As I wrote two weeks ago, in the medium to long term the winners in the OT SBOM market will be those who can effectively play the SBOM/VEXie middleman between vendors and asset owners. The ability to create SBOMs won’t be a determining factor. But competitors need to make it to the medium to long term. Last week I looked for lessons learned from the OT detection space. This week’s article closes the series with a look (an educated guess?) at what will determine the near term winners in the OT SBOM product/service segment.
Market Segment Focus
First, like the OT detection market, the OT SBOM market will require an OT focus in the early years. Even if the technology may not require this, the culture, marketing and sales will. OT still believes it’s a special flower. At this early stage, OT SBOM products and services will be dominated by those that treat the OT world like it views itself.
Second, the winners will focus on a small number of industry segments. This was not difficult in the early OT detection days as most of the interested parties were in the electric and oil/gas sectors. 2022 is different than 2016 with significant OT security interest also in water, food and bev, chemical, maritime, etc. Each one of these sectors has its own terminology, consequences, trade shows, and media. Small competitors can try to take them all on, answer every call, and do it poorly. The better strategy is to focus on two or three and tailor all the messaging and efforts on those. Let those sectors know “we get you.”
Executive Led Brand Awareness
Who is going to be the executive that is quoted in every article, gives compelling keynotes and interviews, woos the VCs and CEOs, uses their charisma and knowledge to win key reference accounts? It’s likely to be more than one person and less than five. Right or wrong, competence by the team and product is necessary, but not sufficient to make it through the early days.
Not only does this win the deals, it also provides cover for the person who selected the company. The executives and board who eventually ask about this will be comforted that they are with the company they read about as one of the market leaders every time the topic comes up. It’s a flywheel.
Statement Win: I Have A SBOM
As noted in my article two weeks ago, this will be table stakes. In the short run, there could be RFPs with bake-offs to see who can create the more accurate SBOM. This assumes that the asset owner is able to understand what the correct SBOM is.
There is also the chance that previous experience with a vendor solution could give a competitor an advantage. The early competitors already have a number of SBOMs in their arsenal from previous projects and work. (Who has the right to this data is often an interesting discussion.)
Given the growing attention to supply chain concerns in general and requirements for SBOMs in particular, some asset owners will view it as a win if they can state they have SBOMs for their most critical OT cyber assets. Even if it doesn’t drive any action. Going back to the OT detection market, being able to say an OT detection capability exists, even when it wasn’t used / didn’t work, was a win.
Real Win: Quick Answers To The Next Log4j
What will be the actual near term win? Similar to OT asset inventory in the detection space. I’m not sure, but my best guess is being able to answer quickly and with confidence the next time there is a disclosed vulnerability where everyone is scrambling to determine if they have Log4j or SolarWinds or whatever will come next.
It likely won’t be a question where the answer affects risk, but it will be asked. If those responsible for OT security can answer this quickly it’s a win.
Asset Owner Reference Accounts and Vendor Partners
Early asset owner reference accounts should not be difficult for the founders and early employees to obtain. Achievable, as they find possible reference accounts and then go all out to mold their offering to their exact needs to win the account. As noted last week, even tier 3 OT detection vendors had impressive reference accounts.
Vendor partners are tricky. There is great temptation as the marketing win is immediate and the sales potential can be huge. Imagine if a Siemens, Schneider Electric or Emerson said all asset owners who wanted SBOMs needed to go through an OT SBOM vendor’s portal. Or even if one of these vendors just relied on the OT SBOM vendor to create and maintain the SBOMs in the two major formats.
Most of these partnerships bear little fruit and can be huge time sucks. Temptation to get the early wins can result in pricing that, even if the partnership does scale, means that there are more money-losing sales. A hug of death.
Or they could result in a big investment or even acquisition. High risk, especially if a substantial part of the team’s stretched effort goes into the vendor partnership.
The competitors will need to determine where they put their resources over the next 1 to 3 years. What’s the right mix between asset owners and vendors? Does one competitor zag and take a vendor focused approach?
There have already been multiple seed, A and B rounds in the OT SBOM space. The ability to raise the right amount of money at the right time will affect the ability to hire and achieve operational excellence.
It’s important to note in these early rounds that too much VC money can be a trap. For example, Claroty’s $60M Series B round may have been the beginning of their troubles.
Ramping Up Operational Excellence
When the demand increases, who will be able to hire, handle the sales inquiries, demos, pilots, and tech support well? A single sentence, but the item that crushes many competitors who have a good initial team and product.
In many ways this list is like any other technology market. Funding, reference accounts, niche focus, marketing, handling growth, … I look forward to seeing how these intrepid entrepreneurs do in this new and exciting product segment.
Next Week: OT Cyber Security Regulation (if I were omnipotent)