Customer segmentation - a model for cybersecurity market


Cybersecurity is a very attractive market these days, and at the same time, a very crowded and competitive space with many investors trying to understand the sources of growth and hundreds of startups are looking for strategies to ‘sell to the enterprise’. Working with some of them, I’ve realized that the source of truth for investors and the root cause of challenges for startups is the same and comes from market segmentation. Wrong segmentation is the most common cause of growth challenges and lack of desired profitability. Because of it, useless features and capabilities are developed, marketing budgets are wasted and sales targets are missed.

In this article I will share with you a segmentation model that I consider should be used as a starting point for all companies that address the cybersecurity market. I found it to be a good predictor of future profitability and a great model to uncover the main reason of growth challenges. Usually, the dimensions used to segment the cybersecurity market are size, with the 3 main categories: small business, mid-market and enterprise, and industries or verticals like finance, telecommunication, government, education, service providers, etc. But actually, not the size nor the industries are the factors that drive companies' cybersecurity behavior. At least not directly. You can easily find companies of similar size in the same industry having different cybersecurity behaviors. Those different behaviors trigger different needs in terms of tools, features, processes, knowledge etc., and those needs are many times divergent. Therefore, I do not recommend looking at the cybersecurity market from industry and size perspectives as you will end up striving to meet divergent needs.

So, if it is not size or industry, what are the factors that directly influence the cybersecurity behaviors?

Of course, there are many and no ‘one model’ can capture the entire complexity but, as usual, some models are useful.


After reviewing more than 1000 case studies, customers feedback and buying decisions criteria, I identified some behavioral patterns that can be grouped in a 4x3 matrix and form 12 distinct market segments using two dimensions that are easy to evaluate without having inside knowledge: Risk level and Net Profit Margin.


The Net Profit Margin of an organization is easily determined but the risk level is a different story. Many factors influence it and most of them are quite subjective. Anyway, two of them are more important than the others and we will just consider those. They are “the business impact of a breach” and the “probability to be targeted” and with these two, we define the risk levels. Low risk = low business impact + low probability to be targeted. Medium Risk = High business impact + low probability to be targeted or vice versa High Risk = High business impact + high probability to be targeted Critical risk = 100% Targeted As a rule of thumb, companies that build a business model focused on one of the segments (product/services and the business model) grow much faster than the market and have a better ROI, companies that try to cover all of them waste resources, struggle and ultimately fail in most segments if not in all. George E. P. Box said all models are wrong, but some are useful. I consider this one to be useful as a starting point for cybersecurity market segmentation initiatives and to identify the root cause of lower-than-expected results. It is easy to use by anyone with some knowledge about the cybersecurity market and it should be one of the ‘must-use’ models for product/marketing managers.

Sales and marketing effectiveness start with the right market segmentation.

If you need support to build a complete segmentation model specific to your organization, you can always get in touch with us.

Written by: Radu Mesa

Recent Posts

See All