Analyzing 3 Cybersecurity Customer Segments: Is PLG Right for Your Business?

May 16, 2023

I hear a lot of conversation about product-led growth (PLG) in cybersecurity. Most of it is focused on a single question: “Can it work?”

It’s a good question. Few cybersecurity companies seem to have succeeded in using product as the main driver of growth to build a sustainable customer acquisition channel.

PLG can work in cybersecurity, but there are nuances to consider across different customer segments. Here, I explore three types of cybersecurity customers, namely people (B2C), SMBs (B2B), and enterprises (also B2B), and investigate what product-led growth approaches might look like in these segments.

1. Consumer-focused cybersecurity

Since security is something that everyone needs, one would think there would be high levels of adoption across consumer segments. But consumer adoption of security tooling continues to be low for a number of reasons:

Lack of problem awareness

The level of consumer awareness and understanding of cybersecurity is low. The overwhelming majority of people have an abstract understanding of cybersecurity and view it as an issue to be solved by organizations, not individuals.

Friction

Cybersecurity solutions have been known to add friction to otherwise simple processes and workflows. Password managers, multi-factor authentication, and the like are seen as obstacles that slow down normal operations and are therefore silently forgotten or openly sabotaged.

Price

Willingness to pay for cybersecurity solutions is low. Consumers have grown accustomed to business models that offer software for free, but most cybersecurity companies are unable to design revenue models around free products. This means that users are asked to pay for security, and paying for something that adds friction is a tough sell.

The takeaway: PLG is not a good fit for B2C cybersecurity

All this, combined with the fact that product-led growth assumes that users have a problem to be solved, and are capable of recognizing the value the product offers, makes PLG unsuitable for B2C cybersecurity solutions.

In the consumer market, security must be cost-free and frictionless for widespread adoption. I have a strong conviction that security will be integrated into consumer tools and technologies, rather than sold to them separately.

It remains to be seen how this market develops, but I bet on B2B2C solutions instead—business models where companies pay for security as a workplace benefit. Already, players like Agency, Enfortra, and IDX operate in this space. With the lines between personal and company security continuing to blur, I would anticipate this market segment to grow rapidly in the coming years.

2. Enterprise-focused cybersecurity

To understand how and if product-led growth works in enterprises, it is worth briefly examining the conditions and market factors at play:

A noisy market

The number of security vendors is growing rapidly, now approaching four digits. CISOs are overwhelmed with the number of startups competing for their attention and bombarded by the ever-increasing rate of cold calls, email spam, and other forms of outreach.

Constant security threats

And yet, security executives cannot simply ignore what’s happening. Organizations’ environments are becoming more and more complex and harder to defend, and the number of breaches is growing—trends that force buyers to somewhat tolerate the madness of the vendor market.

CISOs face competing priorities

Despite the need to purchase security tooling, CISOs are busy designing holistic security strategies, working on stakeholder alignment, coaching boards, and building relationships with other executives. Initial tool evaluation is increasingly being delegated to security practitioners.

Security practitioners are key influencers

A growing number of security practitioners are spending time tinkering with different tools, trying what’s out there, stitching open source tools to solve their problems, and staying active in the community. And, more and more CISOs are taking the recommendations from their team members who come with well-structured suggestions, rooted in their knowledge of the company needs: “I know we’re looking at X. So I’ve been playing with this tool and it seems to do what we need – how about we take a look?”

The takeaway: Bottom-up adoption works well for enterprise cybersecurity tools

It is becoming apparent that “Let’s get a CISO into a demo” is no longer a viable strategy. If the product can appeal to practitioners, and if the company can equip them with sales enablement to pitch the solution to their management, it may be possible to get bottom-up adoption.

In B2B enterprise sales, “product-led growth” is typically a form of free or limited trial that brings product-qualified leads to sales teams. It’s not a primary revenue generator, but rather a means for practitioners to try before they buy. Since most of the cybersecurity vendor market is B2B enterprise sales, this is likely the shape PLG will take in this industry.

In enterprise sales, any vendor will inevitably undergo a well-structured due diligence process. Here are the advantages of the bottom-up adoption approach:

  • Self-service. Prospects can conveniently try and test the product without having to talk to someone, benefitting both the prospect and vendor in terms of cost-effectiveness.
  • Validation. By the time the sales team is engaged, the prospect has done a basic validation and expressed interest in progressing.
  • Users become champions. If the practitioner likes the solution and wants their company to adopt it, they can be a loud proponent and a champion throughout the sales process.

3. SMB-focused cybersecurity

Until very recently, small and medium-sized businesses worried little about security. Even today, I commonly hear small business owners say, “We are small fish, nobody would go after us.” But with the rise of ransomware and, subsequently, insurance premiums, these attitudes are changing.

Like consumers, small and medium-sized businesses are not used to paying for security and software in general. They rely on free email, free tiers of productivity tools such as Asana, and even free collaboration platforms like Slack, despite their limitations.

For cybersecurity companies selling to SMBs, there are several challenges to overcome:

Market education

By definition, SMBs are small (typically around 10 employees), and so are their deployment sizes. PLG is a fitting approach here for two reasons: small business entrepreneurs are familiar with self-serve purchases, and deploying sales teams to negotiate contracts with a small number of users is usually economically unfeasible.

But the problem is that SMBs don’t typically understand cybersecurity, which makes it challenging for them to compare options and choose a solution on their own.

Pricing

Despite small sizes, SMBs can have high sales volumes and large numbers of customers, and with that, generate significant revenue. Think of a small e-commerce company with three employees and $25 million in sales—not an uncommon scenario. In this situation, cybersecurity companies have a lot to protect, but little to charge for unless they become creative in negotiating pricing.

Designing a pricing structure based on one metric alone (data ingested, number of users, etc.) can be much trickier for SMBs compared to enterprises, especially as their willingness to pay for security is typically lower than that of enterprises.

The takeaway: PLG approaches must focus on educating SMBs

These two challenges alone make the implementation of product-led approaches in cybersecurity difficult. Companies resolved to try PLG must invest heavily in education to make their solutions easy to understand and easy to compare. They must also offer greater levels of support to answer questions SMBs will inevitably have.

If done well, PLG can empower cybersecurity companies targeting small and medium-sized businesses to offer a fully self-serve experience. Unlike the enterprise segment, which I believe is unlikely to radically change its purchasing habits, SMBs have the potential to become savvy shoppers if provided with the right education and support.


Ross Haleliuk is an experienced product leader currently serving as a Head of Product at LimaCharlie. In his free time, Ross advises cybersecurity startups about product management and product-led growth, and shares his learnings in his blog at VentureInSecurity.net, on TechCrunch, podcasts, and other media.