Tech Marketing

Cybersecurity Buyers Report Part 3

Article Summary

The third article in ActualTech Media's Cybersecurity Buyers Blog Series, in collaboration with the Cybersecurity Marketing Society, offers insights from a survey of 327 senior cybersecurity professionals in the U.S. It highlights the lengthy cybersecurity sales cycle, often spanning 6-12 months, and emphasizes the importance of early and consistent marketing engagement to influence budgeting and vendor selection. The report also notes the varying sizes of decision-making committees in organizations, suggesting tailored marketing strategies for different company sizes. This installment aims to guide cybersecurity marketers in aligning their strategies with customer needs.

In this latest entry of the ActualTech Media Cybersecurity Buyers Blog Series, developed in partnership with the Cybersecurity Marketing Society, we're excited to share more crucial insights. Building upon our foundational exploration in the series, accessible here, where we began demystifying the cybersecurity arena, we're thrilled to introduce the third instalment of the Cybersecurity Buyers Report. This ongoing series and report are designed to address the critical queries that cybersecurity marketers encounter. We have put together an extensive report, providing our readers with enlightening information and offering free access to the entire report.

Towards the end of 2023, ActualTech Media conducted a survey among a diverse group of cybersecurity experts and key decision-makers. The goal was to gauge the scope, current status, and complexity of their cybersecurity initiatives. We focused on their primary technological priorities, encompassing urgent security threats and IT-driven business objectives. Our research also included an analysis of the aspects of their security infrastructure that are currently managed externally and their plans for future outsourcing. We explored their procurement methods, criteria for choosing vendors, challenges in proof-of-concept stages, and budget planning schedules. Additionally, our research highlights the marketing channels and strategies they deem most effective.

We invite you to delve into the intricate details of the ActualTech Cybersecurity Buyers Report with us!


The key, over-arching point in these data: This is a long game. Both sales and marketing need to be prepared and ready to nurture prospects along with assets, messaging and touch points for each stage.

How far in advance do you start your budgeting process for cybersecurity solutions?

Success in netting a closed/won deal in under three months (from initial discovery to deal) is highly unlikely unless there was an urgent need or incident that precipitated the conversation. Be prepared for a longer sales cycle.

Generally, most prospects are on a 6–12-month purchase cycle. Plan accordingly, both in expectations and forecasting.

Given the budgeting and purchase timelines involved, prospects will need many touch points, awareness efforts, check-ins, and value-added offers throughout the process to stay top of mind and in the consideration stage. Plan your marketing around this length of cycle.

To think about:

  • What can you do to get in front of the budgeting process with clients?
  • How can you help them plan their budget?
  • Suggested solutions they can bake into their budgeting process?

Do you budget annually or quarterly?

Trying to get budget allocated for something prospects haven’t already thought about or planned for is going to be difficult.

This reinforces the importance of getting awareness and nurturing started early. Be top of mind when it comes to budget time, perhaps by giving prospects some ballpark figures to work with. Don’t hold back budgetary pricing unnecessarily.

Even when a deal isn’t won, start thinking about when a prospect will need to start planning renewal or replacement of the solution you lost out to. Can you start a marketing cadence to help them plan ahead, even if they didn’t go with you on round one? What’s the average replacement/lifecycle of a solution in your space?

Could you help them see how to use budget they already have to solve more problems? For example: they were already going to spend $50,000 on endpoint security, but your tool does endpoint security and application security under one umbrella for a similar price.

Vendor selection is a months-long process. Be ready for that.

Think about what that slow pipeline movement will mean for your in-progress marketing. How can you keep a consistent cadence of top-of-mind messaging that applies to the pipeline stage they’re at?

Is your sales team aware of, and in sync with you on, how long this process will take? Are they prepared to be the distribution channel that you’ll be using to get the helpful messaging and assets out to the client as you go? Sales will often have better touch points at these stages.

Where do you typically prefer to procure cybersecurity solutions?

Good news: Buyers are willing to go direct to the vendor a fair bit of the time.

However, you will also need VAR distribution if you want to reach a large portion of the market. What’s your current distribution strategy for VARs? Are you providing all the marketing support you can to your VAR or Integrator partners? Are you running programs with those VARs that will help them put you to the front of the line as they go to market?

If a deal originates with you directly, but the buyer wants to go through their VAR or an integrator, do you have the relationships in place to make sure that deal doesn’t fall off the table or get routed to another player who is somehow incentivizing the VAR to push their solution?


How many key members or stakeholders are typically on your decision committee for cybersecurity solutions?

Even in larger organizations, the buying committee may be smaller than you think.

For marketers, this is good news: fewer people may need to be targeted to achieve influence over the buying committee.

However, in organizations with more than 2500-5000 employees, the decision committee jumps to 11 or more 43% of the time, and 60% of the time in companies over 5000 employees.

As a result, as you look at your ABM account target list, realize that in organizations with 2500 or fewer employees, you’re looking at a reasonably small stakeholder group to go after.

Above that, you’re going to be talking to a lot more people who will care about different things and you’ll have to figure out who those people are and what they care about. Your sales team should be able to survey similarly sized organizations in your existing customer base to get an idea of who all is on the committee and what their concerns were or are.

Is That It?

This is the third article in this series. You can download the full report here. In the next article we will consider the answers to the questions: who makes the buying decisions? What motivates their decision making? And, what drives the decisions?

Respondent Details & Disclaimer

For this report, ActualTech surveyed 327 senior cybersecurity professionals and decision makers at organizations of all sizes who have dedicated cybersecurity teams in the United States. Respondents were CISOs, Directors and Managers of Information Security, Data Privacy Officers, Senior Cybersecurity Analysts and similar roles. While all organization sizes were surveyed, the data shown in the charts in Part 1 was filtered for companies of 500 employees or more. Data from organizations below 500 employees is included in the Appendix. The questions were developed in consultation with the Cybersecurity Marketing Society. The results and insights for these survey areas are included in Part two of this report. Cybersecurity marketers can use these data points (and the surrounding takeaways) to better align their product positioning and messaging with real-world customer requirements.

While ActualTech Media is not a professional research firm, our access to the minds and trust of the cybersecurity professionals and decision makers in our audience uniquely positions us to gather answers to questions that other firms may not be able to procure, and then present that data through a marketing lens.  It’s our hope that this report makes your job as a cybersecurity marketer more data-informed and intentional.