Launch of LOCH Technologies

I have been talking with Garry Drummond, founder of LOCH Technologies, for several months. We finally used the news of an upcoming name change and re-launch as a good reason to get together and record the interview below. LOCH is all about radio frequency security, a realm that has expanded well beyond the various flavors of wifi networking evoked by LOCH’s previous name, 802Secure.

The Internet of Things, from cars to drones to industrial control systems, introduces an even greater need to understand what sort of devices are talking over the airwaves in your environment. Discovering all these devices is the first step in understanding what they are doing, how they are connecting to your networks, what data they may be transmitting, and what risk they pose.

Watch the interview to see how to introduce wireless security into your security infrastructure.


IT-Harvest Methodology

This is how I conduct research. Consider it a continuation of the guidance provided in Curmudgeon.

When I first joined Gartner in 2000 my only experience with its research was the feed available from DataQuest. I assumed, as an analyst, that I could glean complete information about my research area from this division of Gartner. That was not the case at all. I would ask for “all the IDS vendors” and get data on companies that did not even have IDS products. The problem was that the data was being collected by “researchers,” not analysts.

I have since found similar issues with data from just about every source, including Pitchbook, CBInsights, and even Crunchbase. One problem is that they rely on vendors’ self-reported categorization. The other is that they do not scrub vendors from their database when they go out of business or are acquired. A typical search on “cybersecurity” reveals a list of 6,000+ vendors. After cleaning them up I usually find 2,000 that qualify as vendors of products. Many of the others are consulting firms, resellers, and distributors.

To be added.

So here is how I do it:

Finding vendors.

I have been collecting data on vendors since 2005, so I already have a large list. I build out the list by:

- Tracking exhibitors at conferences around the world.

- Making notes of when my Linkedin contacts join a vendor I do not know or launch their own startup.

- Most vendors in my space eventually reach out to me via Twitter, if only to follow. I add them to a running list of new vendors to track.

- PR firms will reach out with press releases about new funding rounds or briefing requests from new vendors.

- We email several thousand vendors each year to ask them to check their listing in the Directory with the tool we created.

- As a contributor to Forbes I am on a lot of press release distribution networks.

- I review all the infographics created by other firms. It is a strain on the eyes to look at a couple of hundred logos, but I check each one against the database using this tool. I never agree with the categorizations, and they always include consultants and resellers.

What data to collect?

I built my database to assist me in my research. Before a client call about a particular sector I pull up the list of vendors and review them. During the call I can help a client pick vendors to short-list, or a vendor client may be looking for acquisitions and need the list for their own research. So what data is useful and verifiable? If you purchase the Cyber Threat Intelligence Market Research Report 1H 2020 you get all the data I use in a downloadable spreadsheet. It includes:

- Company name, address of HQ, and names of key executives.

- Date of founding.

- Total venture investment.

- URL of company website (you would be surprised how hard it is to find this for every vendor).

- URL of Crunchbase listing.

- URL of company Linkedin page.

- Number of employees for each quarter starting January 1, 2020.

I find that much can be learned from tracking the number of employees at every vendor. You get an immediate picture of vendor health and relevance. A 20-year-old firm with two employees is probably a sole proprietorship. A two-year-old firm with $20 million in funding and steady growth of 50% in number of employees is on a roll. A sudden quarterly decline is a red flag to be investigated.

What to do with the data?

I assume that something I find valuable must be valuable to others. This year I published all the vendors arranged by country and category in Security Yearbook 2020. It makes a convenient desk reference and early reports from CISOs tell me they are using it for vendor selection. (And no, there is no ebook version. Every Kindle book I publish gets pirated. I am not going to give away a directory that I have worked on for years and invested tens of thousands of dollars to create.)

With granular employment numbers for thousands of vendors, which I have categorized, I can now report on the growth or decline of any category. The market research report on cyber threat intelligence is just the beginning. I am starting on the Deception space next, followed by Remote Browser Isolation, two small but growing sectors with amazing technology.

