Why I Reinvented Myself: My Life as a Cybersecurity Content Creator, Influencer and Industry Analyst
Who Are Analysts
Before I introduce myself and the type of content assets I create as a cybersecurity influencer and industry analyst, I need to first explain what industry analysts are.
This article will demystify why I set out to reimagine myself as more than just an industry analyst and what that means to the cybersecurity industry in the type of content I publish.
But let's first start out with a definition of the role and industry. An industry analyst performs primary and secondary market research to assess market trends, perform competitive analysis and market sizing for vendors, and prepares forecasts and industry models for vendors wanting to enter a new market.
Some analysts perform consulting work outside of their market reports through bespoke research that is commissioned by a vendor, for example to discuss a particular problem their solution solves. There are currently over 700 analyst firms around the world.
The Problem We Solve
But why do analysts exist? What problems do analyst firms solve? It's simple really. Analyst firms solve problems for both vendors and buyers. Vendors leverage analysts differently than buyers, instead, to provide product and market validation -- effectively business decision support for go-to market strategies when entering new markets. For example, let's imagine for a moment that I'm the Chief Marketing Officer (CMO) for a company and want to bring a new product to market we've never been in before. But before I do that, I reach out to an industry analyst firm to get a better understanding of my total addressable market (TAM), competitive landscape, and development of a go-to market strategy. Nothing wrong there and a clear return on investment (ROI).
Buyers rely on analysts in a different way. Instead, buyers look to analysts to provide guidance before technology investment decisions are made and to get an understanding of what best practices other peers in their group are adopting. For example, when a company wants to invest in a $500,000 SIEM solution or move their data center to a cloud service provider like AWS.
The demand for industry analyst research is closely tied to the frequency of change in a particular segment. Meaning, the concentration of services tend to focus on industries that are experiencing the most flux and entropy making cybersecurity, for example (bias here), a target-rich (pun intended) environment for analyst firms.
When not out performing consulting (not all analysts consult), analysts are writing individual case studies on vendor products or market-wide reports on the vendors in that specific industry segment. Again, huge value here but only if the analyst has deep technical knowledge and experience in the space, which sadly isn't always the case in cybersecurity.
When consulting, analysts may be brought in by a vendor to produce go-to market strategies or perform product validation as I mentioned before. Or in my case, retained to perform penetration testing of financial services mobile apps and write a white paper as to how a particular vendor's solution protects against it. This is the fun stuff and where I think cybersecurity analysts should be creating the most content but unfortunately does require subject matter expertise (SME) by the analyst in the space -- something that should have been there in the first place, but I digress.
Buyers typically engage analysts for one-off projects, such as a white paper or subscriptions that provide them access to past and future research products and arms-length access to analysts. But these traditional business models for analyst firms are beginning to gain increased scrutiny and are undergoing a change, such as open source licensing concepts, new channels in which content is being ingested by buyers, and an increase in offshoring.
Deliverables can be syndicated and/or bespoke sponsored by clients, which includes market research, competitive intelligence and management consulting distributed as research reports, white papers, research notes, and newsletters. Some firms will provide advisory services, to include briefings inquiries, study findings, bespoke speaking engagements, round tables, panels, seminars, and market analysis such as quantitative market trends, forecasts, and market share analysis. Again, nothing wrong with any of this and provides tremendous value to vendors and buyers alike.
So there I was. Realizing in what may have been my mid-life crisis in September of 2018 looking for a change. Thinking I would be a small fish in a big ocean of cybersecurity analysts -- no more special than the analyst next to me who was an exploit writer, vulnerability researcher, or incident responder turned analyst, this ended up not being the case. It was shocking to me in coming to my current firm thinking the other analysts out there covering cybersecurity were cut from the same ilk as me -- former hackers, former forensic analysts -- people that used to do what it is they are now writing about. This couldn't be further from the truth.
