
Business spending on cybersecurity has changed

Even in the world of cybersecurity, discussions about enterprise security budgets tend to veer into the mundane. However, the current macro environment has frustrated almost all market predictions, and while we know for sure that the bear market has driven most companies into austerity, its true impact on cybersecurity spending remains an enigma to this day.

A report from YL Ventures, based on data drawn from surveys of Fortune 1000 CISOs (chief information security officers) and cybersecurity decision makers, sheds some light on the bear market's impact on purchasing behavior, how security strategies are evolving in response and how customer interactions with providers have changed as a result.

Half of CISOs still have room to adapt to new solutions and, contrary to low expectations, 45% of cybersecurity budgets remained unchanged or even increased. Specifically, one-third of respondents (33.3%) report unchanged budgets and 12.2% saw their budgets increase.

Meanwhile, another third (33.3%) of cybersecurity budgets have been cut, while 21.2% of cybersecurity leaders are currently managing frozen budgets, meaning no new spending is possible.

Infographic: CISO Circuit 2023 (Image: YL Report)

Make the first contact

Although the data may seem intimidating, providers still have many opportunities. A sizable majority (75.8%) of cybersecurity leaders are still open to learning about new vendors; there are simply more factors that are taken into consideration when making decisions. While almost half (45.5%) are willing to meet any supplier, 18.2% only meet with those who strictly address their most pressing security priorities and 12.1% are only interested in learning about younger, smaller startups.

In fact, this is a great time for small startups to shine and perhaps for larger vendors to take note. In the eyes of most cybersecurity leaders, smaller and early-stage companies tend to offer more advantageous licensing costs, as well as design partnerships, allowing for tailored solutions that better fit their weaknesses and unique operational needs.

Currently, 26.7% of respondents rely on free services as a temporary measure. If we think back to the most difficult days of the pandemic, when many cybersecurity providers offered their services for free, we can see ample evidence of how much goodwill those gestures created and how they propelled many companies to the top. For sellers who find this too difficult to swallow, consider how effective land-and-expand tactics have been in the past, and remember that the rising tide of fiscal conservatism leaves little room for stubbornness in requesting higher spending.

The need for flexible contracts is made clearer by explicit requests from CISOs themselves. Many CISOs who participated in the report had harsh words for vendors who approach them with large contracts following mass layoffs or closures. They reserve even harsher judgment for those who still rely on the outdated tactic of sowing fear, uncertainty and doubt around the threat landscape. In such difficult times with no end in sight, spreading more negativity is no way to win hearts.

The golden rule of understanding customer needs has taken on additional dimensions, as each business experiences its own journey of financial pressure. Suppliers who can be sensitive to this will go much further than those who are not.

Speaking the same language

The spirit of austerity, even among CISOs whose budgets have increased, is reprioritizing how new product acquisitions are evaluated. True cybersecurity veterans are already familiar with the process of fighting for approval of new purchases, usually with the help of a demonstrable return on investment (ROI). This experience is once again useful as ROI and cost reduction become more important factors than ever in decision making.

Together, ROI and cost reduction make up 60% of the top supplier criteria CISOs look for, making them the biggest deciding factor in product procurement. Vendors that cannot demonstrate the returns CISOs will see will struggle to survive in today's frugal landscape.

The report also reveals exactly how this frugality plays out in actual enterprise cybersecurity strategy. Cybersecurity leaders have long been determined to streamline their operations (which now involves orchestrating many departments) and deflate their security stacks. They are now under more pressure than before to do so. According to cybersecurity leaders surveyed, 80% are focusing their efforts on consolidating their solutions, 43.3% have terminated at least one contract with a vendor, 70% are relying more on automation, and 23.3% have had to lay off staff.

There is a lot to interpret from this data. The first figure may not be surprising, and yet CISOs find themselves repeating the same thing daily: vendors need to stop selling features as platforms. That's how their stacks grew so much in the first place. Point solutions won't fare much better these days either, as most security teams are too understaffed to spend time learning new technologies or triaging more alerts. However, those who can demonstrate a small learning curve and easy integration may still have a chance if they solve a top-of-mind problem for CISOs.

Consolidation is truly the name of the game for entrepreneurs looking to build great companies. Pitches that demonstrate how a single solution can make sense of the noise or even replace several others are much more likely to win over CISOs. This also brings to mind another important trend: austerity measures are encouraging a return to basics.

Focusing on what matters

The current top priority is to protect existing business environments with maximum efficiency and cover remaining blind spots. Despite oversized and even overlapping equipment and solutions, many important areas of protection remain unattended. Respondents were given the option to select multiple areas of focus, and the following received the most attention. When it comes to environments, 75% prioritize cloud security, 50% data security, 46.9% application security, 25% supply chain security, 28.1% SaaS security and 21.9% API security.

The push towards general and basic security is also reflected in the disciplines they are prioritizing: 40.6% prioritize compliance and risk management, 31.3% vulnerability assessment, 28.1% detection and response and 15.6% remote access. This list may seem surprising at first. Where is IAM? How about orchestration, remediation, and user behavior analysis? Most conspicuously absent, of course, is AI. This is not to say that CISOs are not expressing interest in these areas, quite the opposite.

At least when it comes to AI, many CISOs are biding their time to find a suitable solution and using existing tools to help them see and manage generative AI risk as best they can in the meantime. Or they are simply banning the use of generative AI altogether. As for the other types of solutions, there is still no concrete data available to quantifiably evaluate the interest. However, we see a marked increase in these types of solutions on the market and can expect interest in them to grow over the next year.

Even in what seems like a customer desert, suppliers who play their cards right can still come out on top. This is especially true for those who can bring this valuable experience to guide CISOs' strategies in these areas rather than providing mere warnings about the risks involved.
