Let’s start with the hard data:
- Between 2022 and 2023, Gartner published at least 10 Gartner Magic Quadrants related to Cybersecurity, with an average of 12.8 vendors per report
- From all evaluated companies, 98 vendors are currently from the United States, with 9 of them originally founded outside of that country (3 of those in the European Union)
- From 40 Leaders, most of them are from the United States (33), with the rest distributed as follows: 2 are from United Kingdom, 1 from Switzerland, 2 from Israel, 2 from Other countries, and none from European Union
The European Union has been working on increasing the priority of their Cybersecurity strategy within the past years, with the introduction of the NIS2 directive, the Cyber Resilience Act, and the strengthening of the role of the European Union Agency for Cybersecurity (ENISA) through the Cybersecurity Act. However, we still don’t see many European Union vendors having a global role neither the technology leadership that the region would require, and that’s very clear when we see how European Union companies fare in analyst reports, like the Gartner Magic Quadrant.
About Gartner MQs
As one of the leading global IT industry analyst firms for decades, Gartner publishes a large number of reports and research that are used by professionals from all over the world to perform their work and make decisions. One of those reports are the Magic Quadrants (or MQs), where Gartner evaluates a particular part of the industry, and ranks vendors and service providers according to their completeness of vision and ability to execute.
Even though Gartner advises that those reports should be only one of many sources of information for decision makers, Gartner Magic Quadrants are then used by mid and large enterprises to make decisions about what software, hardware and services they should consider, maintain or replace. Government organisations use them as decisive criteria in their public tenders, and channel partners make their decisions on which vendor should be part of their portfolio based on the appearance and position in those Gartner reports.
Considering how relevant the Gartner Magic Quadrants are for the success or failure of a cybersecurity vendor, one question that we could ask ourselves is how representative those reports are of the industry they evaluate. And, moreover, how the European Union stands in them.
Geographic representation
When analysing the Gartner Magic Quadrants dedicated to Cybersecurity, there’s a very noticeable data point at first sight: a particular region of the world is highly represented, the United States of America. From this country are 98 out of 128 evaluated vendors, and the vast majority of leaders are from that country as well (33 out of 40).
The European Union is only represented by 6 vendors (it could be 9, if some of them wouldn’t have moved their headquarters to the US), and, not surprisingly, there’s no leader from the EU in any of the MQs. While there are many Cybersecurity vendors within this region, the majority doesn’t fulfil the basic requirements to be considered within the MQs, in terms of annual revenue and global presence.
A former EU country that would have doubled the region’s presence in the MQs, the United Kingdom, has 6 vendors, the same quantity than the European Union, and 2 of them are leaders within their industries, according to Gartner: Sophos in the Endpoint Protection Platforms & Micro Focus in the Application Security Testing.
Israel, a significantly smaller market than the European Union, has 5 vendors, and we could consider those to be 9, if we count those originally founded in that country but later moved to US. With a fraction of the inhabitants that the European Union has, Israel has an equivalent presence, and moreover, 2 Leaders are from that country.
Yes, some (or part) of the solutions that are US-based and part of the MQs now have been enhanced by acquisitions of technologies from other regions, including the European Union, but that also applies to Israel and the United Kingdom, showing that in terms of geographies, the United States is clearly the most represented country in the Gartner Magic Quadrants, and the European Union is far behind.
The needs of the European customers
European customers don’t have the same needs and priorities than the US-based ones, and the European vendors should be in a unique position to satisfy them. For instance, the European Union companies have been, in general, slower to adopt cloud-based solutions when compared to the United States.
In my opinion, this points to a non-negligible bias in the Gartner Magic Quadrant approach. The majority of Gartner customers are from the US, as well as their analysts, and this translates into a vision more aligned with the needs of the US customers rather than the European ones. But, we can’t attribute the poor representation of European-based vendors in the MQs to this, as there should then be more EU vendors as Challengers due to their market penetration, among other factors, and that’s not the case.
While ENISA is attempting to bring a tool for European companies to select vendors according to their specific needs through the ECSMAF (ENISA Cybersecurity Market Analysis Framework), that is only one part of the equation.
Geopolitics & Cybersecurity since Ukraine’s war
Geopolitics have played a key role in Cybersecurity for a long time, with the war in Ukraine making it more clear for everyone. Since then more European companies have realised that the country of origin of their suppliers matters more than ever.
Research from public and private sources, like the recent Cyber Security Market Survey 2023 by Clavister, shows that more than half of buyers consider the country of origin as important or very important in their decision making process.
Then, if Cybersecurity is a top priority for the European Union, and a large number of companies there are looking for European vendors, why are there so few vendors in the Gartner Magic Quadrants? And not only that, let’s remember, none of them is a Leader within is industry.
