What cybersecurity founders should know about marketing
Part 1: Most buyers aren’t in-market… act accordingly
I wanted to write an article for cybersecurity founders to help them understand what marketing can and can’t do for them.
Nearly 4,000 words in, I realised it would need to be a series.
This article takes a simple truth — that most of your potential buyers aren’t in-market right now — and explains the implications for business growth and effective marketing.
In future articles, I’ll cover more exciting topics. But as Dale W Harrison points out:
“Nothing in marketing makes sense except in light of the 95:5 rule.”
With that, let’s get to it.
The 95:5 rule: Most buyers aren’t in-market
The 95:5 rule states that during any given period, only a small fraction of buyers in your market (usually ~5%) are in-market to buy whatever you sell. The rest (~95%) are not.
The precise ratio can be calculated if you know two things:
The inter-purchase period. How frequently the average buyer is willing to enter the process of making a purchasing decision.
The decision period. How long the average buyer takes to decide.
The inter-purchase period is not the same as a typical contract length. Many buyers prefer to continue using a somewhat sub-optimal solution rather than engaging in a costly, time-consuming, and politically charged purchasing process.
Similarly, the decision period is not necessarily the same as your sales cycle, since some of the decision work will generally happen before you’re aware an opportunity exists.
Also, note that decision periods don’t always end in a new purchase. Research suggests that >40% of purchasing processes end in no decision. I suspect that buyers with an existing solution in place — as opposed to new entrants to a market — are disproportionately represented in these non-decisions, but that’s based on anecdotal evidence only.
Moving on.
If you know the inter-purchase period and decision period for your market, you can calculate the ratio very easily using this formula:
(Decision period ÷ inter-purchase period) × 100
For example, if the inter-purchase period is five years (60 months) and the decision period is one quarter (3 months), you get:
(3 ÷ 60) × 100 = 5%
Here, the ratio plays out perfectly: 5% of buyers are in-market this quarter, while 95% are not.
You may be thinking: “Well, you just chose those numbers to make the formula work,” … but they are the real average figures for B2B SaaS. They also play out pretty accurately for many cybersecurity tool vendors, and I can personally attest to that.
Naturally, the precise ratio varies depending on what you’re selling. If you sell security testing services, both the inter-purchase and decision periods could well be shorter. If you sell hardware, I’d expect the inter-purchase period to be longer, but I can’t verify that from personal experience.
If you don’t know the inter-purchase and decision periods for your market, the data is often available from analysts, or you can estimate using your own historical data and customer knowledge.
The 95:5 rule is the brainchild of John Dawes of the Ehrenberg-Bass Institute. You can read a reprint of his original article here. I learned most of what I know about it from Dale W Harrison, who has written extensively on the topic. This LinkedIn post of Dale’s provides an overview, plus a mathematical formula to calculate inter-purchase period using average annual churn rate.
You cannot make buyers come in-market
Entering a buying process sucks, particularly for high-priced solutions. It’s expensive, time-consuming, and depletes hard-won political capital. Worst of all, a buying process that “goes bad” (e.g., due to a failed implementation or a solution seriously underperforming) can be career-limiting for those involved.
Given all this — plus the fact that buyers are generally much less interested in your solution category than you are — do you really think some ninja marketing or sales tactics on your part will be enough to convince buyers to engage in a purchasing process that they weren’t already considering?
Now, of course, there are fringe cases. People do weird things from time to time. An organization that bought a new tool last year might be so frustrated that it’s already willing to engage in a new purchasing process.
These cases are still covered by the 95:5 rule. Why? Because the inter-purchase and decision periods are averages. An average inter-purchase period of five years allows for one organization to purchase four times in a decade, while another sticks with the same vendor throughout. Statistically, these cases fall within a normal distribution.
Even if they didn’t, we aren’t interested in fringe cases. That’s not how you’re going to hit your growth targets. Your approach to business and marketing should coincide with how most potential buyers behave, not how individual organizations behave.
Crucially, even when buyers do strange things, they don’t do it because a vendor told them to. They do it because they perceive a purchasing process to be less painful than whatever fallout they are currently experiencing. They may or may not be right about that, but they’re willing to roll the dice.
Note: What I’ve just said is a somewhat unpopular viewpoint. While things are finally shifting, the cybersecurity industry has been buried in “demand generation culture” for some time. Still, the fact that — across a market — it’s impossible to influence how frequently buyers buy is borne out by enormous quantities of real market data.
Okay… so what?
First, founders (and marketers) intuitively understand that not everybody is in-market.
If a prospect just bought from your competitor last month, there's nothing you can do to convince them to buy from you today… unless they've had such a terrible experience that they are willing to go through the painful process of replacing their purchase already (not likely).
