Tech Marketing

Cybersecurity Buyers Report Blog Series

Article Summary

The ActualTech Media Cybersecurity Buyers Report, created with the Cybersecurity Marketing Society, offers insights into cybersecurity programs' size, state, and sophistication. It explores technology priorities, threat concerns, IT goals, outsourcing plans, buying processes, and decision criteria. The report reveals that many cybersecurity teams, even in large organizations, are small and overburdened, suggesting opportunities for outsourcing and automation. It highlights the varying maturity levels of cybersecurity programs, with a significant portion lacking maturity, indicating a need for training and tools to enhance program sophistication. Key findings include the prevalence of human security training, identity access management in larger firms, and the opportunity for growth in cyber-risk insurance and SecOps implementation. Endpoint security emerges as a top technology concern. The report also identifies phishing as the primary threat, emphasizing the need for solutions that aid in prevention, resilience, and recovery. It suggests that solutions integrating multiple security areas, enhancing cost efficiency, and aiding in compliance and digital transformation will resonate with cybersecurity decision makers. The report is part of a series, offering detailed insights for cybersecurity marketers to align their strategies with customer needs.

Cybersecurity Decision Makers

ActualTech Media has prepared a Cybersecurity Buyers Report in partnership with the Cybersecurity Marketing Society to provide the hard-to-get answers to the cybersecurity marketer’s most burning questions. We have not only created a comprehensive report to share with our audience, but we are presenting a Cybersecurity Buyers Blog Series that will provide you with the most pertinent and useful information, as well as free access to the full report!

In late 2023, ActualTech surveyed our audience of cybersecurity professionals and decision makers to find out the current size, state, and sophistication of their cybersecurity programs, and we looked at their top technology priorities, including their most-pressing threat concerns and overall IT-centric business goals. We also dove into the elements of their security stack they’re currently outsourcing and what they’re planning to outsource in the near future. We asked them about their buying and vendor selection process, decision criteria, proof-of-concept concerns, and budgeting timelines. Finally, we were able to pinpoint the marketing modalities and channels they find most valuable.

Let's dive into the ActualTech Cybersecurity Buyers Report findings!

On nearly every information security team there is likely to be some level of specialization in roles happening, with no one person handling every aspect of cybersecurity.

How large is your overall information security team?

At the same time, members of teams of 2-5 indicate that they are wearing multiple ‘hats’- personally handling several areas of cybersecurity inside their organization.

One takeaway here is that if even if your solution niche is small and your ICP is narrow, it’s important to realize that responsibility for that function is likely being done by someone who has other things on their plate. Empathetic messaging and a focus on communicating the efficiency gains your solution can bring will strike a chord.

Even in organization sizes above 5,000 employees, 2-5 person teams still account for 20% of all teams. These people are likely to be overloaded and perhaps more open to outsourcing certain functions for relief.

41% of respondents lack maturity in their cybersecurity program.

Describe the maturity of your cybersecurity program.

Some takeaways: Their teams are likely still hungry for information about how to mature. As individuals, they're likely sensing that the world of cybersecurity is advancing faster than they can keep up with, and they'll be grateful for—and trust you more for—training them to know what's important (not in your self-serving story, but what's really important in the big picture) and helping them get better at their job.

The 48% who have more maturity (tier 3 and tier 4) want to keep it that way. They've worked hard for this level of maturity, and the rest of the business and customers now expect it. So, they're probably looking for an “edge”, or tips to help them stay one step ahead of the bad guys. Often, this level of cybersecurity maturity comes bundled with a high degree of confidence which, in unhealthy cases, can present as arrogance. While these folks are looking for an edge and are interested in new information, be careful not to talk down at them or accidentally insinuate that you know everything, and they know nothing in your quest to teach and offer useful insights.

The fact that 11% of cybersecurity decision makers don't know whether their organization is mature should be concerning. This seems like an opportunity to offer a rubric for evaluation or some training on assessing maturity and developing an action plan to create growth.

88% of respondent’s organizations (if you include the “I Don't Knows”) rank short of the top tier, which means there's plenty more work to do in helping cybersecurity departments mature. Again, tools and training for doing this will be helpful and build trust.

