What Are Security Buyers Looking For?


The information security market has been a topic of acute interest for quite some time now.  Estimates around the current size of the market range between $75 and $150 Billion. That is far larger than the market was even just a few years ago. That being said, the market is expected to continue to grow at around 10% per year over the next five years. That puts the size of the security market at somewhere between $120 and $240 Billion by 2022.

Although it is difficult to pinpoint the exact size of the security market, one thing is very clear.  There is an incredible amount of investment in people, process, and technology that is expected to continue to grow in the coming years. Yet, with all that investment, if you ask most security buyers what they are looking for, they would probably quote you a line from a famous U2 song: “I still haven’t found what I’m looking for.”

Recently, I attended a few different security events that were relatively well attended.  I happened to notice a few people that I knew to be in “buyer” positions.  It seemed that every time I happened across them during the course of the event, another person in a “seller” position had their ear.  Of course, this is a natural part of professional events.  But if you happen to be in a seller position, take a moment to think about it from the perspective of the buyer.  Perhaps you are the 10th, 50th, or even 100th person that day to grab their ear and make your pitch.

As you can imagine, at some point, everything begins to blend together.  The security market of 2017 consists of nearly 2,000 vendors and upwards of 50 sub-markets.  Let’s make the somewhat generous assumption that a buyer succeeds in remembering the conversation associated with a given business card, follow-up email, or LinkedIn invite. The question then becomes: What was the pitch that was relayed and how did it resonate with the buyer?

Did the pitch perhaps highlight how the product or service, which competes in a crowded market with 20 or 30 competing products or services, is just a bit better than the competition?  Or, perhaps the pitch described a product or service that doesn’t quite fit into the buyer’s strategic plan or budget?  Or, perhaps the pitch detailed a product or service found in a market that the buyer has already invested in?

I could go on, though I’m sure you understand the point by now. The real question is: What are security buyers looking for?  And further, how can sellers understand what buyers are looking for to determine whether or not their offering is a good fit and how best to communicate the value of their offering?  This is where I think benchmarking, assessment, and audit can perform a tremendous service to the buyer-seller conversation.  An added benefit, if you will, to the value they already provide enterprises.  I’ll explain.

Large enterprises with large security teams regularly benchmark themselves, perform assessments, and undergo audits to identify challenges and issues that need addressing. Thus, these large organizations generally have a pretty good idea of what problems need solving. Consequently, those on the seller side can simply ask those on the buyer side what they are looking for. Buyers are generally quite happy to share their priorities and plans for the near and even distant future. If sellers listen closely, they will find the information they are looking for. I did this quite a bit in my immediate previous role with good results.

But what are small and medium-sized businesses to do? For sure, they also have issues, challenges, and problems that need solving. Unfortunately, in most cases, these businesses do not have the resources, financial or human, to benchmark themselves against others, assess the state of their security programs objectively, and audit their capabilities, despite the benefits of doing so.

Does that mean that small and medium-sized businesses should remain in the dark about where they should invest their resources and time? Or that buyers and sellers should forever remain on different pages when it comes to all but the largest of enterprises? No, of course not. But how can this hurdle be overcome?

In my opinion, this is why the time for automated benchmarking and assessment has come. I’m not an elitist.  Small and medium-sized businesses need the ability to benchmark, assess, and audit just as much as large businesses.  The problem is that the current state-of-the-art for benchmarking, assessment, and audit involves a very manual, labor-intensive process.  While this process works well for large businesses, there are two main limitations here that keep SMBs from leveraging these services:

Cost: Not surprisingly, a manual, labor-intensive process requires people to fuel it. And in this case, we are talking about highly skilled, expensive people. That makes the cost of manual benchmarking, assessment, and audit a fairly high one, and one that is simply out of the reach of just about all small and medium-sized businesses.

Bandwidth: When a service relies on highly skilled people, there is a natural bandwidth limitation that occurs. There are simply not enough people with the requisite skills to perform the benchmarking, assessment, and audit services that small and medium-sized businesses would require, even if the price point could be lowered.

Both of these issues highlight the need to automate the benchmarking, assessment, and audit process to enable small and medium-sized businesses to benefit from it.

So, to get back to the original question: What are security buyers looking for? Before we can ask buyers that question, we need to give them the ability to answer it. And to my knowledge, empowering them with automated benchmarking, assessment, and audit tools is a great way to accomplish that.


Joshua Goldfarb (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently Co-Founder and Chief Product Officer at IDRRA. Prior to joining IDRRA, Josh served as VP, CTO – Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
