Looking beyond the CISO: other IT security buyers

When I started my CISO research, I asked myself: Are CISOs the right audience for security vendors? Looking at the number of CISOs in the Netherlands (only 1100) and the big differences between organizations, I’d argue that in many situations, they are not the right target audience.

So, who do you focus on instead? It starts with differentiating between buyers and users of products and services. In this article, I look into the options.

Are you interested in more research about “the CISO”? Read my previous articles:

Research methodology

This research is based on publicly available LinkedIn profile data of CISOs in the Netherlands. The dataset includes organizational information such as company size and industry, all sourced from public profiles. All data was anonymized to protect privacy, with personal identifiers removed during analysis. Important limitation: the analysis is limited to CISOs that have a LinkedIn account.

The limits of CISO targeting

Consider a specific threat intelligence tool focused on application security. Would a CISO be the primary decision-maker for such a specialized solution? Unlikely. While they might sign off on the budget, they rely heavily on their technical teams’ expertise for evaluation and implementation. They simply can’t be experts in every security domain.

This disconnect between decision authority and technical expertise creates interesting dynamics. CISOs often serve more as facilitators than decision-makers for specialized tools. They coordinate between technical teams that understand the requirements and executive leadership that controls budgets. However, they rarely have the deep technical knowledge to evaluate specific solutions like threat intelligence, application security, or OT security.

Some CISOs do have the technical knowledge. But once someone starts managing a team, the natural move is to step back and focus on strategy and guidance rather than staying involved in individual decisions. That’s why most CISOs will depend on their teams for technical evaluations.

The CFO fallacy

Some marketers have recently argued for targeting CFOs, citing their budget control. While this sounds logical at first glance, it misses a crucial point: budget authority doesn’t equal technical decision-making capability. Yes, CFOs are important stakeholders, especially with regulations like NIS2 increasing security accountability. But running marketing campaigns specifically targeting CFOs? That’s missing the mark.

The push to target CFOs stems from a simplistic view of organizational decision-making. The logic goes: “CFOs control budgets, therefore they control purchasing decisions.” However, this ignores the complexity of technical procurement processes, especially in security. CFOs might have final budget approval, but I doubt they’ll ever call the CISO to say: “I just saw this ad. Are you aware we have this risk, and have you considered buying a solution?”

Moreover, targeting CFOs with technical security solutions can actually backfire. Most CFOs aren’t interested in the technical details of security products – they care about risk management and business impact. While they should certainly be involved in major security investments, they’re rarely the right entry point for specific security solutions.

Looking up and down the hierarchy

Where should vendors focus if neither CISOs nor CFOs are the ideal target? The answer lies in understanding the full spectrum of security decision-makers and influencers within organizations. Two main approaches emerge, each with its own advantages and challenges.

Moving up the chain

  • CTOs (over 3,000 in the Netherlands)
  • CIOs (more than 1,000)

These roles often have the technical understanding and budgetary authority to make meaningful decisions about security investments. They typically have a broader view of the organization’s technical landscape and can better evaluate how security solutions fit into the overall technology strategy.

The advantage of targeting these roles is their combination of technical knowledge and decision-making authority. CTOs and CIOs usually understand security investments’ technical requirements and business implications. They’re also more likely to have direct budget control and the authority to make strategic technology decisions.

Going bottom-up

LinkedIn shows over 19,000 people in the Netherlands with “information security” or “security” in their job titles. Roles vary from teachers and auditors to security architects, engineers, and developers – the people who actually implement and work with security solutions.

This bottom-up approach recognizes that many security purchases start with technical teams identifying needs and researching solutions. These practitioners often have the deepest understanding of specific security challenges and are frequently the ones who initially champion particular solutions to their leadership.

[Table: number of security roles in the Netherlands, broken down by area]

A practical example

Consider local government security in the Netherlands. There are roughly 200 municipal CISOs – a relatively small target market. However, when we expand our search to people in “information technology” roles within these organizations, we find over 14,000 potential contacts.

This dramatic difference isn’t just about numbers – it reflects the reality of how security decisions are made in these organizations. While a municipal CISO might set an overall security strategy, the actual evaluation and implementation of security solutions often happens at the IT team level.

Furthermore, these IT professionals often significantly influence security purchases, even if they don’t have direct buying authority. They’re the ones who will actually use the tools, maintain the systems, and deal with any implementation challenges. Their buy-in is crucial for successful security deployments.

Rethinking target audiences

The key is understanding the decision-making process for different types of security solutions. This varies significantly based on the type of solution and its impact on the organization.

Strategic solutions (e.g., security frameworks, GRC platforms):

  • CISO involvement crucial
  • C-level approval needed
  • Long sales cycles
  • High-touch engagement required
  • Often require broad organizational buy-in
  • Impact multiple departments or teams

Tactical solutions (e.g., specific security tools, threat intelligence platforms):

  • Technical team evaluation crucial
  • CISO might only be involved in final approval
  • More technical sales process
  • Product capabilities matter more than executive relationships
  • Often can be implemented within existing workflows
  • May need minimal organizational change

This suggests a more nuanced approach to market targeting that considers both the nature of the solution and the organizational context:

  1. Know your solution type
  • Is it strategic or tactical?
  • Who will actually use it day-to-day?
  • What level of technical expertise is needed to evaluate it?
  • How does it fit into existing workflows?
  • What organizational changes might it require?
  2. Map the decision-making process
  • Who influences the decision?
  • Who needs to approve it?
  • Who will implement and maintain it?
  • What are the budget thresholds for different approval levels?
  • How do technical and business requirements align?
  3. Target accordingly
  • Focus marketing efforts on actual users and evaluators
  • Include strategic stakeholders where appropriate
  • Build relationships at multiple levels
  • Develop different messages for different audiences
  • Consider organizational dynamics

What can you learn from this?

The security market’s fixation on CISOs as the primary target audience needs reevaluation. While CISOs are crucial in security strategy and budget approval, they’re often not the best entry point for specific security solutions.

Success requires understanding the broader security ecosystem within organizations and targeting marketing efforts accordingly. This might mean developing different messages and approaches for different roles – technical content for practitioners, business cases for executives, and compliance frameworks for risk managers.

The goal isn’t to ignore CISOs but to recognize them as part of a larger decision-making ecosystem. We can engage more effectively with security stakeholders by broadening our view beyond the CISO’s office. This more nuanced approach might require more effort, but it’s likely to yield better results than focusing solely on a limited pool of CISOs.

Michelle Wols

Michelle is an expert in understanding target audiences in security and IT, and transforming the product positioning of complex products into sharp, compelling marketing strategies that hit the mark.