Still, many cybersecurity vendors act as though they don’t know this. They pile resources into short-term performance marketing campaigns while ignoring the rest of the market.
But we’re not going to do that. We want to understand what marketing can and can’t do, so we can act accordingly.
There are several implications of the 95:5 rule. For now, we’re going to focus on two of them:
It helps vendors set reasonable expectations for growth
It should inform the way vendors approach marketing operations
Let’s go.
The 95:5 rule helps us set reasonable expectations for growth
The obvious implication is this: you can’t win more deals than are available during a period.
In reality, it’s tough to win more than your share — dictated by your market share — of those deals.
You may be able to boost your win rate for buyers who are in-market (within reasonable limitations). But you can't expect to win more than a percentage of the available deals within a period.
Let’s look at some numbers, using the same five-year inter-purchase period and three-month decision period.
If your TAM is 10,000 accounts, 5% (500) will come in-market this quarter, plus any new accounts entering the market. If you simply maintain the status quo, you’ll win a proportion of these accounts equal to your market share.
3% market share = 15 + 3% of new entrants
6% market share = 30 + 6% of new entrants
10% market share = 50 + 10% of new entrants
In this case, we can multiply the result by four to get an annual figure.
Note: TAM is not just organizations that have or plan to buy your specific product type. It’s all organizations that experience the category of problem you solve to a degree that it’s worth expending resources on a solution. Security testing providers, in particular, will know there are many ways to skin a cat. In reality, you’re competing with a range of solutions, often including home-grown tools and systems.
At this point, you might be thinking…
"But our win rate is higher than 3/6/10%"
I'm sure it is. Claimed win rates vary enormously — it should be easy enough to calculate yours. These figures don't reflect poor sales performance. They reflect that with a small market share, your sales team will not gain access to a large proportion of the accounts coming in-market.
For example, if you have 6% market share and your win rate is 20%, you're gaining access to 30% of opportunities (150 accounts) and closing 30 of them.
This follows the Rule of Market Share, which is explained very nicely by Dale W Harrison in this post.
If you follow this to its logical conclusion, you’ll notice large companies tend to win at every level:
They have access to a higher proportion of accounts entering the market
They win a higher proportion of the accounts they compete for
They win accounts with less relative effort
…and they do all of this while (usually) charging a higher price. Why? Because one of the greatest benefits of a strong market position is reduced price sensitivity, which I’ll write about in the future.
Story time: The joys of selling for IBM
Around 2016, I met up with some clients at InfoSec Europe. Among them were two senior sales guys who had worked together at IBM and were now heading up sales for a cybersecurity startup.
They described the effort required to close deals at their current company, which was significant and time-consuming, and compared it to their experience at IBM:
"We used to turn up and say 'Hi, we're IBM'. That was usually enough."
This is an extreme example. We’ve all heard the phrase “nobody ever got fired for buying IBM” and understood the implications. But just because IBM is an extreme example of market position (and brand) doesn’t mean we can’t learn something from this.
Specifically, this: your success in a period isn’t based on your marketing effectiveness during that period.
If it were, IBM would do no better than any other vendor. Instead, success is based on your business and marketing effectiveness in previous periods — the longer you’ve been going, and the more success you’ve had, the more deals you’ll win, and the more easily, as they become available.
IBM has 124 years of repeat exposure, product use, media prominence, and promotion under its belt. This is what marketers mean by brand, that sense of significance in an average buyer’s mind. If you don’t have it, you’ll forever be fighting tooth and nail for a small proportion of deals.
We see this happen constantly in cybersecurity.
If you’re in the endpoint protection space, you’re up against Microsoft, CrowdStrike, SentinelOne, and Palo Alto Networks — all companies with substantial market position and brand recognition.
Does that mean you’re doomed to languish in insignificance forever? No.
But it does mean you’ll need to do something significant — and be patient — if you want to grow your market share in a space they currently dominate.
The reasonable response: Market to the 95%
The 95:5 rule gives us a picture of how a market works and an indication of our likely success in a period.
If we want to do better than that, what options do we have?
Gain access to more of the opportunities coming in-market
Improve our win rate
Preferably, both.
Can you win more accounts by becoming considerably better at performance marketing and sales? Yes, to an extent, but there are hard limits on this… and a strategy that revolves around sales excellence is unlikely to be scalable. If every opportunity requires a huge amount of sales effort, you’ll still get crushed by larger competitors who don’t have to work so hard.
What’s the alternative? I’ll get to that. First, we need to consider how buyers make decisions.
