Gartner’s primary value to enterprises is providing them with a vendor shortlist (MQs) in an otherwise complex market. Their primary value to vendors is telling them what they need to do to get on that shortlist.
Very soon I expect cyber-insurance carriers to begin exerting their influence by providing their clients with a product shortlist of their own if they want to get coverage or get premium discounts. When Gartner’s and insurance carriers’ shortlists conflict, I think the latter wins.
Consider this: Who is more financially motivated, Gartner / Analysts or Insurance carriers to get their vendor shortlist ‘right’ in terms of risk reduction? Who is going to have the best data to make decisions?
So do you foresee the insurance carriers teaming up with test labs in some way? And improving their approach? Because it seems like "does it do a good job at catching threats?" is the key question, but it has not been easily (or credibly) answered by anyone.
Hmm, maybe and I’m sure some will experiment with this approach. Or, they’ll just base their shortlist on claims / incident details where they’ll ask the clients what security products they were using at the time of breach — and see which failed.
That data will be used to create criteria for security product selection. And if a product fails too many times, it’ll likely get crossed off the approved list.
Having a tool and using it properly are two different things. I would think insurance companies would gravitate towards managed security services for smaller companies, and external attestation for larger companies that have a SOC (and to your point, understanding their tooling).

Oct 9, 2018 · 9:03 PM UTC