First note that the below is not meant to be anything that is sanctioned or even practiced by the other members of The Analyst Syndicate. This is how I conduct research. Consider it a continuation of the guidance provided in Curmudgeon.

When I first joined Gartner in 2000 my only experience with its research was the feed available from DataQuest. I assumed, as an analyst that I could glean complete information of my research area from this division of Gartner. That was not the case at all. I would ask for “all the IDS vendors” and get data on companies that did not even have IDS products. The problem was that the data was being collected by “researchers” not analysts.

I have since found similar issues with data from just about every source including Pitchbook, CBInsights, and even Crunchbase. One problem is that they rely on vendors’ self reported categorization. The other is that they do not scrub vendors from their database when they go out of business or are acquired. A typical search on “cybersecurity” reveals a list of 6,000+ vendors. After cleaning them up I usually find 2,000 that qualify as vendors of products. Many of the others are consulting firms, resellers, and distributors.

So here is how I do it:

Finding vendors.

I have been collecting data on vendors since 2005, so I already have a large list. I build out the list by:

-Tracking exhibitors at conferences around the world.

-Making notes of when my Linkedin contacts join a vendor I do not know or launch their own startup.

-Most vendors in my space eventually reach out to me via Twitter, if only to follow. I add them to a running list of new vendors to track.

-PR firms will reach out with press releases about new funding rounds or briefing requests from new vendors.

-As a contributor to Forbes I am on a lot of press release distribution networks.

-I review all the infographics created by other firms. It is a strain on the eyes to look at a couple of hundred logos but I check each one against the database using this tool. I never agree with the categorizations and they always include consultants and resellers.

What data to collect?

I built my database to assist me in my research. Before a client call about a particular sector I pull up the list of vendors and review them. During the call I can help a client pick vendors to short list, or a vendor client may be looking for acquisitions and need the list for their own research. So what data is useful and verifiable? If you purchase the Cyber Threat Intelligence Market Research Report 1H 2020 you get all the data I use in a downloadable spreadsheet. It includes:

-Company name, address of HQ, and names of key executives.

-Date of founding.

-Total venture investment.

-URL of company website (you would be surprised how hard it is to find this for every vendor).

-URL of Crunchbase listing.

-URL of company Linkedin page.

-Number of employees for each quarter starting January 1, 2020.

I find that much can be learned from tracking the number of employees at every vendor. You get an immediate picture of vendor health and relevance. A 20 year old firm with two employees is probably a sole proprietorship. A two year old firm with $20 million in funding and steady growth of 50% in number of employees is on a roll. A sudden quarterly decline is a red flag to be investigated.

What to do with the data?

I assume that something I find valuable must be valuable to others. This year I published all the vendors arranged by country and category in Security Yearbook 2020. It makes a convenient desk reference and early reports from CISOs tell me they are using it for vendor selection. (And no, there is no ebook version. Every Kindle book I publish gets pirated. I am not going to give away a directory that I have worked on for years and invested tens of thousands of dollars to create.)

With granular employment numbers for thousands of vendors which I have categorized I can now report on the growth or decline of any category. The market research report on cyber threat intelligence is just the beginning. I am starting on the Deception space next, followed by Remote Browser Isolation, two small but growing sectors with amazing technology.

Are there any other sectors I should prioritize? I am reluctant to tackle IoT security because there are so many participants (over 120 vendors).

Can you think of any other data to collect? Data that does not depend on the vendors self reporting? I would love to track all the conferences each vendor exhibits at. That is a great indicator of marketing commitment. I could also grab the CEO rating from Glassdoor. Perhaps website ranking? Let me know!