Hello everyone,
Who should CISOs report to? The CEO, CFO, CIO, CRO, or directly to the LinkedIn fanboys?
In the DACH region, the traditional model with the CIO as the CISO's superior still seems to predominate. At DoorDash, on the other hand, the security team is part of the legal department, which according to the CISO is a good solution, presumably because handling customer data and compliance (e.g. payment processing) is in the foreground. An exception? Or a harbinger of an increasingly common model, namely security results that are primarily defined by contract?
The FT's headline fits in with this: “McKinsey is under pressure from clients to tie its fees to outcomes achieved”. Having taken a look at the chatbot, clients question the added value of consultants' advice, and the time required to develop that advice along with handsome PowerPoint slides. To be honest, this is a development that began some time ago. Corporate ranks are full of alumni from McK, Bain or BCG who, in their new roles, critically eye the proposals of their former colleagues.
Demands for measurable achievements, such as concrete implementations instead of generic strategies, annoy senior partners who want the golden days back, when as a trusted advisor to the CEO you could agree handshake deals worth millions without beauty contests run by annoying procurement departments. To quote Prof. Fink (WGMB): “The performance-related part of the fees is increasingly only due when success has actually occurred.” Harsh 😉.
The first software vendors, such as Salesforce, are also changing their pricing models: instead of flat per-user licenses, customers will in future pay per (agentically) completed workflow.
In security marketing, however, flowery messages have so far prevailed: Our SOC uses AI! We have the best threat intelligence! We do Threat Hunting regularly! We have adaptive hardening! Our XDR platform pulls all signals together via 35 modules and correlates in nanoseconds to detect identity-based attacks! The network doesn’t lie, that’s why NDR! Phishing-Resistant MFA! Our SIEM comes out of the box with 200 preconfigured use cases that cover all attack paths! We have a BSI C5 attestation! Our CEO was a founding member of Unit 8200!
Heretical question: who cares? In the end, what counts for customers is that damage caused by cyber attacks is avoided. It is all the more surprising that the majority of these advertising messages say nothing about it. Most claims about differentiating features are not differentiating at all, can hardly be checked by customers, and avoid any guarantee of effectiveness. In plain German: please do not rely on it, we accept no responsibility.
But there are also laudable exceptions. In my view, SentinelOne made a start in the right direction in 2016 with the first breach warranty; Crowdstrike quickly followed suit. Meanwhile, ~10 MDR/MSOC providers (out of ~130 in the DACH market) offer a similar commitment. Rubrik, VEEAM, NetApp and probably a few others offer compensation payments if restoration should fail after all. Aikido offers a money-back guarantee if no High Severity or Critical findings are revealed during pen tests. Some physical security services offer variable components depending on whether audits are passed or red teaming exercises are successfully withstood.
Of course, the devil is in the details of the terms and conditions, especially exclusions and customer obligations. No provider wants a legal dispute with a customer. And of course, a compensation payment of the usual amounts is only a consolation when you are standing in the ruins of your former IT infrastructure. But with imaginative contract design, a stronger link between the goals of customers and providers remains. Ideally, the success criteria are the same as those in the CISO's bonus agreement. In this way, the risks for security providers remain bearable and a real partnership is created, which always requires a community of interest.
The hypothesis is therefore that we will see a trend towards results-based remuneration, demands for guarantees in tenders, and a closer link between cyber insurance and security measures. From my point of view, this is a huge opportunity for all those who want to and can take responsibility. For the broad mass of users, technical details will disappear behind a contract like oil-smeared camshafts under the chic plastic engine cover with the brand logo. The main thing is that it works.
That we still have a lot to do together is also shown by indicators from the 2026 Verizon DBIR report:
- Exploitation of vulnerabilities is now the number one initial access vector (31% of all breaches), far ahead of stolen passwords and phishing
- And as an immediate measure, firewall, remote access and SD-WAN vendors are increasingly responding with ACL recommendations and configuration adjustments rather than patches
- The average security team now has to fix 50% more critical vulnerabilities every month than in the previous year. Not surprisingly, remediation times are increasing. Even patching KEV entries takes an average of 43 days.