Not all buyers follow the same process. Suggesting they do would be absurd. Still, there are commonalities that we can learn from and account for.
When a buyer comes in-market for a high-priced solution to a painful problem, their first step will generally be to create a consideration shortlist. Think of this as their “day 1 list”.
This might be delegated to someone other than the decision maker… or not.
There may be research involved in the shortlisting process… or not.
They may reference Gartner MQs… or not.
You can’t influence any of this. It happens before you’re even aware an opportunity exists.
The important thing to remember is that if you’re not on this list, there’s a very high chance you won’t be getting that sale. Even if research is involved in creating the list, buyers will generally prefer vendors they already know.
I have a little insight here that might interest you.
Story time: Young Pete’s first lesson in professional risk
A long time ago, I worked for a large government organization in the UK. I spent two years in procurement, followed by two years as an IT project manager. During those years, I helped design the procurement model for large purchases, was on the buying group for a VERY large financial services contract, and was later responsible for several large IT system purchases.
Here are a few things I learned:
Buyers don’t want to add extra vendors to their consideration set — it adds more work.
The personal risk associated with major purchases is real.
Even when buyers use a points system vs. features to select a vendor, those systems are often “stacked” so the preferred vendor wins.
Here’s the thing. If one of the purchases I was responsible for had “gone bad”, there’s a very high chance I would have lost my job. At the least, it would have seriously harmed my career prospects.
Even as a clueless twenty-something with a high risk tolerance, I was acutely aware of this. I was far better off selecting a safe-but-sub-optimal solution over a potentially better but high-risk option.
Guess what I did. For the most part, I chose the safe option. I took one major risk, which thankfully worked out. This is a whole story, which I may tell another time.
Why is this important? Because it forces us to consider…
How to be considered by more buyers
So, we’re trying to gain access to more opportunities. To do that, we need to be on the day 1 list. How do we do that?
Simple: buyers must know who you are AND mentally link you to their category of problem.
This is where marketing to the 95% of accounts that aren’t in-market comes in. Specifically, we need marketing that creates long-term memory structures that link your company to the types of problems you address.
To understand how this works, we’ll turn to Les Binet and Peter Field’s book The Long and Short of It.
Note: I’m only covering Promotion here, and in a very simplified way. Product, Price, and Placement are all crucial, and they only become more important as your company grows. Still, since everyone loves Promotion so much, I thought I’d start here.
The first thing to understand is that long-term marketing effects are not an accumulation of short-term effects.
Short-term campaigns are generally fact-based and target logical thinking patterns. That’s System 2 thinking for fans of Daniel Kahneman. This works well for performance marketing designed to capture in-market buyers… but very poorly for instilling long-term memory structures. In practice, that means performance marketing does a poor job of helping out-of-market buyers remember who you are when they eventually come in-market.
Long-term campaigns are less factual and more emotional. They appeal to Kahneman’s System 1 thinking, and (with repeat exposure) are much more effective for building long-term memory structures. These campaigns produce some short-term effects, but are much more effective for producing long-term effects that build over time — particularly six months and up. Note that “appealing to emotions” does not have to mean FUD.
Source: The Long and Short of It, Les Binet and Peter Field
The graph above — reproduced with the author’s permission — shows two things:
Short-term rational campaigns are useful for short-term sales uplift, but do not compound over time to produce long-term sales uplift.
Long-term emotional campaigns, on the other hand, do compound over time, resulting in long-term sales uplift.
The “crossing point” between short- and long-term campaigns is around six months. So, if campaign performance is judged over less than six months, rational campaigns will appear more successful. However, over the long term, emotional campaigns are almost twice as likely to produce substantial profit growth.
We need both.
Even when buyers know who you are and link you to their problem category, they still need prompting. Short-term performance marketing is intended to influence buyers as they come in-market, and it’s markedly more effective when buyers have been “primed” through repeat exposure to long-term brand marketing campaigns.
Notably, companies should try to reach their entire market with long-term campaigns, while short-term campaigns are generally more targeted.
In The Long and Short of It, Field and Binet recommend a 60:40 budget split between long-term and short-term marketing. In more recent research, they concluded an ideal split may be closer to 50:50 for B2B companies.
That’s how your company can be considered by more buyers as they come in-market. But how do we get them to choose you?
Becoming a “safe option”?
Never underestimate the importance of being a “safe” option for your buyers.
Bad purchasing decisions torch hard-won political capital and can be career-limiting for buyers. Unless your product is low-cost (and there’s more to cost than sticker price), most people won’t be interested in “giving you a chance”.
So, what makes you a safe choice?
