The OT Visibility and Detection Market has consolidated to a big 3 of pure plays, a handful of enterprise vendors who have acquired their way into OT, and the niche players whose best hope is to get acquired before the music stops.

With the war chests full, this update focuses on the biggest challenge for each vendor in 2022.

The Pure Plays

With the big 3 companies raising over $100M in recent rounds and Dragos setting the bar with a $200M round and $1.7B post money valuation, these are the most successful OT security companies ever. The teams have accomplished great things, and most entrepreneurs would love to be in their position. 

All – Growth

The three share the same challenge: using this influx of resources, unprecedented in OT security, to grow the company quickly and manage that growth. All have already cleared two or three of the traditional growth stage hurdles. Each hurdle brings unique challenges and requires new skill sets that need to be learned or added to the team.

Claroty – Sales and Channel Execution

2020/2021 showed Claroty shoring up their executive ranks after some troubling turnover, and trying to address some market perception issues. The question for 2022 is whether these changes will flow down to the sales and technical support teams. So far the results are mixed and vary more than at Dragos and Nozomi. 

The Sales team answering the questions and doing the demos is always important in a complex sale. This market is not unique in that way. With the growing number of RFPs and pilots, Claroty is suffering from the lack of a consistent level of competence in their responses. The challenge is that ICS security sales and technical professionals are in high demand and competent talent is largely unavailable. Claroty needs to either poach them or grow them. Both are hard to do at scale.

To add to this challenge, Claroty is developing channels and trying to push sales and deployments through these channels. Channels take a lot of hand holding to get started, and the vendor often needs to do most of the work and give up margin to the channel, at least in the first year. And then the competitors will offer direct access and deployments, which is comforting to most asset owners.

Claroty’s product continues to be competitive if presented properly and their research team is capable and prolific.

On a side note, the Claroty Edge product will be an important addition to the product line. It’s not zero infrastructure and does not provide 100% visibility, as claimed, but it does offer visibility benefits for subnets deeper in the OT architecture without deploying a sensor on every switch. It is likely the others will have a similar product if the idea catches on.

Dragos – Product (Visibility and Vulnerability)

In the early years, Dragos fought the idea that an OT detection product should also be an asset inventory product. (I have also predicted that asset management, which includes asset inventory, will split off from the detection solutions.) When they felt compelled to add that feature, they were far behind the competition. While they have narrowed the gap, there is still a clear gap. If having an asset inventory that includes complete vulnerability information (OS and applications, computers and devices) is a priority, then most will still prefer either Claroty or Nozomi. Dragos needs to either find a way to close the product gap, which has eluded them, or convince more of the market that this is not the key decision factor.

If the priority is identifying and responding to incidents, then Dragos shows much better, and in terms of service is the clear choice. With their incident response retainer, talented team, and reputation I sometimes think that Mandiant is a more direct Dragos competitor than Claroty or Nozomi.

Dragos is a marketing juggernaut that begins with their CEO Rob Lee. Rob is everywhere: at events, in articles, in government’s ear, in industry organizations. He is a compelling presenter of threat and solution. However, the marketing effort is much broader than Rob, with a cadre of experts who carry their personal brand along with Dragos in technical presentations. On top of that, they put out regular quality content on the threat and are always on top of the latest ICS incident with technical details and analysis.

Dragos has the potential to swamp the other two with the talent, marketing and resources. Particularly if the conversation and immediate asset owner needs can be shifted to where they are strongest.

Nozomi – Marketing 

Nozomi and Claroty are most directly comparable from a product perspective. Nozomi’s execution is impressive, high quality, credible and consistent. Nozomi’s marketing lags far behind Dragos in quality and quantity, and to a lesser extent behind Claroty.

This likely causes Nozomi to start from behind in many competitive situations. In the future, could it mean they don’t get invited to compete? Yes, the RFP process can overcome this in some cases. In others it can’t. If a key senior executive is convinced that Dragos is the best before the competitive procurement, there often is not enough of a difference to overcome this.

