How do you make cybersecurity tech buying decisions? Here’s what your peers say
Article by Thycotic chief security scientist & advisory CISO Joseph Carson.
How do CISOs and other IT security professionals make informed decisions about tech purchases? Global research commissioned by Thycotic takes a close look at how IT and security professionals make technology buying decisions, and what influences boards to invest in cybersecurity.
The good news: The research—conducted among more than 900 CISOs / Senior IT decision-makers across nine countries—found more than half (58%) of IT security decision-makers say their organisations plan to add more security budget in the next 12 months.
Amid growing cyber-threats and rising risks due to the COVID-19 crisis, respondents indicate that boards are listening and stepping up with increased budget for cybersecurity, with the overwhelming majority, 91%, agreeing that the board adequately supports them with investment. Almost three in five believe they will have more security budget because of COVID-19.
The bad news: Even with growing executive management support, CISOs and their security teams must remain vigilant in making their case for cybersecurity investments.
Over one third (37%) of participants’ proposed investments, for example, were turned down because the threat was perceived as low risk or because the technology had a lack of demonstrable ROI. One third (33%) of respondents believe senior management often does not comprehend the scale of threat when making cybersecurity investment decisions.
More than three in four respondents (77%) said that a security incident at their organisation or an audit failure helped convince their boards to approve investment into new cybersecurity projects. Thus, it is not surprising that compliance appears to be a prime motivator in getting executive management to invest.
This is particularly the case in Europe, where several companies have received significant fines in millions of Euros resulting from a data breach or failure to be compliant with EU GDPR.
Looking at decision-makers in Australia, Singapore and Malaysia, however, they are much more likely to prioritise ROI analysis as the most effective strategy in persuading boards to invest.
The road ahead for IT and cybersecurity leaders moving into 2021 is complicated. The rapid evolution of threats across perimeter-less networks, along with an ever-growing range of cybersecurity technology choices, complicates IT decision-making.
What’s the best way to make real-world decisions about where and when to allocate finite resources that best serve your organisation’s interests? Are such decisions made on facts versus fear? Here’s what this global research says about how executives are making technology buying decisions.
Almost half of respondents view their organisation as ‘in the pack’ (45%), and only a third consider their companies to be ‘pioneers’ (36%), embracing new technology advancements. Just 17% think their business has its finger on the pulse, prioritising investment according to the latest security threat.
According to the research, CISOs and other senior IT security decision-makers look most often to their peers for guidance.
Benchmarking with other companies in their industry was the top method in decision making, with 46% of respondents gauging their efforts compared to what their colleagues are doing. Another 43% look to industry analysts as their most important source of information. A significant 39% rely on their peers’ opinion as most important to their decision-making process, and 39% rely on existing relationships with vendors.
One of the more interesting aspects of this research is the differences noted between the nine countries involved in the study. For example, the UK, New Zealand, Spain, Singapore, and Malaysia see benchmarking with industry peers as the top source of information in making informed decisions. In contrast, the USA and Australia lean toward industry analysts for direction. Germany is a standout by giving significant weight to existing relationships with vendors, though all preferences were very close in priority.
While product features generally make the most difference when making a final buying decision (44%), it’s interesting to note that 24% of respondents consider the company’s reputation to be the most decisive factor. Another 15% believe their trust in the individual salesperson to be most important in the final decision.
Even though we all like to think that technology purchases are based strictly on rational criteria, it is clear from the research that a vendor’s reputation and trust in an individual salesperson still play a critical role in many final technology purchase decisions.
One highlight from the research indicates that IT Operations share a significant portion of the purchase decision-making process with security teams. Among respondents, IT Ops has the final say in cybersecurity purchase decisions (38%) compared to the security team and CISO (32%). France appears to counter this trend, where operations have much less influence in the final say (18%).
While executive board support is expanding and cybersecurity budgets are generally increasing, the research has raised a red flag when it comes to executing investment decisions. That’s because IT and security professionals admit only 50% of their cybersecurity technology investments get fully utilised.
There may be several reasons why cybersecurity technology investments may not realise their full potential in protecting our organisations. Given the shortage in cybersecurity talent, companies may be frustrated in lacking the staff resources to fully implement solutions beyond their initial deployment. It could also signify that too many security technology solutions are still overly complicated or do not integrate well with legacy systems.
In any case, one of the key recommendations in the report emphasises that a proper proof of concept should be conducted before making any technology buying decision. Here are the types of questions to ask when making an evaluation:
- How easy is it to deploy the solution?
- How intuitive is the user interface?
- Do I have the skilled resources to operate and maintain it?
- Will this require additional professional services? And at what cost?
- What are the underlying requirements or hidden costs?
- Does it work in my specific environment?
- Does it integrate with my existing solutions?
- What kind of support options are available with the solution?
- Can we try logging some support calls just to test the response?
- Will it make our day-to-day tasks easier and more efficient?
- Does it offer more value for future priorities and business plans?
- Will it adapt and scale as our business grows?
Both IT Ops and cybersecurity teams would do well to reflect on their own evaluation processes. Sharing the experiences of our peers in this report will hopefully make us all better decision-makers.