I find myself now in an industry where vendors and CISOs are asking "where have you been all my life?" Shocked to the say the least, I had no idea walking into this that I would be such a rare commodity in the analyst industry -- a purple unicorn. A technical writer writing about cybersecurity who knows what network segmentation is and that zero-trust security was simply applying a marketing term to something that always should have been done as a matter of defense in depth for the last 20 years?
Many cybersecurity analysts only hold a theoretical or shallow depth of expertise in the areas that they are writing in -- again underscoring the concern over the technical accuracy of many reports since the analyst doesn't have much technical prowess or hands-on expertise in the area they are researching. I've met cybersecurity vendors who had to rewrite entire analyst reports simply because they weren't accurate.
So, being the hacker that I am -- I saw an opportunity to completely reinvent myself to address this need in the market.
A Content Creator, Influencer, and Analyst Walk Into a Bar...
So here I am. A hacker turned successful entrepreneur, turned venture capitalist, turned fashion photographer, turned illustrator and graphics designer, turned filmmaker, now turned analyst with an opportunity to completely reinvent myself -- to scratch that creative itch impelling me to do something creative. But how could I marry these three things of a passion for market analysis with being an influencer with credibility in cybersecurity, and a content creator with a passion for filmmaking, videography, photography, and writing short-form and long-form content?
After all, the numbers speak for themselves -- custom content is the future of marketing and advertising.
Why create a brand new type of analyst of course! Analyst 2.0! You see, my personal mission is to become an analyst that reports only on the technical merits of a vendor's technology, the empirical data I find out of my own review of the technology through primary research and to compare them only to the same, relevant technologies of peers in their space without rating them as to who's better. To simply be a communicator of capabilities and efficacy to buyers rather than my own personal opinion of who's "hot or not." The fact of the matter is, people don't care about vendor products, they only care about how it solves their problem.
We need to get away from this concept of B2B marketing and focus more on the fact that it's P2P or person-to-person and finding solutions to problems together. I see myself as a communicator of those solutions through storytelling and empirical data to back it up.
So here we are, one year later. The world's first analyst, content creator, and influencer in one. How am I fixing this industry? One content asset at a time. I'm redefining what an analyst is. I write reports on the best, sexiest technology in cybersecurity irregardless of whether or not they are a paying client. If it's sexy and cool, I want to take it apart and write about it! When I write reports, I hang up on vendors who just want to direct me to sales material to get the information I need to write my report. I disregard vendors who don't want to divulge details on their product that they should be obviously transparent about because its "intellectual property." For the vendors who want to leverage me as an influencer and content creator outside of the market reports, of course I want that responsibility -- but the market should understand that I will only put my name on something if I truly believe in the company's "why."
When vendors come to us to retain me, they know they're not just paying me to push paper.
You can throw a rock and hit an analyst that will write a paper for you. I do that, but it shouldn't be the only way to leverage me. I definitely belong on stage and out-front evangelizing the technology. Vendors retain me as their market influencer, to create a combination of different content assets, for the first time written by someone who understands beyond a superficial level what she is writing about. And finally, when buyers pay for access to my research, they know it will decompose the technology down to the plumbing, explaining in sufficient fidelity, how the technology is deployed, what the individual pieces are that make up the whole, what post-sales technical support and the customer relationship is like, how the components communicate -- over what port and protocol, how it works, how easily it really is to setup and install, that it really doesn't eliminate 100% of false positives, what care and feeding is really required to maintain its operational efficacy, and how effective it really is at what the vendor says it does.
Buyers know that I eliminate all the extra marketing fat from my reports, they know I sat down, implemented the technology in my lab, attempted to blow it up and see how it responds to both adversarial tactics and techniques and what the experience is like for the blue team on the other side of the UI.
Quite simply, I write no-nonsense, deeply technical content assets that tell a story worth sharing and most importantly, explains Why the CISO needs it versus What it does and How it works. After all, as Simon Sinek has immortalized in his book Start with Why "people don't buy what you do, they buy why you do it."