Some might think that it is easier to solve a Marketing Challenge than a Sales and Channel Challenge or a Product Challenge. Not necessarily. Ramping up the quantity of marketing materials is not terribly difficult. The problem is 1) the quality of those materials and 2) having a voice consistent with the brand and promise.

Like them or not, Dragos has a brand. A thought pops into your mind when you think of Dragos, and it is usually a similar thought across a variety of people. Almost all of the content they put out supports this. What is Nozomi’s brand? Their promise? How are they driving the conversation? 

My view is they have fallen behind in marketing in 2020/2021. You could say this is an unfair criticism since I’ve praised their product, sales and execution. This is now a market filled with billion dollar companies so the challenges and stakes are higher.

On a side note, Nozomi’s cloud offerings are promising but currently immature and won’t withstand scrutiny by those responsible for cloud architecture and security. This however is easier to solve, and I predict they will in 2022.

All – Channels

One item I’ll be watching in 2022 is how much product is sold, deployed and managed through the consulting channels. Accenture, Deloitte and others don’t want to be locked into a single vendor, but they will naturally move to prefer one or two. 

Will asset owners go to their enterprise consultant and say, we want you to help us with OT detection and ask for a proposal? If they do, what solution will the consultants lead with?

Enterprise Acquirers

Cisco – OT Network Infrastructure Upgrades (And Channels)

The main benefit of the Cisco Cyber Vision solution is that it can be deployed in containers in the latest Cisco switches and routers that run IOx. You don’t need to deploy a sensor. You don’t need to pay for a sensor. You can run it on all your switches and pay based on the number of devices. If you want visibility across your entire OT environment, you deploy it on all your switches.

The challenge is most OT network infrastructures already have switches and don’t upgrade these often. Even in new systems Cisco or the asset owner would have to plan for this ahead of time and demand these IOx capable switches be used. They are not typically deployed and some DCS vendors are very particular on what switches are used. 

Can Cisco get asset owners to do a joint network infrastructure upgrade / OT visibility and detection project?

Some of the pure play vendors say they can also run as containers on these Cisco IOx switches. Cisco has told me those vendors will likely have performance issues due to CPU limitations in these switches, and that Cisco Cyber Vision was designed to work with these limitations. I’m curious if this will prove to be true.

Cisco sells through channels. Most of the channels don’t have cybersecurity expertise. Most of those that have cybersecurity expertise don’t have OT / ICS security expertise. Will loyal Cisco customers push through this like they have in some of the successful enterprise security products? Will Cisco be able to develop and use a subset of channels with OT security skills?

Forescout and Tenable – Expand Existing Clients To OT

Nothing has changed here. If you’re a Forescout enterprise customer looking for OT visibility and detection, then Forescout should have a big advantage. If you’re a Tenable enterprise customer looking for OT visibility and detection, then Tenable should have a big advantage.

The problem, as we all know, is that the teams responsible for IT and OT often don’t get along. Forescout, Tenable and others proposing IT/OT integration need to deal with this dissonance. 

In theory these products could compete for OT only projects, and the companies will tell you they do and they win projects. From a corporate perspective, incremental OT revenue was not the primary reason for the acquisition. The OT capability is to better win and maintain all business with very large customers whose OT is critical, for example ExxonMobil.

Other Pure Plays – Acquisition

There are a number of other pure play OT visibility and detection solutions. They will have a very difficult time competing with Claroty, Dragos and Nozomi. Not because of the product. The product is often competitive with, but not differentiated from, the Big 3. It’s because they lack the resources, and there are questions about their long term viability vis-a-vis the Big 3. They can still win some business, but the revenue gaps will likely increase.

It’s not time for panic as long as they have enough cash to continue. It is time to look for a good exit. Radiflow and SCADAfence are two examples of companies with solid tech and some market presence that could be of interest to an enterprise security vendor or an ICS vendor wanting to offer ICS security services.

——–

As always I give full credit to those in the arena battling in this marketplace rather than analyzing and commenting from the cheap seats. Good luck to all in 2022.
