Three critical but rarely discussed aspects of the security market

Most security market analysis obsesses over the latest zero-day exploit or the next big vendor acquisition, but Ross Haleliuk cuts through the noise to argue that the industry's true drivers are fundamentally economic, not technical. He posits a provocative truth: buyers do not care about abstract data protection; they care exclusively about the uninterrupted flow of revenue and the avoidance of regulatory penalties. This reframing is essential for any executive trying to understand why certain security tools thrive while others, despite superior technology, vanish into obscurity.

The Real Currency of Security

Haleliuk dismantles the conventional wisdom that security purchases are driven by the "CIA triad"—confidentiality, integrity, and availability. Instead, he argues that the only thing business leaders truly care about is protecting their ability to increase shareholder value. "Regardless of the industry, I have observed that business cares about one thing: protecting its ability to increase shareholder value," Haleliuk writes. This is a sharp, necessary correction to the industry's self-indulgent focus on technical metrics. When a company faces a ransomware attack, the panic isn't about lost bits; it's about a halted production line.

The author breaks this down into two distinct but overlapping motivations: business continuity and mandatory compliance. He notes that while some regulations simply allow a company to exist, others, like SOC2 certifications, are required to sell to certain buyers. "The difference between these two types of compliance is simple: the former allows the company to exist, while the latter allows it to sell." This distinction explains why some markets are saturated with vendors while others remain niche. The most lucrative opportunities arise where these motivations converge. "The Holy Grail of security are markets where the two buying motivations - compliance & business need - overlap," Haleliuk observes. This is where the market expands, as buyers purchase tools both to check a box and to solve a genuine operational threat.

However, this economic lens has limits. Critics might argue that by focusing solely on shareholder value, the analysis downplays the reputational damage and long-term erosion of customer trust that occurs after a breach, even if the immediate revenue stream isn't halted. A brand's reputation is a form of shareholder value, but it is often harder to quantify than a ransomware payout.

The Service-First Reality

Perhaps the most counterintuitive claim in the piece is that the most successful security companies are not pure software plays, but services-first organizations. Haleliuk points to industry giants like CrowdStrike and Dragos, noting that their dominance is built on human expertise rather than just code. "When you take a closer look at some companies that have been successful as pure-play security offerings, it doesn't take long to notice that these are often services-first companies." The logic is simple: customers lack the talent to operationalize complex tools on their own.

The author suggests that the "last mile of value delivery in security is services-centric." Even when a vendor sells a product, the actual work of securing the environment often falls to channel partners or the vendor's own professional services team. "Hands-on support (aka services and delivery) are the most important part of security, and they are (and for the time being, will continue to be) largely manual." This challenges the Silicon Valley narrative of infinite scalability through software alone. If the product cannot be configured and monitored by humans, it provides zero value.

Most customers simply have no idea how to secure themselves. They don't have talent in-house to understand what their security needs are, let alone to take care of them.

This observation holds up under scrutiny. The complexity of modern infrastructure means that a tool without an expert behind it is often just another dashboard to ignore. Yet, this reliance on services creates a tension for investors who prefer the high margins of pure software. The industry's need for human intervention may be its greatest bottleneck for rapid, capital-efficient growth.

The Shape of the Moat

Haleliuk delivers a stinging critique of the traditional "technical moat." He argues that in cybersecurity, technology is easily swapped because it sits on top of existing infrastructure. "Pure-play security companies don't have technical moat but they compensate for that with something else." The barrier to entry is low, and the time to value is short. If a product cannot show results after a few clicks, it is discarded. "Gone are the days when a CISO would be open to deploying agents or setting up gateways to onboard a security product; nowadays, unless a product can show value after a few short clicks, it will most likely never get adopted."

Instead of technology, the real moats are built on distribution and perception. Haleliuk highlights the power of analyst reports like the Gartner Magic Quadrant, creating a flywheel where success breeds more success. "Security is a market for silver bullets, and therefore being able to maintain the leadership status in Gartner MQ or Forrester Wave creates a flywheel where successful companies only become more successful."

In contrast, he identifies a different class of vendors—connectivity providers like Okta and Zscaler—that enjoy a much stronger moat. These companies are not just selling security; they are selling the ability to work. "Identity providers such as Okta are critical for employees to be able to access the resources they need to do their jobs." An outage here doesn't just miss a threat; it paralyzes the entire organization. This creates "insanely high switching costs."

The bar for displacing connectivity vendors is much higher than the bar for displacing security vendors.

This distinction is crucial for understanding market stability. While a company might swap a data loss prevention tool for a cheaper alternative, ripping out the identity infrastructure that connects every employee to their work is a risk few IT leaders are willing to take. Critics might note that recent breaches at major identity providers have shaken this trust, suggesting that even high switching costs may not be enough to prevent displacement if the perceived risk of staying becomes too high. However, the inertia of replacing core infrastructure remains a formidable barrier.

Bottom Line

Ross Haleliuk's analysis succeeds by stripping away the technical jargon to reveal the cold economic realities driving the security market: revenue protection, regulatory survival, and the indispensable role of human services. The strongest part of his argument is the redefinition of the "moat," shifting focus from code to indispensability and distribution. The biggest vulnerability, however, is the assumption that the market will always prioritize business continuity over the potential for cheaper, automated solutions that could eventually reduce the need for manual services. Executives should watch how the industry adapts as AI promises to automate the very "last mile" services that Haleliuk identifies as the current source of value.

Sources

Three critical but rarely discussed aspects of the security market

by Ross Haleliuk · Venture in Security

I often discuss what makes security unique or different from other industries. Today’s article is another one in this series: I am looking at what the real drivers of cybersecurity buying are, how security is a services-first space, and how the moat has a different shape in security than it does in other industries. This week, I am doing something different and instead of writing a deep dive, I am publishing a brief take on three separate but very much connected topics.

This issue is brought to you by… Vanta.

VantaCon: Join the event in-person or virtually this November

AI is fast transforming every aspect of security and compliance—and no aspect of GRC will be left unchanged.

This year at VantaCon, join Vanta for a full-day GRC community event.

Be the first to hear exciting product announcements, discover how industry peers and leaders are preparing for big changes while uncovering unique opportunities for growth, and take part in new breakout sessions designed for collaboration—not just on what’s next for GRC, but how we’ll write its future together. Join Nov 19 live in San Francisco or virtually to:

Hear from the GRC and security leaders shaping the industry

Network with the best

Help write the future of GRC

There are only two real drivers of cybersecurity demand.

Why do companies buy security? Conventional wisdom is that it is to protect the so-called CIA triad - confidentiality, integrity, and availability of data. I think this view is too simplistic, and it begs for more details.

Regardless of the industry, I have observed that business cares about one thing: protecting its ability to increase shareholder value. In practical terms, this means ensuring that the company can continue operating normally and therefore generating revenue, and ensuring that the company won’t incur unexpected monetary losses.

Ensuring continuous operations has two aspects:

Business continuity, or making sure that assets that produce value (people, equipment, etc.) are functioning as normal. This is why ransomware is such a big deal - when a business stops producing whatever it is producing, it stops making money.

Mandatory compliance requirements (SOX, etc.) are met and certifications required to establish trust with buyers (SOC2, etc.) are obtained. The difference between these two types of compliance is simple: the former allows the company to exist, while the latter allows it to sell.

Avoiding monetary losses also has two aspects:

Preventing significant penalties from being ...