Signal From Noise: How to Win Customers and Influence CISOs

One of the most overused phrases in cybersecurity discourse is “the ever-changing landscape”. While it is true that security threats evolve alarmingly quickly, this doesn’t mean that the needs of CISOs, or the technology solutions they use, change at the same pace. We’re still looking for solutions to the same problems.

For our latest CyLon Insights report: “Signal From Noise: How to Win Customers and Influence CISOs”, released today, we surveyed CISOs and senior security decision makers from across the CyLon network. The findings showed that not only are the security needs of CISOs fairly consistent, but it also seems that CISOs don’t buy a huge amount; we found that CISOs only purchase around three new security products each year, independent of company size and sector.

At one end of the scale for new product appetite, a global professional services company with between one thousand and ten thousand employees (and a security team of 70 to 50 people) buys only one new product a year.

At the other extreme, a global consulting company with more than ten thousand employees and a huge security team of 420 people has an anomalously high number of product purchases: 50 a year. 

Importantly, companies tend to only review their security technologies once a year, and worryingly some only reevaluate after a security breach.

Just under 60% of those surveyed conduct an audit annually (41%) or every two to three years (18%). Most CISOs say that their decisions to buy new products are almost always the result of a continuous process of monitoring and analyzing how technology and security threats are evolving, rather than concerted efforts to find a specific solution.

Many business processes could reasonably be counted within the cybersecurity remit - from physical device management to high-level business continuity strategies. Not all of these areas require third-party technology products. In fact, we found that CISOs' primary technology needs are currently concentrated in three main areas: cloud security, threat intelligence and governance, risk and compliance.

How do CISOs make their decisions?
Our report also found that CISOs are inundated with product pitches; 40% read more than 50 pitches annually, which works out to roughly one new vendor pitch every week. Some security officers are consuming more than one a day: the highest response was 300-400 pitches per year.

The majority of CISOs spend only an hour or two each week reviewing pitches, with some working to a set maximum of five hours. One respondent said: “I am only supposed to take a maximum of five hours of vendor briefings a week. This is time reserved for taking briefings on new products or updates to existing products.”

However, CISOs don’t particularly struggle to select the new products they want to go ahead with. On a scale from “very easy” to “very difficult”, 37% of the CISOs surveyed said it is “quite easy” to evaluate and select the cybersecurity solutions their companies need. 

This can be explained by the fact that there is one clear priority for CISOs making technology decisions: risk reduction. Two-thirds say it is the most important factor when evaluating products, compared to five percent who said cost was the most important factor and just under 30% who chose user experience as a top priority.

Timeframe matters too, and it means more than just the time to implement a new solution across the business; more importantly, under-resourced CISOs are seeking solutions that will not be an ongoing burden to manage. Two-thirds of CISOs said that the time and resources it would take to manage a product are one of the top two decision factors.

Even though the evaluation process isn’t overly difficult for CISOs, they would like to see some key developments in the vendor landscape to make the process more manageable and efficient. Vendor noise is complicating decision-making, and so 32% want more information to help them sift through and compare products. 

The cost factor
Price point might not be the most important factor, but budget does determine which opportunities a CISO can consider.

Budget does vary greatly between different company sizes and sectors. Companies with more than a thousand employees spend up to $2m on cyber products, and companies with more than 10,000 employees generally spend multiple millions. Financial services firms are willing to spend the most on security, up to £5m a year.

In regions like Singapore and Australia, where the cybersecurity and finance communities are smaller but extremely active, CISOs tend to know how much their peers spend on security products, and so there is some convergence on budgets.

The silver bullet
A recurring theme that surfaces in every discussion with CISOs about their product gaps and needs is that they would like to see more multi-point or end-to-end solutions. A quarter of respondents to our survey said that would improve their decision-making process, and multi-point products were jointly chosen as the area in which CISOs want to see more offerings (16%, along with governance, risk and compliance products).

More than half (53%) said they have too many security technologies in their environment at the moment.

What exactly does the ideal, comprehensive, end-to-end cybersecurity product look like? Respondent suggestions for “dream cyber solutions” which don’t yet exist included integrated threat management and machine speed remediation, a product which can accurately provide information about what is on the company’s network and how the network is put together in real-time, and active vulnerability management solutions.

Currently, these “holistic” solutions are being assembled from tools that were designed for more specific tasks or environments, which could cause problems. One respondent explained: “There isn’t a single solution that does it all very well, but there are particular solutions that do part of the puzzle very well.”

Rather than a single multi-point solution, more vendors now work on points of integration with other products, in response to demand from CISOs. Even large and established vendors are now committing to interoperability through APIs and shared protocols so that specific cyber tools can all sit within an integrated solution structure.

As one respondent put it: “There is no silver bullet. We have a dynamic, fast-changing, unpredictable environment and it's dangerous to suggest (especially to your Board) that there is one solution that can keep up and ‘fix’ cybersecurity.”

Closing remarks
Our report highlights that CISOs are inundated with new vendor pitches, yet rarely can they dedicate much of their time to reviewing the products. This means startup vendors have an extremely limited window of opportunity to sell to them.

The survey uncovered some prominent themes around CISOs' changing needs to manage and have oversight over more flexible, modular cloud environments, and a demand for multi-point or interoperable solutions. Subsequent interviews with CISOs revealed that there are always at least two sides to all these themes, since CISOs have to straddle technology and strategy, always seeking to reduce day-to-day risk and vulnerabilities while also planning ahead for future innovations.

Understanding this delicate balance, and particularly the importance of business strategy in a CISO’s role, is the only way for vendors and startups to effectively meet their needs.

This is part of a blog series provided by CyLon, who find, grow and invest in the world’s best emerging cyber businesses, via its tailored acceleration programs in London and Singapore. Since 2015 CyLon has supported more than 80 companies and has a portfolio of international companies valued at more than £400m. 

The survey this report is based on is open to all CISOs and senior cyber decision makers. If you'd like to give your view, email for the questions.