Are there any other sectors I should prioritize? I am reluctant to tackle IoT security because there are so many participants (over 120 vendors).

Can you think of any other data to collect? Data that does not depend on the vendors’ self-reporting? I would love to track all the conferences each vendor exhibits at. That is a great indicator of marketing commitment. I could also grab the CEO rating from Glassdoor. Perhaps website ranking? Let me know!

This post was originally published on The Analyst Syndicate website.

Vendor Viability: Four Step Checklist

A sudden drop in employment is a very bad sign.

I thought it would be valuable to describe how I do fast vendor evaluations. Practically every day somebody reaches out over Linkedin to ask my opinion on the prospects of a particular company. Unless I have been briefed by or worked with the vendor recently, I run through this process.

I also do this for every single vendor in the Directory published in Security Yearbook. The current Directory has 2,337 vendors in it. I have a month to review 900 additional vendors my team has identified as potential candidates for inclusion.

I use vendor headcount as the basis for a bottom-up analysis of market segments. See the just-published Cyber Threat Intelligence Market Research Report 1H 2020.

Here is the checklist:

Step 1. Check the vendor’s Linkedin page.

Linkedin has become one of the most valuable tools for evaluating vendors.

Look for the number of total employees. This includes advisors and board members, yet it is usually within 3-4 of the real number. If there are two employees listed it is probably very early stages or a side gig for the founder. Check the founder’s profile. If they are an industry veteran with successful past exits it may be a vendor worth following.

If there are more than 25 employees, Linkedin will provide a timeline of employee numbers going back two years. Click on “Insights” to see that. (You have to be a Pro Linkedin subscriber.) A viable vendor is probably growing at a healthy clip of at least 50% a year unless they are in the thousands of employees. Even then they should show consistent growth over two years. Is engineering headcount dropping while sales headcount is increasing?

If there are fewer than 25 employees you are blind to recent changes. That’s why IT-Harvest records every company’s total employment every quarter. (Heads up to stock market investors: I have seen a very close correlation between headcount change and reported quarterly revenue.)

Check the HQ address. A vendor’s base of operations tells you a lot. Malta or Iceland? Probably not going global soon. US, UK, Canada, or Israel? Good chance of offering global opportunities.

Check out the founders. Usually, they are the CEO, CTO, or both. Are they experts? Is this their first dance?

Step 2. Check out the website.

Does it have a clear and concise statement of their value proposition? I can tell you right now, nobody is looking for an “AI/ML/Blockchain solution for their most pressing Big Data management problems.”

Step 3. Search Crunchbase.

Look at the total investment and latest round. Did they take in $50 million in 2005 and do a debt offering in 2019? What caused them to languish? Crunchbase also provides a list of recent news events like new partners, big customer wins, or opening offices in new regions.

Step 4. Glassdoor

You have to use judgement with Glassdoor reviews of a company and the CEO rating. I have found that most reviews are either from disgruntled former employees or plants from the vendor marketing or HR teams. That said, you can derive some valuable insights from the story that develops from reading the reviews.

That’s it. I can do this in five minutes for any vendor. At twelve an hour that means I have 75 hours of eye-straining work ahead of me to complete the Directory for Security Yearbook 2021.

Press Release: Cyber Threat Intelligence Space Grows 3% in 1H 2020

IT-Harvest Research: Cyber Threat Intelligence Space Grew 3% in 1H 2020

New “Cyber Threat Intelligence Market Research Report 1H 2020” – Richard Stiennon, and Ron Moritz.

