What Are Security Buyers Looking For?

The information security market has been a topic of acute interest for quite some time now.  Estimates around the current size of the market range between $75 and $150 Billion. That is far larger than the market was even just a few years ago. That being said, the market is expected to continue to grow at around 10% per year over the next five years. That puts the size of the security market at somewhere between $120 and $240 Billion by 2022.

Although it is difficult to pinpoint the exact size of the security market, one thing is very clear.  There is an incredible amount of investment in people, process, and technology that is expected to continue to grow in the coming years. Yet, with all that investment, if you ask most security buyers what they are looking for, they would probably quote you a line from a famous U2 song: “I still haven’t found what I’m looking for.”

Recently, I attended a few different security events that were relatively well attended.  I happened to notice a few people that I knew to be in “buyer” positions.  It seemed that every time I happened across them during the course of the event, another person in a “seller” position had their ear.  Of course, this is a natural part of professional events.  But if you happen to be in a seller position, take a moment to think about it from the perspective of the buyer.  Perhaps you are the 10th, 50th, or even 100th person that day to grab their ear and make your pitch.

As you can imagine, at some point, everything begins to blend together.  The security market of 2017 consists of nearly 2,000 vendors and upwards of 50 sub-markets.  Let’s make the somewhat generous assumption that a buyer succeeds in remembering the conversation associated with a given business card, follow-up email, or LinkedIn invite. The question then becomes: What was the pitch that was relayed and how did it resonate with the buyer?

Did the pitch perhaps highlight how the product or service, which competes in a crowded market with 20 or 30 competing products or services, is just a bit better than the competition?  Or, perhaps the pitch described a product or service that doesn’t quite fit into the buyer’s strategic plan or budget?  Or, perhaps the pitch detailed a product or service found in a market that the buyer has already invested in?

I could go on, though I’m sure you understand the point by now. The real question is: What are security buyers looking for?  And further, how can sellers understand what buyers are looking for to determine whether or not their offering is a good fit and how best to communicate the value of their offering?  This is where I think benchmarking, assessment, and audit can perform a tremendous service to the buyer-seller conversation.  An added benefit, if you will, to the value they already provide enterprises.  I’ll explain.

Large enterprises with large security teams regularly benchmark themselves, perform assessments, and undergo audits to identify challenges and issues that need addressing. Thus, these large organizations generally have a pretty good idea of what problems need solving.  Consequently, those on the seller side can simply ask those on the buyer side what they are looking for.  Buyers are generally quite happy to share their priorities and plans for the near and even distant future.  If sellers listen acutely, they will find the information they are looking for. I did this quite a bit in my immediate previous role with good results.

But what are small and medium-sized businesses to do? For sure, they also have issues, challenges, and problems that need solving. Unfortunately, in most cases, these businesses do not have the resources, financial or human, to benchmark themselves against others, assess the state of their security programs objectively, and audit their capabilities, despite the benefits of doing so.

Does that mean that small and medium-sized businesses should remain in the dark about where they should invest their resources and time? Or that buyers and sellers should forever remain on different pages when it comes to all but the largest of enterprises? No, of course not. But how can this hurdle be overcome?

In my opinion, this is why the time for automated benchmarking and assessment has come. I’m not an elitist.  Small and medium-sized businesses need the ability to benchmark, assess, and audit just as much as large businesses.  The problem is that the current state-of-the-art for benchmarking, assessment, and audit involves a very manual, labor-intensive process.  While this process works well for large businesses, there are two main limitations here that keep SMBs from leveraging these services:

Cost: Not surprisingly, a manual, labor-intensive process requires people to fuel it.  And in this case, we are talking about highly-skilled, expensive people.  That makes the cost of manual benchmarking, assessment, and audit a fairly high one.  And one that is simply out of the reach of just about all small and medium-sized businesses.

Bandwidth: When a service relies on highly-skilled people, there is a natural bandwidth limitation that occurs. There are simply not enough people with the requisite skills necessary to perform the benchmarking, assessment, and audit services that small and medium-sized businesses would require, even if the price point could be lowered.

Both of these issues highlight the need to automate the benchmarking, assessment, and audit process to enable small and medium-sized businesses to benefit from it.

So, to get back to the original question: What are security buyers looking for? Before we can ask buyers that question, we need to give them the ability to answer it. And to my knowledge, empowering them with automated benchmarking, assessment, and audit tools is a great way to accomplish that.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently a Fraud Solutions Architect - EMEA and APCJ at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