Size is a good start. The larger you are, the less likely your solution will be bad enough to explode in the buyer’s face. But buyers don’t look up financial statements to figure out which vendors are the biggest. Instead, they use a heuristic: how often they hear from and about you compared to your competitors.
Marketers refer to this as your Share of Voice (SoV). Field and Binet define this as:
“[your] brand’s share of total communications expenditure by the category.”
There’s a bit more to it. If you completely waste your communications budget, you aren’t achieving a commensurate SoV. Conversely, if you’re talked about a lot (and positively), you might achieve an outsized SoV compared to your spending. But all else being equal, it’s about your comms budget.
Now the fun part.
If you can achieve Extra Share of Voice (ESoV) — that is, SoV above what would be expected for your market position — you can signal to buyers that you are more significant than your market position suggests. In fact, they don’t know or care what your market position is in reality. They assess your significance based on your SoV.
The formula is simple:
ESoV = SoV - Share of Market (SoM)
If you have 10% SoM and achieve 20% SoV, your ESoV will be:
20% - 10% = 10 percentage points of ESoV
Field and Binet found that sustaining 10 points of ESoV will drive 0.5 points of SoM per year. So, if you have 10% SoM and sustain 10 points of ESoV, you can grow to 10.5% SoM after one year, 11% SoM after two years, and so on.
Over time, you’re slowly capturing an increasingly large proportion of in-market accounts. In a large and/or rapidly growing market, this can result in significant business growth.
You should aim to achieve ESoV across brand and performance marketing. Again, we’re looking to build awareness with buyers before they come in-market AND give them a nudge when they come in-market.
Note: There’s a lot more to this topic than I’ve explained here. If you want to know more, I strongly encourage you to read The Long and Short of It by Les Binet and Peter Field.
Achieving ESoV often requires segmentation
If you’re thinking “achieving ESoV sounds expensive”… you’re right. Achieving 10 points of ESoV as a vendor with 10% SoM means spending double the amount.
This is an argument in favour of segmentation and targeting for smaller players within a market. Realistically, it’s very costly to maintain significant ESoV across the entire market, particularly if you haven’t been funded to the gills.
This is a big topic. In simple terms, you’re focusing your efforts on a segment of the market that’s large enough to satisfy your growth objectives but small enough that concentrating your spending will allow you to achieve significant ESoV.
The elephant in the room
You’ll note that the promotional programs run by most cybersecurity vendors look nothing like what I’ve described here. Most are all-in on short-term performance marketing with occasional nods to brand marketing that are really performance marketing in disguise.
It’s tough to go against the flow, but it is your best bet for long-term growth.
Keep the 95:5 rule in mind. Market both to the 95% of buyers who aren’t in-market and the 5% who are. Remember, you’re trying to gain access to a higher proportion of available deals and improve your win rate… without relying on repeated heroic sales efforts.
I have nothing against salespeople. I know and have worked with tons of great sellers. But a business strategy that demands continuous and outstanding performance from every member of its sales team is just not scalable.
Final caveat: When it is all about sales
If you’re a very early-stage startup with no brand awareness and limited funds, you will naturally lean more heavily into generating immediate results. That generally means short-term performance marketing, high sales effort, and leveraging founder relationships.
Still, don’t completely take your eye off the long-term. Once you have a foothold, you must invest in long-term marketing if you want rapid growth.
That’s the reasonable approach to growth. But…
What if I don’t WANT to be reasonable?
Now we’re talking.
Very few of the cybersecurity founders I’ve met started their company with the dream of retaining a small market share year after year. Actually, I’m not sure I’ve ever met a founder who wanted that.
Usually, their dreams involve disruption, rapid scaling, and other high-energy phrases.
So… how does an account acquisition rate in line with your market share sound to you? Is that enough to satisfy your growth targets?
In a stable market, probably not. In cybersecurity, it may be, because the market growth rate has historically been very high. If your market is growing at 10% YoY, you can retain exactly the same market share while also growing at 10% YoY.
On the other hand, growing at a rate higher than your market share — which is the same thing as growing your market share — is slow, difficult, and expensive. It can be done, but change at this level takes a long time to play out.
So, what are your options?
As Mats Georgson is fond of pointing out, there are examples of companies that grow faster than we can explain using marketing theory. Not just that, they’ve done it without spending outrageously more than their competitors on promotion. You can see Mats’ analysis of 150 companies that fit this description here, and I’d encourage you to do so.
There are five cybersecurity companies on Mats’ list, but there are many more examples of rapidly growing cybersecurity companies. Richard Stiennon’s Cyber 150 is a good place to start.
What are these companies doing? And can we learn anything from them?
I’m so glad you asked. I’ll be back and writing about precisely that topic… soon.