Sep 17, 2020, 08:34 ET

Picked up by: Seekingalpha, Morningstar

BIRMINGHAM, Mich., Sept. 17, 2020 /PRNewswire/ — IT-Harvest, an independent research firm covering the cybersecurity industry, has published the “Cyber Threat Intelligence Market Research Report 1H 2020” by Richard Stiennon and Ron Moritz on the cyber threat intelligence (CTI) sector. The report includes 61 vendors that provide threat intelligence to the enterprise or collect and manage threat intelligence. These include Recorded Future (acquired by Insight Partners in 2019), Anomali, LookingGlass Cyber Solutions, ZeroFOX, and Intsights.

Key findings:

Funded companies had healthy growth despite the headwinds in 1H 2020: Sixgill (+79%), SpyCloud (+59%), DarkOwl (+48%), Recorded Future (+45%).

Fears of an economic slowdown due to COVID-19 led investors and their portfolio companies to restrict hiring at many firms. Overall headcount growth of 3% in 1H is a positive sign.

IT-Harvest predicts that 2H growth will be an additional 10% over 1H, leading to 2020 revenue of $517 million.

The 34-page Market Research Report is available at It provides a guide to the industry and a summary of each vendor’s capabilities. It comes bundled with an Excel spreadsheet of all the data used to track 61 vendors.

About IT-Harvest:

IT-Harvest tracks over 3,000 vendors in the IT-security industry. All of them are printed in a directory in Security Yearbook, an annual publication. The CTI Market Research Report uses the data collected for this Directory as the basis for our analysis. Security Yearbook 2020: A History and Directory of the IT Security Industry is available at

To contact the author, Richard Stiennon, email:

Press contact: Leslie Kesselring, (503) 358-1012

About the authors:

Ron Moritz, Contributing Analyst, is a venture partner in OurCrowd, the most active investor in Israel, and Entrepreneur-in-Residence with CyRise, Australia’s cybersecurity accelerator. His career has spanned roles at Finjan Software, Symantec, Computer Associates, and Microsoft. He also helped create the CISSP (Certified Information Systems Security Professional) certification and was one of the first to earn it.

Richard Stiennon, Chief Research Analyst, is the founder of IT-Harvest and author of Security Yearbook 2020: A History and Directory of the IT Security Industry. He has held executive roles at Webroot Software, Fortinet, and Blancco Technology Group. He was also VP Research for Gartner. Contact

My Publishing Journey

As I pushed Curmudgeon: How to Succeed as an Industry Analyst over the publishing line in late July, I was asked to present to members of Detroit Working Writers, the oldest writing group in the US, on my publishing journey. The event was very well received, but it was not recorded, so I recorded a private session below.

If you want to learn about the ins and outs of indie publishing I teach the lessons learned from each of my books.

Surviving Cyberwar. My only traditionally published book.

UP and to the RIGHT. My first indie-published book, still selling after eight years, and seeing a bump thanks to Curmudgeon.

There Will Be Cyberwar. My Masters Dissertation from King’s College London turned into a book.

Secure Cloud Transformation: The CIO’s Journey. By far my most widely distributed book, with 35,000 copies worldwide.

Security Yearbook 2020: A History and Directory of the IT Security Industry. The culmination of ten years of research. Purchase right here.

Stiennon On Security: Collected Essays. During lock-down I decided to compile ten years’ worth of columns from Forbes. Read Ben Rothke’s review.

And finally, Curmudgeon: How to Succeed as an Industry Analyst. It includes contributions from six veteran industry analysts.

Now my calendar is freed up to begin writing Security Yearbook 2021!

More On Writing

Just a follow-up to my post on Writing a Book. That post was an excerpt from Curmudgeon: How to Succeed as an Industry Analyst, which was published Tuesday this week. Thanks to the comments and feedback here on Peerlyst, I put together a list of books that have helped me in my writing career. I included this list in an Appendix to Curmudgeon.

Speaking primarily about works of fiction, James Branch Cabell said the goal for an author is to write perfectly about beautiful happenings. That is a lofty goal for any writer, and perhaps over the top for nonfiction. Yet, why not strive to write perfectly? We may fail, but we are bound to have created something that is more enjoyable to read and conveys the knowledge we wish to impart.