The main reasons behind the low presence of EU vendors in Gartner MQs
First, we need to take into consideration some particular things that are unique to the European Union: even if it’s one of the biggest markets in the world, it’s not a single market like the United States is. It’s a common market that’s fragmented due to multiple countries and their own culture, language and politics. This has not made it the most fertile ground for large software vendors.
Moreover, it has favoured the growth of conglomerates like Airbus, Atos and Thales (who recently acquired Imperva, and before that Gemalto), who have been the voices of Cybersecurity in the region for a long time, but have been primarily integrating their own custom solutions or integrating foreign technologies for their projects and customers.
Besides them, large Telecommunications companies have started their cybersecurity companies as well, like Orange, Telefonica and Deutsche Telekom, providing services, integrating solutions from others (primarily non-European), and also acquiring smaller companies or developing their own software, taking a large part of the enterprise cybersecurity market with them.
It would be difficult to see Orange selling a product from Telefonica, or Atos integrating a software owned by Thales, so this situation where the largest suppliers are also vendors creates an additional fragmentation in the market.
There’s another very important factor in how the United States and Israel perform when compared to the European Union: funding.
"The VC funding landscape varies significantly across regions. US saw a peak in 2021 with venture funding topping $23 billion and remains a significant player in global cybersecurity funding. Over 20% of venture investment in Israel has gone to the country's cybersecurity sector. Europe has lagged behind significantly although AI tech funding is now picking up.”, highlights Neena Sharma, Senior Product Marketing Manager of Clavister, a Swedish Cybersecurity company that was founded in 1997 and was one of the earliest companies to launch a firewall.
Joanna Świątkowska, PhD, COO of European Cyber Security Organisation (ECSO), expands on this matter: "European companies very often provide excellent solutions—products and services, but they frequently suffer from a lack of wide recognition beyond their local markets. European players also experience problems accessing sufficient investments to scale their businesses.”
This disadvantage in the available capital that European Union companies have, compared to those in the United States, also affects the growth trajectory of vendors in each region, and gives the ability to the US-based ones to spend more in marketing and take bolder approaches in their messaging, helping them to grow faster and earlier.
The United States is the leading market
The above are only some, but in my opinion the most significant, of the several reasons that makes it easier for US-based vendors to thrive. They are founded and grown in a single market with less barriers than the EU, where independent software vendors have access to a larger addressable market, and where the access to it is less fragmented or controlled.
"The Cybersecurity market is, indeed, heavily dominated by US cybersecurity providers with only a few exceptions.This reality is also then evidenced as part of Gartner security research, most prominently visible in its signature report - Gartner Magic Quadrant which provides a snapshot of top providers for a particular market it evaluates. We can clearly observe that over 80% of all listed vendors in all Gartner security focused MQs are coming outside of Europe, with only a few exceptions such as ESET based in the heart of Europe but with global operations spanning the globe.”, comments Zuzana Legathova, responsible of Global Analyst & Tester Relations at ESET.
If we add all of the above to the fact that the United States is the largest cybersecurity market by revenue, it makes a lot of sense that the vendors from the largest market in the world are the leaders in the industry, considering their competition from other regions has more barriers to grow and establish themselves, especially in the EU.
Conclusion
Even if it has some effect, the fact that there are so few European vendors in the Gartner Magic Quadrant isn’t primarily related to the role these reports have in the selection of their suppliers by large and medium companies, but to the success the European vendors have had in increasing their market share by bringing to life a vision that will appeal not only to European customers but also to the rest of the world.
That is also the consequence of a region that makes it more difficult for vendors to thrive due to its unique characteristics. Europe will need to do a lot more (and also invest more), if they want to see local solutions being competitive enough to fulfil the local and global needs.
In order to do that, the European Union needs to have their own platform vendors, and support their growth. No only that, some of the EU vendors, in different industries, should consider to join forces, strategically (or through mergers) to succeed worldwide. Alliances, partnerships and integrations are more common among US vendors, and the EU vendors must learn to develop them to their advantage.
Until then, we are not going to see many european vendors in the Gartner Magic Quadrant, neither becoming market leaders, and that would be a missed opportunity for the continent.
Further reading and resources
If you want to read more about the European Cybersecurity market, i recommend this article from Ross Haleliuk.
You can also find the full report from Clavister in this article:
https://www.clavister.com/clavister-cybersecurity-report-2023/
European Cyber Security Organisation (ECSO) provides multidimensional support to European Union companies to accelerate their growth, like Cyberhive EUROPE by ECSO, an unique marketplace for European cybersecurity solutions that provides visibility and global recognition; matchmaking events like Cyber Investor Days and Cyber Solutions Days; the Cybersecurity Made in Europe label; and support in regulatory requirements and networking:
Want to read more from Ignacio? His substack can be found here.
Comments
Do you want to leave a comment?
Login or register to proceed
Login Register