- Positive: ransoms are still paid in less than a third of all ransomware cases
How are things actually going at Trend Micro? A look at the figures shows:
- Approx. EUR 1.5 billion in revenue, cash-flow positive and highly profitable with approx. EUR 200 million profit (figures similar in 2025 and 2024; growth was only ~1%)
- Of ~7,000 employees, one third each work in R&D and in Sales & Marketing
- The home market of Japan accounts for about 25% of revenue; the rest is evenly distributed across the continents. In Europe, however, Trend's consumer business plays no role
- Market capitalization ~EUR 5 billion; the share price is still about 70% below the all-time high of the dot-com bubble 25 years ago
- One reason for this may be: “We are mainly focusing our business in the field of cyber security business based on antivirus software”. If only it were at least “AI antivirus”.
- The CEO is currently still Eva Chen, the sister-in-law of founder Steve Chang => a kind of family business
- The OT security business was spun off as TXOne a few months ago. In the B2B environment, where platforms are sought, not a good idea in my opinion
Despite strong growth (>20%), SentinelOne is also cutting about 8% of its staff from currently about 3,000 employees. In the DACH region, it certainly doesn't help that the previously strong partner SVA is now also relying on Crowdstrike.
M&A:
- Zscaler buys Symmetry Systems (access graphs based on log data included). Goal: Zero Trust for agentic AI as well. The Zscaler share fell by 30% in one day, and the market value has fallen by 70% within a year, despite actually excellent figures. The reason is the outlook: “only” ~17% growth. A sentence from the Q3 shareholder letter on the Red Canary acquisition caught my eye: “Keep in mind that MDR businesses like Red Canary tend to significantly have higher churn than Zscaler’s core business.”
- Nextron Systems (CTI and forensics; some may know the Thor Scanner) is being acquired by the French PE player Eurazeo
- Cyera raises another USD 600 million in funding at a 12 billion valuation and buys Genie (DLP startup from Israel, 7 people) for ~USD 50 million
- NinjaOne (now with ~500 million in revenue per year, profitable) receives another USD 400 million
- Check Point buys Deepchecks (quality assurance for AI systems)
- Dragos acquires Phosphorus (IoT security)
- Akamai issues ~USD 3 billion worth of convertible bonds to buy back stock and further replenish its cash
- Socket (analysis of open source packages) gets ~USD 60 million in new funding. And with the IBM / Red Hat initiative “Project Lightwell”, a huge competitor is emerging that will also provide a clearing house for secure open source software.
Vendor briefings:
DoIT Solutions:
- German MSSP, approx. 30 employees, belongs to the French I-TRACING (globally positioned MSSP / cybersecurity consultancy with ~1,000 employees). Not to be confused with DoIT GmbH, by the way
- Almost 100 corporate customers, e.g. Dachser, Heraeus, Fanuc, and also the banking and defense sectors
- SOAR (used internally) with all customer data (each customer in their own tenant, of course) hosted in Germany
- “SOC-in-a-Box” standard offering based on Sekoia SIEM + CTI; recommended EDR is HarfangLab
- Otherwise flexible: we also operate e.g. Elastic on-prem in the customer's data center, Splunk, Sentinel, or all possible EDR/NDR/XDR solutions. Corelight + Gatewatcher for OT
- SOC analysts are mainly located in Germany (on call 24/7); other locations (e.g. USA, Malaysia, China) for 24/7 shift operation are also possible
- We also offer incident response from Germany (listing with the BSI has been applied for)
- Other services such as pen tests and product/application security can be purchased from the parent company
Security Journey:
- SDLC training for developers (“Secure Coding in the Age of AI”) from the USA
- Already ~400 corporate customers, also in the EU / DACH
- In particular, programming exercises combined with video formats
- Training is available for ~50 programming languages, each with progress measurement along learning paths (e.g. LLM Applications, iOS Developer, Cloud Engineer, PCI Compliance)
- There is also a curriculum specifically for the CRA
- Integrations with popular learning platforms
Ticura:
- “Spotify for Threat Intelligence” from Germany, founded in 2022 by the former IBM X-Force team
- Continuously collects and analyzes >1,300 TI sources (open source + commercial, incl. dark web monitoring) and makes them available, filtered per customer (e.g. industry-specific, regional), as a stream for common XDR/SIEM/SOAR platforms (and now also MCP servers)
- Customers are mainly MSSPs, already 50% of them in the USA
- Can also benchmark CTI feeds
- If you run a SOC: feel free to take a look; feedback welcome
As always, questions, suggestions, comments, experience reports, topic requests and also opposing opinions or corrections are welcome by email. Ditto for unsubscribing from the mailing list.
For those receiving the market commentary for the first time: here you can register if you are interested, or test a DDoS attack on the archive. By the way: by clicking on the flag symbol in the upper right corner, you can switch from the machine-translated English to the original German version.
Best regards,
Jannis Stemmann
