Sara Behar
Even in the usually exciting world of cybersecurity, discussions on enterprise security budgets tend to veer toward the mundane. However, today’s macroenvironment has thwarted almost every market prediction, and while we know for certain that the down market has driven most companies toward austerity, its true impact on cybersecurity spending has remained an enigma — until today.
A recent report by YL Ventures based on data pulled from surveying Fortune 1000 CISOs (chief information security officers) and cybersecurity decision-makers is shedding light on the impact of the down market on buying behavior, how security strategies are evolving in response and how customer interactions with vendors have changed as a result.
The biggest takeaway? Half of CISOs can still accommodate new solutions, and, contrary to low expectations, 45% of cybersecurity budgets remained unchanged or have even been increased. Specifically, a third of respondents (33.3%) report unchanged budgets and 12.2% saw their budgets raised.
Meanwhile, another third (33.3%) of cybersecurity budgets have been cut while 21.2% of cybersecurity leaders are currently managing frozen budgets, meaning that new spending is not possible.
Making first contact
Though the data may seem intimidating, vendors still have ample opportunity to get a foot in the door. A considerable majority (75.8%) of cybersecurity leaders are still willing to meet new vendors — there are simply more caveats involved. While almost half (45.5%) are willing to meet any vendor, 18.2% are only meeting with those who strictly address their most pressing security priorities and 12.1% are only interested in meeting younger and smaller startups.
Indeed, this is an excellent time for small startups to shine and perhaps for larger vendors to take note. In the eyes of most cybersecurity leaders, smaller and earlier-stage companies tend to offer more advantageous licensing costs as well as design partnerships, which enable bespoke solutions that better suit their unique pain points and operational needs.
Currently, 26.7% of respondents are relying on free trials as provisional measures. If we think back on the more difficult days of the pandemic, when many cybersecurity providers offered their services for free, we can see ample evidence of just how much goodwill such gestures built and how they propelled companies to the top. For vendors who find this too difficult to stomach, consider how effective land and expansion tactics have tended to work in the past, and remember that the rising tide of fiscal conservatism leaves little room for obstinacy.
The need for flexible contracts is made more clear by the explicit requests of CISOs themselves. Many CISOs who participated in the report had strong words for vendors who approach them with large contracts in the wake of mass layoffs or closures. They have even stronger words for those still relying on the outdated tactic of sowing fear, uncertainty and doubt around the threat landscape. In such difficult times without an end in sight, spreading more negativity is hardly the way to win hearts.
The golden rule of understanding customer needs has taken on additional dimensions, as each company experiences its own journey of financial pressure. Vendors who can be sensitive to this will make it much further than those who do not.
Speaking the same language
The spirit of austerity, even among CISOs whose budgets have grown, is reprioritizing how new product acquisitions are assessed. True cybersecurity veterans are already well familiar with the process of battling for sign-offs on new purchases — usually with the help of demonstrable ROI (return on investment). This experience is coming in handy once again, as ROI and cost reduction become bigger drivers of decision-making than ever before.
Together, ROI and cost reduction make up 60% of the main vendor criteria CISOs are looking for, becoming their primary deciding factor in product acquisitions. Vendors who cannot demonstrate the returns CISOs can expect on their time, efforts and partnership will surely have difficulty surviving today’s frugal landscape.
The report also reveals exactly how this frugality is manifesting into actual enterprise cybersecurity strategy. For a long time, cybersecurity leaders have been determined to streamline their operations — which now involves the orchestration of many departments — and de-bloat their security stacks. They are now under more pressure to do so than before. According to the surveyed cybersecurity leaders, 80% are focusing their efforts on consolidating their solutions, 43.3% have terminated at least one vendor contract, 70% are relying more heavily on automation and 23.3% have had to lay off personnel.
There is much to glean from these data points as well. The first may not be surprising, and yet CISOs find themselves repeating themselves on a daily basis anyway: Vendors must stop selling features as platforms. This is how their stacks got so bloated in the first place. Point solutions will fare little better these days either, as most security teams are too short-handed to dedicate time to learning new technologies or sorting through more alerts. Those that can demonstrate a small learning curve and easy integration may still stand a chance, however, if they resolve a priority issue for CISOs.
Consolidation truly is the name of the game for entrepreneurs looking to build large companies. Pitches that demonstrate how a single solution can make sense of the noise or even replace a number of others are far more likely to win over today’s CISOs. It also harkens to another major trend: Austerity measures are encouraging a return to the basics.
Focusing on what matters
Today’s top priority is to secure existing enterprise environments with maximum efficiency and to cover still existing blind spots. Despite bloated stacks and even overlapping solutions, many major areas of protection remain unattended. When respondents were given the option to select multiple areas of focus, the following areas received the most attention: As far as environments are concerned, 75% prioritize cloud security, 50% data security, 46.9% application security, 25% supply chain security, 28.1% SaaS security and 21.9% API security.
The push toward overall and basic security is reflected in the disciplines they are prioritizing as well: 40.6% are prioritizing compliance and risk management, 31.3% vulnerability assessment, 28.1% detection and response, and 15.6% remote access. This list may appear surprising at first. Where is IAM? How about orchestration, remediation and user behavior analysis? Most glaringly absent, of course, is AI. This is not to say that CISOs are not expressing interest in these areas — quite the opposite.
At least as far as AI is concerned, many CISOs are biding their time for a proper solution and utilizing existing tools to help them see and manage generative AI risk as well as they can in the meantime. Or they’re simply banning the use of generative AI altogether. As for the other types of solutions, there is still no hard data available to quantifiably assess interest. Nonetheless, we do see a marked rise in these types of solutions in the market and can expect interest in them to grow in the coming year.
Even in what seems like a customer desert, vendors who play their cards right can still win the day. This is especially true for those who can provide this valuable expertise to guide CISO strategies in these areas instead of providing mere warnings about the risks involved. This can wedge the door slightly wider, at least until budgets return to where they once were.
How did we get here?
Though cybersecurity is not immune to today’s market slowdown, it has still outperformed most of the tech sector. Of course, this is logical given how remote work compelled most enterprises to digitize, significantly enlarging cyberattack surfaces in the process and creating many new points of risk. Indeed, cybersecurity has become an absolute necessity to offset the risk of digital transformation, which largely explains the absolute frenzy that the sector experienced during the peak years of the pandemic.
Alas, no market sector operates in a bubble, and it is completely logical that cybersecurity customers hit by the down market have had to adopt more austere operational measures in the interim.
Strategic and wise vendors, as well as aspiring cybersecurity founders, should take special note of not only the numbers but also the massive implications behind them. CISOs are still sorting through a barrage of approaches and pitches every day. Many end up having little relevance to their needs. As they become more selective in who they meet and limited in what they purchase, it is important to exercise creativity in the way vendors can offer. Becoming a key source of information and building goodwill through trials are both excellent places to start.
Comment