The cybersecurity trends to watch next: Shadow Security - Selling to the User, not the Buyer

After digging into a passwordless future and supply chain security in previous installments of my VC Diaries, this episode explores the paradigm shift in the go-to-market of security solutions. Selling security has been around for decades, but the sales model has remained relatively unchanged with its sole focus on the CISO. But today, we see an emerging bottoms-up sales model that focuses on constituents outside the security org, leading to better product adoption and collaboration between security and other teams in the workplace. While the common approach is to focus on buyer concerns and motivations, it’s time to move the spotlight to someone who is just as important — the user, and why he/she is relevant to the selling motion of cybersecurity products.

A top-down approach of selling directly to executives works well for established brands such as Oracle, IBM, and Microsoft, but in recent years we have seen the success of bottoms-up adoption with products such as Slack, Zoom, Dropbox, and Asana. These solutions appeal directly to users, who choose to use these technologies instead of, or on top of, what’s offered by IT. The result is a new reality which management cannot ignore; in fact, about 50% of corporate technology spend comes from budget outside IT [1]. This phenomenon, known as “Shadow IT”, used to create clashes inside the org but is now considerably better integrated into workplace dynamics. Instead of enforcing technologies and paying for adoption, integration, and maintenance, execs now build on top of adoption that is created organically within the org. Put in different words: happy user, happy company.

This bottoms-up approach has also produced successful companies in the IT infrastructure and Development categories such as GGV portfolio company HashiCorp, as well as MongoDB, Elastic, Confluent, and Kong, to name a few. These companies help customers modernize and enhance their IT infrastructure dramatically through products that are first adopted by DevOps and developers, but are eventually purchased by a different stakeholder within the organization. This adoption model has been proven successful with extremely efficient sales fueled by viral and inbound marketing.

So, can bottoms-up selling work for security solutions as well? I believe so, thanks to two related undercurrents. First, the CISO’s role has evolved in recent years. Previously, the CISO’s primary goal was to reduce risk, and as a result the introduction of new technologies was slow. Today the CISO’s #1 priority is productivity: allowing the organization to be agile and move fast, in a secure way. Therefore, the modern-day CISO is much more receptive to what users think, and will often prioritize solutions that have been advocated from within. Second, security solutions today are often used by constituents outside the security group, creating a degree of separation between the buyer and the user. Solutions such as Endpoint Protection that can slow down machines, or Network Access Control that can block legitimate operations and send users spinning, can lead to a long sales cycle, difficult implementation, high support costs, and organizational rifts. Now, let’s combine all of those into a scenario: a marketing group is adopting a security solution to protect its marketing assets. The team loves it and wants the CISO to endorse it. This organic bottoms-up dynamic has just dramatically shortened the road to a “yes”.

If this bottoms-up sale seems like a one-off example, here are several cybersecurity areas that can benefit from selling to the user and not directly to the buyer, the CISO:

1. Application Security: As developers take more ownership over the applications they build, security must be implemented as a simple, educational, lightweight tool that augments developers instead of a chore that slows them down. Therefore, developers are perfect candidates to take ownership and utilize security solutions in the development lifecycle, way before the CISO gets involved.

2. Remote Access: The hybrid and multi-cloud reality has opened the door for employees to connect to dispersed services in various locations from anywhere around the globe, and from any device. There is a great opportunity for security solutions to be sold to users in different company departments, helping them break free from the VPN chains and seamlessly access company resources.

3. Brand Protection: Manipulative online campaign attacks carried out by bot fleets can inflict substantial damage on a company’s brand, affecting its public perception and revenue. Therefore, security tools that allow brand and marketing teams to respond to and mitigate such attacks are likely to be in higher demand.

4. Identity and Access Management: Okta and Duo were pioneers in focusing on end-user experience as a driver for their sales strategy. There is a great opportunity not only for the security group, but also for other company departments, to reduce password use and improve productivity in their day-to-day operations (see my previous post for more on a passwordless future).

As a final thought, I don’t believe a successful bottoms-up GTM approach must get every employee hooked. But it has to focus on creating an elevated end-user experience that will result in a warm embrace by the relevant business groups. Just like with Shadow IT, where employees and managers spend money on technology because they see exciting opportunities to improve the business, I believe there is great potential for “Shadow Security”, where employees seek out technology to identify and protect their corporate assets. Vendors who recognize the power of these constituents are on a path to a tremendously efficient sales process and great growth in the crowded space of cybersecurity.

[1] IDC, Technology Purchases Funded by Line of Business.

VC at GGV Capital focusing on enterprise software. Ex Chief Security Officer at Clicktale. Always a tech enthusiast.