Human security/training and identity access management have traction inside larger organizations, so marketers may now be able to focus on speaking to their differentiators rather than just the need to implement a program in the first place.

What are your company's key cybersecurity tech stack component/solutions?

Only 50% report having cyber-risk insurance, representing a big opportunity for growth for insurance providers.

Under 50% have implemented SecOps to-date. This represents a big growth opportunity for vendors and MSPs in this area. An opportunity also exists for messaging around “operational maturity” and tools that enable that. Messaging should reinforce that security needs to become an integrated part of operations as opposed to a bolt-on or an afterthought.

Interestingly, Endpoint Security ranks as the top “key” technology. To some extent, this likely means that even though organizations are starting to train users well (eg. the Human Security & Training item), the primary concern is still protecting the client vector at a technology level.

Any of the areas that are “high-touch” for professionals could be outsourcing and/or automation solutions opportunities.

Drivers/Pains for Action

Phishing is by far the top threat priority, obviously connected to ransomware and malware. Messaging that focuses on prevention, resilience and recovery is likely to resonate.

What threats are you prioritizing right now?

A big opportunity exists if your solution makes patching zero-day exploits easier through automation.

All of the highest-ranked items include “the human element”. People are still the most significant vulnerability. Human element concerns should equate to training opportunities that could be served by vendors or MSPs in the space.

If your solution covers off multiple areas here in an integrated way, that’s a good message. Think of using messaging like “who wants to handle each of these with individual tools?”

If your solution helps reduce cost and boost efficiency, that’s a message that’s going to resonate.


What are your overall corporate IT priorities or investments in the coming year?

Prove how your solution can help. Think of using more case studies, hard numbers (even if anonymous), ROI calculators, guides like “Guide to Cost Optimization and Efficiency in Cybersecurity (or tool/solution area)”.

For modernization or digital transformation projects, messaging around upgrading tools to meet the latest threats or needs could work. Talk about how your solution can accelerate this process. Think about what kinds of content/assets/tools might help your prospects do this.

  • Cloud migration: if your solution dovetails nicely with a cloud story, and you can help them make that move and win, that could resonate well.
  • Compliance and regulatory concerns: Help them solve their pain here. Can your solution make compliance easier to achieve, maintain and report on?
  • Resiliency: Think about how your solution could help prospects map out how to build, test and maintain resiliency.

Note: “Talent” ranks low here–a few takeaways:

Tools that help you do more with less will resonate. Example: if you lose a team member, you’re maybe not backfilling that position. Or from the other angle: if the work demand increases, you’re probably not getting extra team members to help.

  • For the individual: getting raises and new jobs is going to be harder, and the bar will be higher; therefore, any knowledge/training/edge you can give the individual to gain their trust, they’re going to appreciate.

Because security decision makers won’t be able to solve their problems with people, they may be on the lookout for technology that solves the same problems (but which they do have budget for, as opposed to people).

Is That It?

This is just the first article in this series. You can download the full report here. In the next article we will take a closer look at respondent primary motivators can motivate messaging; and outsourcing.


Respondent Details & Disclaimer

For this report, ActualTech surveyed 327 senior cybersecurity professionals and decision makers at organizations of all sizes who have dedicated cybersecurity teams in the United States. Respondents were CISOs, Directors and Managers of Information Security, Data Privacy Officers, Senior Cybersecurity Analysts and similar roles. While all organization sizes were surveyed, the data shown in the charts in Part 1 was filtered for companies of 500 employees or more. Data from organizations below 500 employees is included in the Appendix. The questions were developed in consultation with the Cybersecurity Marketing Society. The results and insights for these survey areas are included in Part two of this report. Cybersecurity marketers can use these data points (and the surrounding takeaways) to better their align product positioning and messaging with real-world customer requirements.

While ActualTech Media is not a professional research firm, our access to the minds and trust of the cybersecurity professionals and decision makers in our audience uniquely positions us to gather answers to questions that other firms may not be able to procure, and then present that data through a marketing lens.  It’s our hope that this report makes your job as a cybersecurity marketer more data-informed and intentional.