Of Long Tails and Stalking Horses
What Are Analyst Firms Going to Do?
Ludovic Leforestier was kind enough to quote me in this piece he published today titled What is The Role of Industry Analysts in an AI-Driven Market? Ludovic is the co-founder and board member of the International Institute for Analyst Relations (IIAR). He also founded Starsight, an industry analyst influence agency.
When it comes to the question of what impact AI is going to have on the analyst industry, Ludovic proposes and assigns probabilities to three “plausible directions.”
Brave new world: (Gen)AI becomes the interface for research. Clients browse, query and consume insights through intelligent platforms — and every interaction leaves a trace. (.3)
Gartner disrupts itself, moving faster than anyone else. It leverages AI to streamline and reskill its teams and outpace the competition. (.5)
AI makes raw research a commodity, and only analysts with sharp advisory skills or a strong personal brand thrive. (.7)
I want to expand on number two above: the idea that Gartner disrupts itself.
Gartner is lucky in that the majority of its customers self-attest to being late adapters. That means Gartner has plenty of time to wake up, develop different approaches, even make an acquisition if a competitor cracks the AI nut and starts to disrupt Gartner’s stranglehold on the market for advisory services. As long as Wall Street can exhibit patience, Gartner does not have to move fast.
But what is the disruption that is coming? It is most emphatically not vectorizing research reports in a RAG to power a chatbot. If Gartner analysts were to publish an AI Readiness Maturity Model (AIRMM) the zero stage would be having a RAG chatbot. (For the record, that’s where IT-Harvest was on January 21, 2023. Read: Catching the ChatGPT Wave.)
As a reminder, I have written two popular books on the world of industry analysts. They are:
UP and to the RIGHT: Strategy and Tactics of Analyst Influence.
and
Curmudgeon: How to Succeed as an Industry Analyst.
Since we are talking about Gartner let me propose what they would call a stalking horse:
The future of the industry analyst business is the long tail. Corollary: scaling to cover all of the vendors in technology requires the assistance of AI.
The analyst industry was born when computers entered the business world. Gideon Gartner left Wall Street in 1979 with the concept that his startup would offer Buy-Hold-Sell advice to clients in the market for technology. Think about the tech space back then. Apple did not go public until 1980 and Microsoft IPO’d six years after that. Gartner analysts were experts on the enterprise technologies of the day. IBM, Ahmdal, Burroughs, Honeywell, Univac, NCR, and Control Data Corp battled it out for enterprise sales.
Big business had to make multi-million dollar choices and they called on Gartner to guide them. (Or IDC, Forrester, Yankee Group, etc.)
If you step back and look at the model it was solely focused on acquiring deep expertise in the dominant market players and charging significant fees for decision advise.
Gartner was built — and thrived off of — the forever growing technology market. Every new generation of technology creates demand for advisory services.
Gartner grew dramatically along side the tech space. When I left Gartner in the summer of 2004 its stock (IT) was trading at 12. By the beginning of 2020 it was at a high of 160, a 12.3X increase. After a short correction due to Covid it rocketed up to its all time high of 538.54 at the beginning of this year. But it dropped steadily until August 5th when an earnings call raised questions about the impact of AI on Gartner’s business. Wall Street was not happy with that call. The stock dropped an additional 28% the same day and hovers around 250 today.
I believe its the explosion in technology solutions that is causing a problem for industry analyst firms. There are too many vendors for analysts to cover. In the niche of cybersecurity I count 3,966. HRtech is comprised of 7,000 vendors. Marketing tech has 14,106. Fintech has tens of thousands of vendors. I can’t even begin to estimate the number of AItech companies, but one vendor in AI Governance counts 2 million artifacts that indicate if an enterprise is using AI products.
In cybersecurity Gartner only covers 144 vendors in Magic Quadrants. The long tail is the other 3,822 vendors. George Colony, CEO of Forrester has publicly confirmed that they will not cover a vendor if its revenue is less than $50 million, the exact opposite of a long tail strategy.
The model of covering only the large vendors means a limited customer base. Gartner has 15,000 or so enterprise customers. That’s a great number, it implies $400K in revenue per customer. But which analyst firm can serve the other million or so enterprises world wide?
During a time of rapid technological advance there is extremely high interest in emerging tech. Even stodgy old companies have pockets of innovation. They track developments in quantum computing, AI, robotics, and space systems. Where are they going to get guidance and advice?
My contention is that an analyst firm should track all tech companies and their products. I estimate there are 250,000 vendors and somewhere around a million products. It would be unwieldy and probably not profitable to attempt to cover all of them with today’s methods.
AI and automation to the rescue.
We know exactly how to put AI and automation to work to tackle this problem. It took us three years to figure out. Even within the microcosm of the cybersecurity niche it’s expensive. Because of that head start, we think it could be done in 24 months. Investment to develop the tooling could be as high as $30 million. But with careful planning, and tackling each segment sequentially, the data gathered could be quickly monitized.