Here are the books on writing that I have found the most useful and inspiring.

The Sense of Style: The Thinking Person’s Guide to Writing in the 21st Century, by Steven Pinker, is my favorite book on style and writing.

On Writing Well: The Classic Guide to Writing Nonfiction, by William Zinsser, is a must-read. I have found it guided me in developing a voice for my research reports, blogs, and books. It was first published in 1976 and has been updated many times since.

Good Prose: The Art of Nonfiction, by Tracy Kidder and Richard Todd. You may remember Kidder for The Soul of a New Machine, one of the first narrative nonfiction books on the tech industry.

Writing Down the Bones: Freeing the Writer Within, by Natalie Goldberg, is a series of philosophical essays on writing that may provide some motivation.

Bird by Bird: Some Instructions on Writing and Life, by Anne Lamott, is another collection of essays to help you tackle and complete a project.

Creative Nonfiction: Researching and Crafting Stories of Real Life, by Philip Gerard, has chapters on conducting interviews, choosing a topic, and research which are a big help.

Steering the Craft: A Twenty-First-Century Guide to Sailing the Sea of Story, by science fiction author Ursula K. Le Guin, is beautifully written prose about writing beautifully.

If you find yourself fascinated by the writing life, as I am, you will enjoy Zinsser’s memoir, Writing Places: The Life Journey of a Writer and Teacher.

C.S. Forester, one of my favorite fiction authors, also wrote a memoir: Long Before Forty. What is notable about Forester is that his writing appears effortless. The reader can be completely absorbed in the story without being distracted by the writing at all.

In the same vein as Forester, Nevil Shute’s memoir, Slide Rule, describes how he transitioned from pioneering aeronautical engineer to bestselling author of such works as A Town Like Alice and On The Beach.

I encourage you to read these works and also look up your favorite authors on YouTube. Many of them have lectured on their writing practices. Malcolm Gladwell teaches a master class at which is revealing and practical.

Oh, and one more. Jon Winokur’s The Portable Curmudgeon, a collection of over a thousand quips and quotes from notable curmudgeons, from Groucho Marx to Dorothy Parker.

This post first appeared on Peerlyst, which is sadly going offline August 27, unless a white knight rides in.

Beauceron Security

David Shipley, founder and CEO of Beauceron Security, was responsible for security awareness training at a Canadian university. After looking at existing solutions he decided that something better was needed. (Before you ask, a Beauceron is a sheepdog from Beauce, France.)

Beauceron Security has developed security awareness training tools that include an element of gamification. Each end user is given a score based on factors that include testing their knowledge, reporting phishing emails, and taking corrective action if they miss something.

Driving positive behavior change is always a challenge in cybersecurity. Beauceron drives change by providing the right information at the right time for employees to care about their role in cybersecurity. Keep in mind that cybersecurity awareness is different for employees and executives, so having different approaches for different levels of target value is important.

Their set of cloud-based tools is also highly customizable, so that new phishing methods or things that are unique to a customer organization can easily be built into the training program.

Watch my interview with David here.

BitDam: Security for Collaboration

There is no question that collaboration tools, particularly email, are the major vector for attacks. Especially in this time of lock-down and work from home, when we all rely on email, Teams, and other collaboration environments, attackers are taking advantage of our constant use of these tools.

BitDam addresses the security problems with these vectors with an inspection engine that is blindingly fast. Because it is cloud-native, an enterprise or even a small business can set up BitDam protection in minutes.

I had an opportunity to interview BitDam’s founder and CEO, Liron Barak. Listen to the origin story of BitDam and how they are demonstrating higher catch rates than their competitors.

To back up their claims of better catch rates, Liron describes how they use harvested malware and send it to instrumented mailboxes, allowing users to see which malware their existing protections missed. The constantly updated dashboard here is well worth investigating.