When you look at the cybersecurity vendor market, it's hard not to notice that most vendors don't make their products easy to access, requiring prospects to attend a series of demos, signs multiyear contracts, and commit to a minimum spend, a minimum number of endpoints, or some combination of these. This behavior of cybersecurity companies has several far-reaching consequences.
Gated Security Products Perpetuate the Security Talent Shortage
The sales model in the cybersecurity industry that forces practitioners to "qualify" by meeting the minimum spend requirements and signing long-term contracts is perpetuating the talent shortage. Entry-level professionals are effectively denied the opportunity to learn to use tools they for them to get a job, such as endpoint detection and response, identity management, asset management, security automation, orchestration, and others that have become ubiquitous across the industry. This creates a vicious catch-22: Unless you have experience using product X, you can't get hired, and you can't get experience with the tool unless you're already in the industry.
Today, eager young people can start a career in offensive security by watching videos on YouTube, participating in one of the thousands of capture-the-flag (CTF) competitions, or taking part in bug bounty contests. However, to accumulate the skills needed for them to get hired on a blue team, they require access to tooling that is not by any means accessible.
Gating Security Products Leads to Exclusion and Harms Diversity Efforts
Restricting access to security products creates situations where people from underrepresented groups are not able to easily catch up with their more fortunate peers who are already employed by enterprises with access to the latest tooling. In other words, companies publicly championing their efforts to increase diversity and get more people from underrepresented groups in the industry are actually making it harder for the same people to get into cybersecurity.
It's not uncommon to see motivated and driven people from underrepresented backgrounds spend their free time studying and trying to level up their skills so they can move up the career ladder. While scholarships and grants are certainly helpful, what can be even more impactful is giving them access to tools they need to learn to develop new skills, build résumés, and get hired or promoted.
Inaccessible Security Products Make It Hard to Defend Small Businesses
I have met many security professionals who are interested in starting their own services business — be it an incident response firm or a managed security service provider (MSSP). The problem is that for an aspiring entrepreneur, getting started is hard: Not only is the market incredibly competitive, but it's difficult to access the tools needed to get everything set up.
We like to talk about the fact that small and medium-sized businesses (SMBs) become victims of cybercrime because they don't know much about cybersecurity and where to get started with hardening their security posture. Large security firms typically ignore SMBs, as they are, by definition, small, and not as attractive as a business opportunity: They need a lot, but pay a little. This is where SMB-focused service providers can come in.
There are many security professionals with a strong desire to do their own thing and an ability to help companies in their area. The problem is that to access an endpoint detection and response (EDR), asset management, or cloud security posture management solution, they are required to sign multiyear agreements and predict and even commit to minimum spending. For obvious reasons, asking someone who hasn't even proven they can make the model work for a multiyear commitment is not reasonable. Unless the people trying to get started have enough knowledge to leverage open source, they are typically out of luck and have to give up their ideas before even trying.
Looking Into the Future
We have seen a lot of progress in the past few years to promote cyber defense: There are more communities for security practitioners, more blue-team-focused events, and more defense-centric capture the flags. We are also seeing the rise of open source in the industry, and a growing number of security vendors starting to open up access to their products. We refer to this approach as product-led growth. These changes are great, and we need more of them.
It seems like most security vendors today create thought leadership content about how bad the talent shortage is for the industry, yet few are making it easy for people to become job ready by learning how to use their tools. The real-life impact of gated products on the careers of aspiring security professionals is significant. The same is true about the problem of securing SMBs.
Making cybersecurity products more accessible won't solve all problems in the industry, but it will help us tackle a few of them, and hence, it is well worth doing.