One of the biggest challenges of being a security industry analyst is finding when and how to define new market segments. We both had to do this recently — Jeff with managed detection and response and Allie with extended detection and response (XDR). The most common question we get from security vendors confused as to whether they fit into a market segment is, “If we deliver on the same outcomes, does the underlying technology really matter?” The short answer we give to vendors is, “Hold up, this isn’t about you.”

It’s about the practitioners that have to understand it, buy it, use it, and maintain it. Market segmentation is a taxonomy to describe a technology that solves a practitioner problem in a unique way. These terms emerge in two ways: one good and one bad.

The good way: We define a new market segment when a majority of our clients need to know about it. This segmentation is what level sets between us and you, the practitioner, as to what we are talking about when we suggest a technology. It gives us a common language by which to talk about technologies that may help solve your problems and then identify specific vendors that may work best for you within that market segment.

The other way: Through some combination of marketing budgets, search engine optimization pursuits, vendors desperately seeking differentiation, and other influential organizations (ahem) in the industry, an acronym begins to bounce around the internet and finds its way to your inbox. Your immediate reaction is an eye roll at the discovery of a new acronym, which is tossed aside within milliseconds as anxiety sets in — because you know that your destiny in the not-so-distant future will require you to understand this new term, define it, and discuss whether it matters. And no one needed more work (or more acronyms).

Whether or not a term manifests from the good it does or the hype it enables, you will undertake a similar set of activities. Your research needs to uncover the following:

  1. Establish the baseline expectations for this technology.
  2. Identify the questions that need answers.
  3. Decide if your team needs to prioritize it or put it aside for a later date.

We outline the baseline steps of your investigation below.

Why Do We Need New Acronyms Anyway?

Market segments exist for one reason: Practitioners need answers to specific questions when considering the adoption of any new technology. Market segments consolidate a like set of technologies into one category so practitioners can understand what to buy, with nuances by vendor. Complex topics require simplification before decisions take place.

New market segments should not increase complexity, and a minimum amount of sufficient differentiation from current offerings must exist. Creating yet another acronym to describe technology that already exists adds confusion.

Look for consistent answers to the following three market segmentation requirements when understanding a new market segment:

  1. Capability
    • What does the technology do?
    • How does the technology address issues I am having better than what I have now?
    • What, if anything, does the technology replace?
  2. Dependencies
    • What dependencies exist for the technology?
    • What maintenance do I need to perform for the technology?
    • How many full-time employees do I need to use it? Will this require new skills?
    • How is it licensed?
  3. Time-to-value
    • What is the time-to-value?
    • How do I deploy the technology?
    • What risk exists when migrating from our current toolset to a new one?

CISOs need answers to these questions because every enterprise purchase leads to a project, and every resulting project includes risk. They need to understand those risks, get their bearings on how to transition from their current state to the desired future state, and detail expected gains and losses whether the risk of change pays off for your security program.

If the definition of a market segment does not address the questions above, glaring dissimilarities exist, or it seems like every vendor describes an entirely different solution, your team has likely stumbled into the latter definition we mentioned. That does not mean that you should ignore the space entirely, as it may prove worthwhile to watch the space evolve, but hold off on making a purchase for now.

Trade-Offs Exist For Everything, Including Outcomes

Do outcomes matter? Absolutely. However, the most beneficial outcomes require security teams to administer, configure, deploy, support, and use a technology. Practitioners think of jobs they need to do, and vendors often think in features. Somewhere at the intersection of those two is where good things happen. Use the market segment questions above to find the areas of convergence, validating that the technology is worth adopting. Here’s an XDR and security analytics platforms example of how the answers differ depending on the market segment:



The bottom line is this: Buyer beware if a vendor says it fits into a market segment solely because of the outcomes it claims to provide. Tried and true may not be flashy, but it is the devil you know and may be the best fit for your security program. Be sure to evaluate capabilities, dependencies, future outlook, and time-to-value to understand the complete picture of a market segment and what it might mean for your security team.