I, nor others like me, care about how big your pipeline is or was; trotting that one out is a sure-fire way to qualify yourself out…

The problem

Courtesy of Jim Griffiths

The image above was shared with me by a CISO friend, who had used it to explain to the board why he was standardising on Microsoft. He gave a high-level explanation of the different tools and technology areas within infosec, and thus the vendors that could potentially be used. The takeaway for the board was that he would have to have 3 people spending all of their time meeting the Kool-Aid-spewing sales bods, trying to figure out if the technology is any good.

This is where the problem gets trickier, because it isn’t that easy to distinguish between vendors (in particular, their stability and efficacy) in a heavily invested marketplace. For example, if you happen upon a vendor at a trade show with a nice big shiny stand, it can give the impression that they are in a good place financially. They can rock up and deliver a slick presentation, maybe even a Proof of Concept that looks impressive. But then midnight comes after you’ve placed the order and the carriage turns into a pumpkin: the PoC was clearly propped up by lots of sticking plaster, the support is woeful, and the Kool-Aider has disappeared into the night… Now, I’ll cut the salesperson some slack here, because they are often precluded from giving the after-sales support that they ought to by the mandate from the business to deliver the next sale (or else!), although you, the buyer, don’t care, because you want a service.

What’s the solution?

In simple terms, do your research. This applies to both the buyer and the salesperson.

My first port of call before we consider a vendor is to research the management team and the investors: have they got a track record? If brand new, what is their background? When interviewed for Jenny’s podcast, I gave a caricature of “Bob the Investor” on the golf course with a mate discussing “getting into Cyber”. If the investors behind this new silver bullet that is being punted to you don’t have a track record of investing in technology, then give it a swerve, or at least approach with caution. The same applies to the founders: they may well have been A* students at MIT, but having a good idea and building a great business are two very different things.

As an aside, we’ve built a methodology for assessing vendors that I’ll happily explain if you’d like, and this is where the oft-maligned “middle man” reseller can actually add some real value. We too are pitched almost daily, and having been around a bit, we can usually spot a dud, and a good ‘un.

Finally, to the salespeople: the same advice applies in terms of doing your research. Take this one step further and speak to the existing salespeople, and to the customers. If you are going to an established vendor, then ask the awkward questions like “what percentage of the team are at or above target?” and “why is this role available?”. In short, qualify.

I can’t say exactly when, or what, might trigger this correction. It could be a failed IPO that cools the enthusiasm of investors, slowing the investment. It could be a collapse and fire sale of a rising star of the industry.

Either way, the correction is looming…