Why demand generation is the key to growth in IT security

Organizations that embrace demand generation outperform their competitors who stick to traditional lead generation. This not only leads to higher long-term revenue growth but also prevents a trust crisis in the IT security sector. The traditional focus on lead generation often lacks the nuance needed to build trust in the security industry. The question is not whether vendors should switch to demand generation, but how quickly—and whether they can adapt in time to the purchasing behavior of CISOs.

The results are compelling: according to the HockeyStack Q1 2024 Benchmark Report, demand generation outperforms traditional lead generation by a factor of 4.3, with 26% higher win rates and 36% shorter sales cycles.

What is demand generation and how does it differ from traditional lead generation?

Demand generation and lead generation are often used interchangeably, but they have fundamental differences, especially in the security industry, where trust and long-term relationships are crucial.

Demand generation:

1. Creates brand awareness and interest early in the buyer journey
2. Focuses on building trust and authority within a specific audience—become world-famous in your niche
3. Provides unlimited access to valuable content
4. Aims to get on the shortlist of potential buyers
5. Has a longer response time, typically 3-12 months
6. Faces less competition, as buyers who are not yet in-market are less frequently targeted

Lead generation:

• Focuses on direct conversions and collecting contact details
• Offers gated content such as e-books, whitepapers, or webinars to generate leads
• Tries to convert buyers as early as possible in the buyer journey
• Highlights the specific benefits of the product or service
• Aims for sales to reach out to potential buyers
• Has a shorter response time, usually 4-12 weeks
• Faces high competition, as in-market buyers are frequently targeted

The purchasing behavior of the modern CISO

Demand generation is especially relevant for the IT security industry because CISOs (Chief Information Security Officers) and other security decision-makers often build long-term relationships before making a purchase. Additionally, they need to convince multiple stakeholders, making the decision-making process complex.

• 95% of the time, CISOs and security managers are not in “buying mode” (Gartner IT Security Market Report 2024).
• On average, 2,200 content & ad impressions across 220 touchpoints precede a purchase (HockeyStack Q1 Benchmark Report 2024).
• An average of 14.2 stakeholders are involved in security purchases, higher than the B2B average of 12.8 (Forrester Security Decision-Making Study 2023).
• 92% of security decision-makers consult peer reviews before reaching out (G2 B2B Software Buyer Behavior Study 2024).
• 84% of communication happens in private security communities and Slack/Discord groups (Dark Social in Security Report, HockeyStack 2024).

Traditional lead generation marketing no longer works… the CISO’s buying journey has changed. Decision-makers are influenced by other CISOs in private communities. They trust them, which is why demand generation is essential for security companies. This strategy focuses on sharing valuable information and actively engaging potential customers over extended periods, building trust early on.

And that is necessary, because a staggering 80% of security purchases go to vendors who were already on the mental shortlist before the formal buying process (Bain & Partners B2B Security Buyer Research 2024).

How do you measure success in demand generation?

To measure the successful outcomes of demand generation, you can focus on various metrics that go beyond traditional lead generation. Here are the key ways to measure success:

Metrics focused on awareness and engagement:

• Branded search and website traffic: Measure the number of visitors and searches related to your brand name and Ideal Customer Profile (ICP).
• Social engagement and click-through rate (CTR): The level of interaction and engagement on social media, which is essential for strengthening your presence in relevant security communities.
• Retargeting audience: The size of the audience that regularly returns and engages with your content, indicating the effectiveness of your demand generation efforts.

Metrics focused on conversion:

• Pipeline value: The revenue value of deals generated from your marketing efforts.
• Lead conversion rate: The percentage of leads (“hand raisers” in demand generation—people who reach out on their own) that actually convert into business.
• Sales cycle: The time from first contact to deal closure. Depending on the type of product, this can range from 3 to 12 months in the security industry.

Metrics focused on growth:

• Revenue and customer value: How much revenue does demand generation generate for your organization, and what is the long-term value of customers acquired through this strategy?
• Customer satisfaction: Measure the satisfaction of customers who have been attracted through demand generation.

By combining these metrics, you gain a holistic view of the impact of your demand generation efforts, with a focus on the quality of engagement and actual business results.

Case study: a security company transitioning from lead generation to demand generation.

Let’s take an example of an organization that has implemented both traditional lead generation and demand generation, focusing on security:

Old approach (2022):

• 1200 MQLs per quarter
• 3% conversion to SQL
• Average sales cycle: 9 months
• Win rate: 12%

New demand generation approach (2023):

• Focus on thought leadership content around Zero Trust
• Weekly security podcast featuring CISO interviews
• Active participation in private security communities
• Free security assessment tools with no forms

Results:

• 65% increase in inbound demo requests
• Sales cycle reduced to 5.5 months
• Win rate increased to 28%
• 82% of deals now come from inbound

This demonstrates the effectiveness of a demand generation approach that focuses on long-term relationships and content-driven engagement rather than immediate conversion. (Source: CyberGuard Solutions Annual Marketing Report 2024).

The future of security marketing?

The future of security marketing lies in building trust before the buying phase. It’s no longer about generating leads but about developing thought leadership and demonstrating technical expertise without direct sales pressure.

• Building trust before the buying phase by actively contributing to the security community and focusing on education. Examples: share real-time threat intelligence, offer free (ungated) security tools, conduct independent research and publish peer insights, or host CISO roundtables.
• Is your target audience in-market? Provide proof-of-concept trials—a risk-free way for prospects to test and evaluate your solution. Or assist them in making the best decision by offering a customized security assessment.

For security vendors, the question is no longer if they should transition to demand generation, but how fast they can make this shift to stay relevant before the CISO starts searching.