We wondered about the key characteristics and requirements of IT security solution buyers – what they’re thinking and what’s driving their behaviors – so we conducted a survey with Gatepoint Research. While the survey touched on a number of pressing issues, and the resulting market brief is deep with insight, for this post we’re exploring just one key topic: who are the primary buyers of IT security solutions, where do you find them, and what are their titles, responsibilities, and characteristics? (Note: for the full read, follow the link at the bottom.)
To better understand our target audience, we’ll begin with a short overview of their context:
What’s motivating buyers? The challenge:
Cyber attacks are increasing both in number and sophistication. This clear risk to organizations has elevated information security to a key strategic concern in the vast majority of boardrooms.
Who is making buying decisions? The decision-making process:
While senior management is indeed concerned with security, most management teams delegate purchase decisions on IT security solutions to IT professionals and their management – the appropriate CxO or VP.
Customarily, the technical staff recommends upwards to the CIO or Chief Privacy Officer (CPO), who is primarily concerned with budgetary considerations and rarely questions those recommendations. Typical budgetary authority for enterprise-level organizations runs from $250k to $1m. In general, IT security solution decisions are made by committee:
“The decision is a collective decision: the technologists talk with vendors and have a technical evaluation; business managers work on the commercialization issues and skills needed versus available; purchasing gets involved with pricing and T’s & C’s; sign-off is by the CSO who is a VP-level executive. One person cannot sign off on a security.” –survey respondent
Where are the buyers? Industry segments and hot markets:
In mature markets, financial services firms are focused not only on protecting access within their own networks, but are also considering the vulnerability of their extended vendors’ networks and the full chain of custody for transactions.
At the other end of the spectrum, strong emerging markets are retail and healthcare. The recent spate of thefts of sensitive customer data (most notably, credit card records) from major retailers has exposed security needs and prompted investment. For healthcare companies, the security of patient information has long been an issue, but the more recent electronic implementation of patient records systems has created new and larger security concerns. In these organizations, security solution decision makers are likely to be part of a customer privacy organization, perhaps under a CPO, rather than directly part of the IT organization.
Key responsibilities of IT security decision makers:
Among the most pressing responsibilities for IT security decision makers are ensuring regulatory compliance (such as SOX 404, GLBA, OCC, OTS, FFIEC standards, HIPAA), as well as compliance with internal and external audit processes. Part and parcel of this is the development and management of information security strategy and risk mitigation, including:
- Governance, risk and compliance policy drafting, formulation and analysis.
- Creating action plans.
- Disaster recovery/business continuity (DR/BC) and IT security risk assessment, IT audit, and IT vendor management.
- Security information management tool selection and implementation.
- Architecture and implementation of information security and DR/BC applications.
- Project life cycle management.
Key concerns and attitudes:
The growing sophistication of cyber threats requires a corresponding, proactive growth in organizational capabilities to protect systems and make unauthorized access harder. Although this is a critical component, it is sometimes frustrated by a lack of budget, resources, or senior management support. Yet experts agree that the vast majority of threat mitigation is ultimately non-technical and an issue for better governance and employee training. The emerging trends of cloud computing, mobile computing, and BYOD all pose significant end-user vulnerabilities which need to be explicitly addressed with good governance.
Implications for vendors:
These pressing concerns of IT security solution buyers create a significant opportunity for vendors to provide timely and much-needed solutions. On the technical side of this equation, buyers require the ability to deal with advanced threats, including support for cloud-related Big Data, mobile, and BYOD scenarios. Vendors who can package these technical components in a user-friendly, easily adopted and deployed format will position themselves well to aid buyers in addressing their non-technical security issues – namely, employee compliance with BYOD and smartphone policy through easy-to-use solutions that add value.
For further insight into the needs and mindsets of IT security solution buyers, read our full report which includes the following topics:
- What’s happening to IT security budgets in 2014?
- What are the top IT security priorities in 2014?
- What are the biggest causes of vulnerability?
- How satisfied are IT security professionals with their current solutions and security capabilities?
- How do IT security professionals buy?
- What do IT security professionals expect from vendors’ sales reps?
About SimplyDIRECT:
SimplyDIRECT with its subsidiary Gatepoint Research designs, drafts and deploys opt-in, invitation-only surveys to management-level executives within leading technology companies. Using web, phone and email-based data collection, its cutting-edge IT trends research and data analysis helps in the generation of custom reports and thought-leadership content.