Join us tomorrow for "Hacking Managed Services"

Super Cyber Fridays!
Join us TOMORROW, Friday [09-12-25], for "Hacking Managed Services"

Join us Friday, September 12, 2025, for “Hacking Managed Services: An hour of critical thinking about what questions to ask when you’re looking for a provider”

It all begins at 1 PM ET/10 AM PT on Friday, September 12 with guests Buddy Pitt, vCSO, Logically, and Jay Wilson, CISO and CIO, Insurity. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Logically

Defense in Depth
The Pattern of Early Adoption of Security Tools

Since we started the CISO Series, we've always known that selling cybersecurity products is quite difficult, especially when you're a young and unknown startup. Fortunately, large companies are often the first to adopt new solutions. When that happens, it becomes an attractor to smaller buyers. Unfortunately, enterprises are traditionally slow moving and risk averse. This creates a difficult break for market visibility and companies' willingness to purchase new solutions. How can and do small startups cross that chasm?

Check out this post by Ross Haleliuk of Venture in Security for the discussion that is the basis of our conversation on this week’s episode co-hosted by David Spark, the producer of CISO Series, and Edward Contreras, senior evp and CISO, Frost Bank. Joining them is CISO Series reporter and CISO herself, Hadas Cassorla.

Listen to the full episode here.

Security poverty line excludes SMBs

The cybersecurity industry has inadvertently created a two-tiered system. Small and medium businesses cannot access the same level of protection available to enterprises, despite facing similar threats. Patrick Garrity from VulnCheck identifies this as "more reflective of market failure to build products that scale across market segments. Organizations tend to choose to optimize for large enterprises and big deal sizes. Hence, the security poverty line that's been created due to these dynamics." This economic reality forces SMBs to operate with inadequate security while representing "a huge untapped market" for vendors willing to address their needs. But even if vendors move into that space, "Most SMBs cannot afford or understand the cost of cybersecurity. In addition, the value of security is hard to quantify as it doesn't matter until it does," explained Peter Ho from Prudential Financial. The result is a market structure where security vendors prioritize enterprises, leaving smaller organizations vulnerable until solutions eventually trickle down.

Skills gap and channel dynamics slow SMB security adoption

Small businesses often lack internal expertise and must rely on service providers. "Security solutions require very specific skillsets to deploy and manage properly. Most of the large enterprises have these skillsets in the house, however, SMBs lack IT resources that are trained in security," explained Akhilesh Dhawan from A10 Networks. This creates dependency on service providers, who don't make decisions solely on what would be best for their client. They have their own distribution channels that favor established relationships over innovation. Dawn Bradley from SecurityScorecard pointed out how "the VAR channel has changed in the last 20 years. Making it difficult for smaller cyber tech companies to gain traction and leverage the growth factor by using the channel. The big resellers own the enterprise and mid-market relationships and have a 'pay to play' mentality."

The startup disadvantage cycle

Analyst firms are designed to be a valuable resource, but they also have a broader influence on the market ecosystem. "Influential organizations like Gartner tend to focus on large vendors that can generate significant revenue and long-term partnerships. This dynamic puts startups at a disadvantage compared to large cybersecurity vendors," said Nikoloz Kokhreidze from Mambu. The consequences extend beyond individual company success to industry-wide innovation stagnation. When "innovation from startups may struggle to gain traction until bigger players catch up and potentially acquire them," the market loses access to solutions specifically designed for current threat landscapes. This cycle means "the most innovative solutions can't reach mass adoption, stifling the very progress needed to address evolving requirements and threats," added Kokhreidze.

Technology adoption flows from enterprise complexity to market simplification

The natural progression of cybersecurity innovation runs from solving enterprise challenges to broader market accessibility through commoditization and simplification. "New technologies come out to address threats/issues that the most sophisticated organizations face... the early buyers replace their home-grown hacks, then the capabilities become commoditized over time and down market," said Robi Papp from Upwind Security. Bryan O'Neil from runZero notes that while enterprises get this new tech first, they often limit it to smaller trials. Smaller organizations can move faster: "SMBs and mid-market companies can adopt early across a whole organization while still keeping the implementation and rollout to a simple scope vs. complex enterprise environments."

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, ThreatLocker

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Rob Teel, CTO, Oklahoma Department of Commerce.

Thanks to our Cyber Security Headlines sponsor, Vanta

Cyber chatter from around the web...
Jump in on these conversations

“US govt has given ICE the greenlight to deploy paragon spyware's graphite hack” (More here)

“The more I understand cybersecurity, the more I realize I don’t — is that part of the journey?” (More here)

“What’s the simplest hack or vulnerability that shocked you?” (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [09-12-25] Hacking Managed Services

  • [09-19-25] Hacking Critical Infrastructure

  • [09-26-25] Hacking Security Theater

 Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.