Rethinking The Secondary Sector Of Cybersecurity Industry

THE COI

01 About Secondary Sector

Category 2: Technology Production and Value Delivery (Secondary Sector)

In the cybersecurity industry, the secondary category refers to the industrial system that transforms technological capabilities into products, tools, services, or financial instruments, and delivers them commercially to end users. The ecosystem includes not only technology developers and manufacturers, but also all derivative actors who convey value to clients—such as sales, integration and system assembly, delivery and implementation, and all supporting structures that facilitate value realization.

Technology itself is morally neutral, yet it empowers its users. The ultimate purpose of the secondary sector is to enable end users to realize the full value of technological capabilities. However, as user needs and objectives vary, the selection and application of specific technologies likewise differ—whether commercial or political, whether just or malicious, the realization of value ultimately depends on the intent of the user.

02 Clarifying Key Relationships

1. Protagonists and Supporting Roles

In most technological narratives, solution providers—particularly technology vendors—are placed at the centre of the stage and portrayed as the protagonists of technological evolution, industrial transformation, and capital-driven wealth creation. Technological breakthroughs, product innovation, and capital success form the main storyline, while other participants in the industry are naturally relegated to supporting roles.

Underlying this narrative structure is a deeper assumption: technology is treated as the ultimate purpose of industrial development, and the significance of other actors lies primarily in enabling the realization of that purpose.

The cybersecurity industry, however, does not fully conform to this technology-centred, one-dimensional narrative. Rather than a linear progression driven solely by technological advancement, it more closely resembles an organic ecosystem of strategic interaction among multiple actors. Within this ecosystem, each participant exists according to its own logic, value, and objectives, rather than as a mere extension or instrumental tool of another.

For this reason, within our analytical framework of the cybersecurity secondary sector, THE COI do not presuppose a hierarchy of protagonists and supporting roles. Technology vendors and the surrounding ecosystem—including service providers, channel networks, consulting institutions, and other industry participants—are situated on the same analytical plane. Industrial evolution, in this view, is not the result of unilateral propulsion by a single type of actor, but rather the outcome of continuous interaction among multiple roles that collectively shape the trajectory of the industry.

Likewise, the existence of the secondary sector should neither be understood as the sole purpose of the cybersecurity industry, nor reduced to an instrumental function serving other dimensions of the industry. It constitutes an essential component of the broader industrial ecosystem—one that coexists with and depends upon other structural dimensions, together forming the integrated system through which the cybersecurity industry operates and evolves.

2. Logical Exclusivity and Practical Integration

In conventional commercial settings, the objectives of the various solutions within the secondary industry are largely aligned: to address clients’ problems and create tangible value.

Yet the different paths through which these objectives are pursued remain distinct in their essential attributes. Within the analytical framework of the secondary industry, we therefore distinguish among three categories—2.1 Technology Products, 2.2 Professional Services, and 2.3 Financial Services—each of which evolves into different forms under its respective attributes.

Conceptually, a client may adopt any one of these instruments as the primary means of addressing its needs. An enterprise, for example, may allocate the majority of its security budget to technology products, or combine the three through different arrangements in order to construct a security architecture better suited to its circumstances. Correspondingly, companies may specialize in a single technical or service capability, or assemble integrated offerings composed of multiple instruments.

However, the combination of tools in concrete commercial practice does not imply that their industrial attributes can be blurred. Technology, services, and finance represent fundamentally different forms of value. These distinctions of attribute shape not only their internal logic of value creation but also their external modes of application, and to a considerable extent define the structural relationships through which other actors in the industry collaborate and integrate with them.

3. Three Lenses of Technology

The technology industry communicates meaning largely through systems of terminology, concepts, and symbols. Such symbolic systems do not merely provide different forms of description; they embody distinct logics and value orientations.

Within the field of cybersecurity, three commonly used descriptive frameworks can be observed: technology-based, threat-based, and business-scenario-based. In practice, these symbolic systems are frequently used interchangeably or in combination, depending on the context. One may think of them as viewing the same object through different faces of a triangular prism, or as analogous to the Rosetta Stone—where multiple languages converge in their effort to describe a single underlying reality.

Yet language and symbols possess inherent limits. No symbolic system can fully escape this constraint. Consequently, technological narratives constructed from different dimensions each contain elements of precision, while also inevitably introducing some degree of distortion.

Structurally, these three lenses do not stand in a hierarchical relationship to one another. Rather, they represent different perspectives through which the same technological reality may be articulated. When examined more closely, each of these frameworks can in turn reveal deeper layers of internal logic.

Nor is there any inherent superiority among them. They simply constitute different pathways for understanding and describing technological reality.

4. Market Pathways and the End User

Within the secondary industry, a diversity of roles can be observed. In concrete commercial cases, multiple roles may appear in conjunction; yet this does not imply that every role must necessarily be present within the practical pathway of the market, nor that they invariably form a complete sequential chain.

Across different countries and regions, variations in cultural traditions, commercial conventions, and institutional environments give rise to different configurations of market pathways. Some chains remain relatively concise, while others develop into more layered structures; the forms through which value is distributed—and the scale at which it is realized—accordingly vary.

Value ultimately converges upon the user. Users may take the form of corporate organizations or individual consumers. Under different stages of development and contextual conditions within the cybersecurity industry, these categories of users assume distinct positions within the broader industrial structure. In constructing the THE COI Model, no restriction is imposed upon any particular type of user. Rather, all demand-side and usage-side participants are incorporated within a unified analytical framework. Further discussion of this principle can be found in Part IV of the THE COI Model.

The structural complexity of market pathways bears no necessary relation to whether the end user is an enterprise organization or an individual consumer. Large institutions may contract directly with technology vendors, while consumer purchases may also pass through multiple layers of distribution and agency. Such differences are, in essence, alternative manifestations of commercial structure in practice.

03 Notes

1. Premise of the Analysis

THE COI analytical model is constructed to observe the various roles within the cybersecurity ecosystem and the relationships among them. The model itself is an abstract structure: its function is to reveal relationships, not to render moral judgment.

Yet any analysis must proceed within a concrete setting. Only through the articulation of a scenario can relationships become clear, meaning emerge, and discussion take place.

In examining the roles and relations of the secondary industry, we therefore introduce a default assumption: the discussion concerns the classification of roles within the commercial secondary sector of cybersecurity industry, and the relationships among them.

In fact, upon the same primary foundation—Zero-Day—different forms of secondary industries may arise. One may observe, for example, a black-market cybercrime sector, or a state-oriented cyber capability shaped by political objectives.

When the underlying assumption changes, the roles within it change as well, and so too do their relations to the other dimensions of the model.

04 About THE COI

THE COI (Cybersecurity Observatory Institute) is an independent, non-profit research institute dedicated to the sustained observation and systematic epistemic study of the global cybersecurity ecosystem as a structured, multi-layered industry.

Established for academic and public-interest purposes, THE COI does not engage in vulnerability trading, technology production, commercial services, or compliance enforcement. Instead, it operates as a neutral observatory—examining how cybersecurity capabilities are generated, commercialized, institutionalized, and governed across different sectors and jurisdictions. 

By systematically mapping actors, roles, and interactions across the sectors of cybersecurity, THE COI develops analytical frameworks, ecosystem models, and research outputs intended to support informed decision-making by users, institutions, and policymakers.

THE COI is independent by structure.

Its role is not to participate, but to observe, study, and clarify the complexities of an evolving global cybersecurity landscape.

Subscribe and get the research report HERE.

info@the-coi.org

www.the-coi.org

www.linkedin.com/company/thecoi/