Don't call yourself a 'security' company (or a 'data' company)

I often pick on security companies for having undifferentiated positioning. Generally speaking, security products are among the worst offenders, but I’ve met enough ‘observability’ or ‘data’ companies to know that they aren’t the only ones. Don’t be a ‘data’ company, any more than you should be a security company.

These are broad categories. If you help users and customers improve their security posture, then yes, you are broadly playing in the security space. I’m not suggesting you should re-position your security product as a developer productivity tool (although in many cases, these two goals are in fact achieved by the same product). What I am saying, though, is that you need to be very, very specific about your value proposition.

When we talk about positioning and re-positioning products, we can be talking about completely changing positioning (that would be going from a security product to a productivity product) or simply improving and refining positioning, by which I mean getting more specific about which parts of the problem you intend to address, but not fundamentally changing the problem you’re addressing. Both are extremely valuable, but in my experience it’s the specificity that companies struggle with most. Even if you were to change your positioning from a security tool to a productivity tool, for example, the next step would be to get really specific about which part of the productivity puzzle you intend to solve. Because calling yourself a productivity tool is just as vague and ultimately meaningless as calling yourself a security tool.

Back to my beef with security products. I suspect we actually need more, not fewer, security products. But we need fewer companies calling themselves ‘cloud native security’ or ‘Kubernetes security’ and then expecting everyone to get it. Security is very complicated, involving everything from password hygiene to locking doors to post-incident forensics. No tool or platform or framework will ever accomplish it all, and security pros (as well as reasonably savvy engineers of any stripe) understand that. Calling yourself a security platform just comes off as confusing — and ultimately makes the company sound naive about how complex security is.

So the bottom line: be specific in your positioning. Be an open source software supply chain vulnerability scanner, or a software bill of materials compliance tool, or AI-powered incident remediation; don’t settle for a generic ‘cloud security’ position.

Emily Omier