What about the threat from the foundational models? Will OpenAI, Anthropic, Perplexity, or Google, discover that there is a $50 billion market for technology data and advisory services? That’s a small number compared to the trillions represented by material science, or medical innovation. But there is always the risk that one of the LLMs will just be good enough. I test every model when it comes out.
Here is a simple test: I asked GPT-5, “create a list of all the hardware security modules (HSMs) on the market today. Be exhaustive, create a csv file listing the product name, company name, country of headquarters.”
GPT-5: I’m sorry — I’m unable to create an exhaustive CSV list of all hardware security modules (HSMs) on the market today.
Would you like me to pull together a representative list of major HSM products (say ~20-30), including product name, company, and HQ country, and provide it in CSV format?
When I said “sure” we get:
Product Name,Company,Country
nShield 5c,Entrust,USA
nShield 5s,Entrust,USA
nShield Connect,Entrust,USA
Luna Network HSM,Thales Group,France
Luna PCIe HSM,Thales Group,France
Luna USB HSM,Thales Group,France
PayShield 10K,Thales Group,France
YubiHSM 2,Yubico,Sweden
YubiHSM 2 FIPS,Yubico,Sweden
CryptoServer CP5,Utimaco,Germany
Atalla AT1000 (Payment HSM),Utimaco,Germany/USA
Vectera Plus (General-Purpose HSM),Futurex,USA
Excrypt Plus (Payment HSM),Futurex,USA
SecureKey HSM (Atalla line embedded),Utimaco (Atalla),USA
IBM 4769 (PCIe Cryptographic Coprocessor),IBM,USA
IBM 4768 (PCIe Cryptographic Coprocessor),IBM,USA
Not bad. 16 products from five vendors. Our answer? There are 139 HSM products from 71 vendors world wide in our database. If you are shopping for a HSM I believe starting with an exhaustive list, not a representative list, is the best approach.
Gartner creates whole new categories at a tremendous clip. One of my pet peeves is that an analyst will recognize a few similarities in the briefings they sit in on with emerging vendors. They make up a new category, implying that someday there will be a Magic Quadrant. They then pick 10 or 15 “representative” vendors to illustrate their thesis that there is a new category. Today the three letter acronym space (TLA) has been exhausted so they are starting to dip into four letters, thus ASPM, DSPM, CSPM, or even five letters, CAASM (Cloud Asset Attack Surface Management).
What they don’t do, because they don’t have the data, is publish a complete list of all the vendors that fall under that category. Take for instance Cloud Security Posture Management (CSPM), coined several years ago. We re-ingest cybersecurity product data from 4,000 vendors every quarter or so. As vendors update their marketing, they self identify as having products in the new category and only then do our search results match the new acronym. Here is the current search result for CSPM.
There are 109 CSPM products from 92 vendors. If an analyst firm is going to create a new category they should be in a position to acknowledge all of the players in the space and track them all the way to IPO, acquisition, or death.
Wake up call.
When trillions of dollars are being spent and created, when massive data center projects are kicking off to support it, when thousands and thousands of startups are jumping on the AI bandwagon, old school businesses should sit up and pay attention. We are at the very beginnings of the biggest technological upheaval of our time.
AI, even in its early stages of utility, is the most impactful of technology changes to occur since the 1947 invention of the point-contact transistor.
As during every other technological revolution, the old guard will pass away to be replaced by the innovators. Looking at the analyst industry it is obvious to many that it is ripe for change.
Thanks for the nod Richard, it means a lot coming from you.
Your point about exhaustivity is really interesting –and supported by data.
IIAR> members asked this question precisely when Forrester removed the lower band in its Wave evaluative methodology: this also removes their relevance in tracking emerging players.
See > https://analystrelations.org/2024/07/02/iiar-analyst-firm-webinar-forrester-wave-update-16th-july/
Good analysts maintain manual spreadsheets and notes about vendors in the categories they track –but this is time-consuming and out-of-process.
To give Gartner some credit, they came up with the Emerging Magic Quadrant which tracks more vendors and with a faster refresh cycle -but it's very very far from being perfect. They have the resources to correct it (and hopefully change the confusing product name) –will they?
The long tail thesis is right. But there's a parallel problem no one's covering.
You're asking: how do we track all the vendors? The missing question: how do we diagnose whether organizations can actually adopt what they buy?
Gartner covers 144 vendors. You're covering 3,966. But even with perfect vendor visibility, most AI security initiatives will stall. Not because the tools are wrong, but because the human layer was never diagnosed.
Stack analysis tells you what you have.
NIST mapping tells you where the gaps are.
Neither tells you why the SOC team quietly works around the new tool, or why the CISO's initiative dies in middle management.
The long tail of vendors is a data problem.
The long tail of adoption failures is a human problem.
Both need solving.