Last week’s article covered analysis on how the SBOM market winners will be determined by who can best play the role of middleman between the large number of ICS vendors and the even larger number of ICS asset owners. This week let’s look at what will lead to sales wins prior to the arrival of the middlemen, something that will take at least two years, and likely 4-5 years, to be a reality.

Competitors need to survive in the interim years to even have a chance to win the endgame. The ICS Detection Market is a good case study. It began with about 20 companies who had raised seed money to go into this product segment, and six years later we are down to the big three independents (Claroty, Dragos and Nozomi). Most of the Tier 2 competitors were acquired by a larger company that has integrated the tech into a broader solution (Cisco, Forescout, Microsoft, Tenable, …). Here are some potential lessons:

  1. The best tech is not likely to be the deciding factor. The solution only needs to be good enough to appear competitive in a demo / pilot environment. There were ICS Detection solutions that were better than one or more of the big 3 remaining independents in the first four years of that market. Some of these better solutions got crushed. Some got left behind to Tier 2 and were acquired.
  2. You need to solve an immediate problem. Most of the ICS detection products pivoted in the early years to asset inventory as the primary sales pitch. Why? This was what the asset owners were most impressed with in the demos and what they would buy to solve an immediate problem. Is the immediate problem “can I quickly determine if I’m affected by a specific high-profile vuln?” Is it “can I meet a regulatory or insurance requirement to say I have SBOMs?” Something we don’t know about yet? And the immediate problems are different for the vendor customers and asset owner customers.
  3. A zag can work if well executed. Almost all of the ICS detection vendors pivoted quickly to asset inventory; Dragos didn’t. They stuck with a detection / threat intel / incident response focus in product, marketing message and team composition. And quite frankly their asset inventory was worse than many third tier vendors in the early years. They lost deals where asset inventory was the priority, and they won most of the deals where threat intel and incident response were the priority. They won not just because their product emphasized this but also because their team was superior in these areas. This clearly showed up in their marketing content and face-to-face encounters with prospects.
  4. Sales will determine early survival more than product, especially if the market grows. In the early years of the ICS detection market most of the competitors had impressive reference accounts. The founders and top talent went out and did the sales calls and pilot projects. They listened. They were flexible to meet the customer where they were with what they wanted. Many of the early wins involved some customization, especially support for some of the more obscure protocols or systems. The vendors were committed to getting these early wins and making the customer happy. The shakeout started when the market grew and the vendors had to deal with 10s then 100s of potential deals, demos and pilots. A lot of the wins, and losses, were determined more by who was in the room than the product. (My best example is below the line in this article.)
  5. An OT focus may be required to make early sales into OT. This is the lesson I’m most apprehensive about carrying over to the SBOM product and service segment. In the ICS detection space, all of the vendors positioned themselves as an OT solution (even though most of the R&D talent came from IT security). An approach of “we do IT and OT” lost to “we do OT”. Will this be true in the SBOM segment? I believe the vendor will need to demonstrate their OT bona fides; whether this can be done as a dedicated team that is part of a company servicing both IT and OT is yet to be determined. (Note: from a pure product development standpoint the difference in the solutions is minimal, primarily support for different OS and development environments that would be in Level 1 devices and IIoT.)

Some of these lessons are universal for any tech startup market, and the ICS detection market is only a near-term, market-specific example. In Part 2 I’ll break out how buying decisions may be made in the next 1 – 3 years in the OT SBOM space.


My best sales blunder example … the asset owner had purchased a product the year before for asset inventory and change management in OT. The team that had convinced senior management this was the right solution, and would be evaluated by its success, was also responsible for making the OT detection product selection. When asked if their detection product could integrate (send info back and forth) to the newly deployed asset inventory product, the detection vendor said the asset inventory product wasn’t needed because their product did that as well. The right answer, of course, was yes, because it could.

I tried to help out by asking again, pointing out that the asset owner was committed to using this newly purchased asset inventory product. The APIs existed and were there for just this type of integration according to the detection vendor’s marketing content. Unfortunately the sales team stuck to the line that this other product was unnecessary and shouldn’t be used. The asset owner was leaning towards selecting this vendor, and they lost the sale due to this approach, and failure to listen, in the final meeting.

Next Week: Part 2