The content CISOs need from security solution providers

Among many other things, a content marketer’s job is to provide prospects and clients with the information they need to make educated buying decisions. A recent study sheds some light on the content CISOs need to be successful, and that empowers them to purchase your security solutions.

One of the security industry’s favorite mantras is, “It’s not if you’ll be attacked, but when.” Turns out, content marketers may be preaching to the choir. According to research from Kaspersky Lab, 84% of CISOs in North America believe cybersecurity breaches are inevitable. CISOs globally report that financially motivated criminal gangs and malicious insiders are the biggest IT security risks their businesses face. The most critical consequences of a cyberattack are reputational damage (28%) and financial damage (25%).

So, what’s the issue? Turns out, even though 60% of North American survey respondents expect their security budgets to increase in the future, CISOs are having difficulty getting the funds they need to protect their organizations. The problem, says Kaspersky: “It’s almost impossible for [CISOs] to offer a clear return on investment (ROI) or 100% protection from cyberattacks.” In fact, more than a third of CISOs report that they can’t secure their required IT security budgets because they can’t guarantee there won’t be a breach.

Therein lies the opportunity. Boards of directors must be educated on the inevitability of an attack and how today’s technologies reduce risk. Executives must understand the difference between allowing an attacker to run rampant in the IT environment and having the capabilities in place to identify and shut down malicious activity before it leads to real damage. Executives need to learn that security strategies must evolve if there’s any hope of surviving a breach.

Meanwhile, CISOs and other security leaders must learn how to measure and communicate risk levels in terms that executives will understand. They need to learn how to explain concepts like dwell time, mean time to detect, and mean time to respond.

That’s where your content comes in. With only 26% of security leaders reporting that they are members of the board at their respective businesses, we can reasonably assume that these leaders can benefit from content that will help them engage and educate top decision makers. Provide content that educates security leaders on how to bridge that gap between the security organization and the business. Give security leaders insights into the boardroom and how to facilitate change. Offer easily digestible content that can be distributed to business executives.

In other words, help security leaders help themselves. Because ultimately, it won’t matter how much your prospects believe they’re under attack if they can’t communicate that effectively to those who control the purse strings.

Spending on information security still favors preventive measures

Worldwide spending on information security products and services is increasing. That’s the good news. The bad news is that organizations continue to favor preventative measures over detection and response – which is key to fighting advanced persistent threats (APTs).

According to Gartner, worldwide spending on information security products and services will reach $81.6 billion this year, an increase of 7.9% over 2015. Preventive security will continue to show strong growth, as many security practitioners continue to prefer preventative measures.

On the one hand, it’s no surprise that security practitioners continue to invest in preventive measures rather than divert some of those funds to detection and response. Security teams are resource strapped. They don’t have the people and skills to deploy, manage and use an effective combination of tools to detect threats, stop them, and then recover the environment to a known good state. So instead, they’re pouring almost everything they’ve got into prevention.

On the other hand, it is well known (I thought?) that preventive measures do not stop APTs. Today’s threats can evade preventive controls and sit on the network for any length of time before they are finally detected – if they are detected.

Gartner reports that consulting and IT outsourcing are currently the largest categories of spending on information security. This could be IT organizations’ saving grace. Gartner reports that managed detection and response (MDR) is emerging, with demand coming from organizations that don’t have the resources to do it themselves. With more MDR providers emerging to target the midmarket, Gartner foresees these services being an additional driver for security spending for both large and smaller organizations.

In addition, solutions such as security information and event management (SIEM) and secure web gateways (SWGs) are evolving to support detection-and-response approaches. Gartner expects the SWG market will maintain its growth of 5 to 10% through 2020 as organizations focus on detection and response.

Takeaways for technology marketers

If your company provides a detection-and-response solution:

  • Continue to drive home the message that preventive solutions do not stop APTs and that a modern security strategy requires detection and response.
  • Create content to help security practitioners make a business case for your solution.
  • Highlight in white papers, blogs, etc., how your solution makes it possible for even resource-strapped organizations to have an effective detection-and-response strategy.

Other notable statistics

Gartner also reports:

  • The average selling price for firewalls is expected to increase by at least 2 or 3% year over year until the end of 2018.
  • By 2018, 90% of organizations will implement at least one form of integrated data loss prevention (DLP), up from 50% today.
  • Public cloud adoption will impact firewall spending by less than 10% until the end of 2019 but will have an impact after that.
  • Half of midsize and large organizations will add bigger, more advanced inspection-oriented features to their network firewalls by 2019.

Top cloud infrastructure service providers

When IT organizations evaluate cloud infrastructure providers, the same two consistently rise to the top: Amazon and Microsoft. That’s not likely to change any time soon.

According to Synergy Research Group, Amazon and Microsoft lead the cloud infrastructure service market (Note: This includes IaaS, PaaS and hosted private cloud). Amazon is three times the size of Microsoft and has a clear lead in all major regions and most segments of the market. However, Microsoft is growing much faster, with a 100% year over year growth rate compared to Amazon’s 53%. This isn’t surprising when you consider that enterprise IT organizations are already familiar with Microsoft tools. Transitioning to Azure presents a much lower learning curve than AWS.

IBM and Google round out the top four cloud infrastructure providers, which together account for well over half of the worldwide market. These providers are growing more rapidly than their smaller competitors, with combined revenues growing 68% in Q2. The next 20 largest cloud providers – which include CenturyLink, Hewlett Packard Enterprise, Rackspace and Oracle – grew by 41%.

Other notable stats:

  • Synergy estimates that quarterly cloud infrastructure service revenues (including IaaS, PaaS and hosted private cloud) have reached $8 billion.
  • Twelve-month revenues are close to $28 billion.
  • North America accounts for over half of the worldwide market.

More stats: Amazon Leads; Microsoft, IBM & Google Chase; Others Trail