
Cybersecurity Buyers Report Part 4

Article Summary

The fourth installment of ActualTech Media's Cybersecurity Buyers Blog Series, in collaboration with the Cybersecurity Marketing Society, offers a deep dive into the decision-making processes in cybersecurity purchases. The report, based on a survey of 327 U.S. cybersecurity professionals, reveals that decision-making varies by organization size, with IT management and CISOs playing key roles. It highlights the importance of features, pricing, and trust in vendor selection, and underscores risk reduction as a primary motivation for new cybersecurity solutions. The report also discusses the effectiveness of webinars, industry recommendations, and analyst reports in influencing cybersecurity purchases. This comprehensive analysis aims to refine cybersecurity marketing strategies.

Welcome to the fourth chapter of the ActualTech Media Cybersecurity Buyers Blog Series, a collaborative effort with the Cybersecurity Marketing Society. Continuing from our previous deep dives into the cybersecurity field, which you can revisit here, we are eager to unveil the fourth part of our Cybersecurity Buyers Report. This series and the accompanying report are crafted to tackle the essential questions that confront cybersecurity marketers. We've assembled a detailed report, brimming with insightful data, and are pleased to provide unrestricted access to the full report.

In the closing months of 2023, ActualTech Media carried out a comprehensive survey with a varied group of cybersecurity professionals and influential decision-makers. Our aim was to evaluate the breadth, present condition, and intricacy of their cybersecurity efforts. We concentrated on identifying their key technological focuses, addressing urgent security challenges, and aligning with IT-related business aims. Our study further delved into the segments of their security setup that are presently outsourced, as well as their future outsourcing intentions. We investigated their methods of procurement, the criteria for vendor selection, the hurdles encountered during proof-of-concept phases, and their budgeting approaches. Our findings also illuminate the marketing channels and tactics they consider most impactful.

Join us as we explore the comprehensive findings in this final part of the ActualTech Cybersecurity Buyers Report in detail!


When it comes to calling the final shots, the decision-makers shown here hold sway.

Who typically makes the final decision?

In organizations with 500 or more employees as shown above, IT management still plays a lead role, followed by the CISO, the security management teams and C-level executives.

However, in organizations over 5,000 employees, the CISO takes the driver’s seat with 28% saying that they are the final decision maker, followed by IT Management who are still heavily involved in the final decision-making at 23%, basically even with the security management team at 22%.
Collectively, in organizations over 5,000, the CTO/CFO/CEO roles make the call in 20% of the companies surveyed.

For marketers, there are clear implications. In smaller organizations (those under 5,000), focus on upper IT and security management, who make the final call about 40% of the time. The CISO makes the final call only 13% of the time, likely because they don’t have a CISO in the first place. In orgs under 500, the CEO or CFO makes the final call shortly after IT management, which makes sense given the organization size.

What is your typical decision criteria when selecting vendors?

When it comes to decision criteria, features are king, but only insofar as they map to the requirements, pains, and challenges that the prospect has.

Pricing as shown here is likely relative to their budget.

Vendor and risk assessment likely combine into one criterion: they’re “trust”-based concerns.

Stakeholder recommendations could be based on word of mouth from other industry people they trust or industry colleagues.
A previous relationship with the vendor may matter less than we think, and marketing and sales shouldn’t rely on that – you’ll have to win their business every single time.

When selecting a new cybersecurity tool, what is your primary goal or outcome?

When it comes to the motivation behind procuring new solutions, risk reduction is the number one driver.

“Risk” has two facets here: both the reduction of organizational risk (say, from a security incident), and reduction of personal career risk (e.g., staking your reputation on a tool that fails to deliver).

The desire for increased visibility to understand exposure and the time savings gained through automation are also key purchase drivers.

Marketers can leverage the desire for automation gains by making it clear how much time and effort implementing a new solution or approach will save.

What are your primary concerns when considering running a proof-of-concept with a cybersecurity vendor?

Understanding potential roadblocks to getting a PoC implemented can help vendors address these concerns up-front and move the PoC process forward.

Presenting an already well-articulated scope for a PoC that makes it easier to agree to should result in greater success rates.

Consider creating a “PoC Concerns” battle-card that addresses the top concerns shown here or provide a trust-building “PoC Guide” that explains how you address these concerns. Make sure to include detail about how to get off-boarded if they feel it wasn’t successful. Give them an “off-ramp.”

Where do you typically like to learn about new cybersecurity solutions?

Webinars are not “dead” and are still the leading source of education about new cybersecurity solutions.

So-called “dark social” or industry friend/colleague recommendations also stand out. As a marketer, think about how you could create an army of ambassadors in the “dark social” space. Their recommendations have weight.

If your SMEs build a genuinely helpful presence on Reddit in advance of any pre-sales questions or opportunities or negative brand mentions that come up, you’ll be in a good position to respond effectively. A single dropped link from a trusted Reddit user can drive significant traffic to your website.

Analyst reports are still used as a starting point or shortlist of vendors for buyers and may be worth the cost to play depending on the cost/benefit analysis. There’s also a reasonable expectation that tradeshows will continue to grow in 2024.

Is That It?

This is the fourth article in this series. There is a whole section 2 that is not addressed in this blog series that explores cybersecurity buyers' technology stack. You can download the full report here.

It's free! 🤫

Respondent Details & Disclaimer

For this report, ActualTech surveyed 327 senior cybersecurity professionals and decision makers at organizations of all sizes who have dedicated cybersecurity teams in the United States. Respondents were CISOs, Directors and Managers of Information Security, Data Privacy Officers, Senior Cybersecurity Analysts and similar roles. While all organization sizes were surveyed, the data shown in the charts in Part 1 was filtered for companies of 500 employees or more. Data from organizations below 500 employees is included in the Appendix. The questions were developed in consultation with the Cybersecurity Marketing Society. The results and insights for these survey areas are included in Part two of this report. Cybersecurity marketers can use these data points (and the surrounding takeaways) to better align their product positioning and messaging with real-world customer requirements.

While ActualTech Media is not a professional research firm, our access to the minds and trust of the cybersecurity professionals and decision makers in our audience uniquely positions us to gather answers to questions that other firms may not be able to procure, and then present that data through a marketing lens. It’s our hope that this report makes your job as a cybersecurity marketer more data-informed and intentional.