6 CISOs share their game plans for a post-pandemic world

Like all business leaders, chief information security officers (CISOs) have shifted their roles quickly and dramatically during the COVID-19 pandemic, but many have had to fight fires they never expected.

Most importantly, they’ve had to ensure corporate networks remain secure even with 100% of employees suddenly working from home. Controllers are moving millions between corporate accounts from their living rooms, HR managers are sharing employees’ personal information from their kitchen tables and tens of millions of workers are accessing company data using personal laptops and phones.

This unprecedented situation reveals once and for all that security is not only about preventing breaches, but also about ensuring fundamental business continuity.

While it might take time, everyone agrees the pandemic will end. But how will the cybersecurity sector look in a post-COVID-19 world? What type of software will CISOs want to buy in the near future, and two years down the road?

To find out, I asked six of the world’s leading CISOs to share their experiences during the pandemic and their plans for the future, providing insights on how cybersecurity companies should develop and market their solutions to emerge stronger:

The security sector will experience challenges, but also opportunities

The good news is, many CISOs believe that cybersecurity will weather the economic storm better than other enterprise software sectors. That’s because security has become even more top of mind during the pandemic; with the vast majority of corporate employees now working remotely, a secure network has never been more paramount, said Rinki Sethi, CISO at Rubrik. “Many security teams are now focused on ensuring they have controls in place for a completely remote workforce, so endpoint and network security, as well as identity and access management, are more important than ever,” said Sethi. “Additionally, business continuity and disaster recovery planning are critical right now — the ability to respond to a security incident and have a robust plan to recover from it is top priority for most security teams, and will continue to be for a long time.”

That’s not to say all security companies will necessarily thrive during this current economic crisis. Adrian Ludwig, CISO at Atlassian, notes that an overall decline in IT budgets will impact security spending. But the silver lining is that some companies will be acquired. “I expect we will see consolidation in the cybersecurity markets, and that most new investments by IT departments will be in basic infrastructure to facilitate work-from-home,” said Ludwig. “Less well-capitalized cybersecurity companies may want to begin thinking about potential exit opportunities sooner rather than later.”

Colin Anderson, CISO at Levi’s, agrees that spending on security software will decrease during the next 18-24 months, likely down 20-30% compared to pre-pandemic. Anderson noted that the largest drop-off in spending will be from companies in consumer-facing industries such as travel, retail and hospitality, where spending could fall by 50% or more until 2022, or even later. However, he points out that “technologies to help secure organizations that have embraced a remote-work world will gain traction and see continued growth, including identity and access management (IAM), Zero Trust and endpoint solutions.”

Despite the unpredictable economic situation, Elwin Wong, CISO at Ross Stores, will continue investing in security solutions during the next two years. He expects to see a continued surge toward investments in security products that support the remote workforce, collaboration and bring-your-own-device (BYOD). He also expects to focus on improving and expanding upon his company’s business continuity plan and believes “new security products and services that enable or simplify the management of business continuity could gain considerable traction.”

Security startups should adapt quickly to thrive

Companies selling security software will need to adapt their business strategies to survive the next 18-24 months and come out the other side stronger. The pandemic has shifted CISOs’ mindsets about which security applications are most critical, and they’ll be looking for products that meet newfound business challenges. Top of mind for many CISOs are questions about the long-term viability of remote work, handling bandwidth surges, securing networks and physical premises when no one is on site, and more. Security vendors whose products are not flexible enough to accommodate the new reality, such as those with restrictive licensing terms or whose products are not designed to support work-from-home flexibility, will struggle to maintain customers, said Ian Amit, CISO at Cimpress.

COVID-19 made it clear that it is not enough for security solutions to support normal business operations; they need to hold up in a crisis as well. CISOs have always prepared for a doomsday scenario, but the pandemic has shown them just how comprehensive their disaster plans need to be. Security vendors need to ensure that, beyond holding up in the current predicament, their solutions can withstand future disruptions as well. They must have a solid disaster plan in place, outlining how they, as a security service provider, can withstand and continue providing protection under even extreme circumstances.

Working one-on-one with customers to understand how the pandemic has impacted their business outlook for the next two years is essential, said Amit from Cimpress. Understanding customers’ challenges has the potential to enlighten the vendor about areas of opportunity and growth for their own offerings. “Understand what the business has gone through and where it’s headed and seek lessons learned from the pandemic,” he said.

One way forward for startups could be to recalibrate their offerings to make sure they are hitting the right notes with prospective buyers. Vendors need to make sure they don’t ask customers to do any heavy lifting during a crisis situation and that their solution can rise to huge challenges on its own. Especially these days, CISOs are looking to buy products that leverage existing investments and don’t require net new infrastructure spend.

“Many of us are dealing with data lakes of several petabytes and we need smarter technology to help,” says Levi’s Anderson. “Enterprises already have a solution to manage the vast amounts of data they have in their environment so it will be more efficient to tap into those instead of expecting us to create new ones for each solution.” He adds that as cybersecurity continues to be a big data problem, vendors will need to double down on automation and orchestration and improve APIs.

Tips for selling security software during and post-pandemic

Breaches, hacks, intrusions, leaks and other nefarious activities won’t go away now or in the future, so CISOs will continue to need security solutions. However, in a post-pandemic world, selling security software will look a bit different. So how can cybersecurity vendors adapt their go-to-market strategy to get CISOs’ attention and budget in the next 12-24 months?

Rubrik’s Sethi said the best way to increase sales during and after the pandemic is to practice empathy. Instead of bombarding customers with sales pitches, try to understand the challenges they may be going through due to the changing business environment and what their needs will be post-pandemic. “The number of vendor emails using the pandemic to sell rather than to check in and see how potential customers are doing is disappointing,” said Sethi. “Those companies that have stayed in touch with customers and prospects and have genuinely cared about them through this crisis are the ones that will be successful post-pandemic.”

Now more than ever, it’s important for startups to truly understand their buyers as well as their current challenges, ServiceMax CISO Al Ghous agreed. And it’s also key to lead sales with a solution mindset that is more elevated than selling point products. “Many vendors are focused on selling products and not solutions to solve problems; instead, it would be best for them to start with understanding the prospect organization, how they approach certain things, their challenges and then work with them to propose a solution,” he said.

When proposing a solution, security providers should be adaptable with their value proposition. In normal times, a vendor might have chosen one or two unique angles to lead a sales pitch. But the pandemic calls for reshaping and restructuring the pitch according to what’s top of mind for buyers, right now and in the foreseeable future. For example, many companies had to downsize, so vendors can address how their solutions mitigate this gap by highlighting ease of setup, maintenance and use.

In today’s special circumstances, it’s also critical for sales teams to position themselves in a trusted advisory role, building communication toward a long-term partnership as opposed to a short-term transaction. Being knowledgeable and sensitive to the impact COVID had on the prospect’s business is a critical stepping stone. Then, sales can focus on finding ways to provide prospects with unique value in mission-critical areas. “For example, if a prospect has a gap in their security program around protecting their mobile workforce, you could help educate them on the risks and provide insights and metrics into what their peer companies are doing to solve similar issues,” said Ross Stores’ Wong.

And, lastly, vendors need to have patience and remember that selling software won’t be business-as-usual for several months. Right now, many customers and prospects are in adjustment or self-preservation mode. Existing customers may be interested in purchasing additional functionality to solve immediate problems caused by the shift to work-from-home, but they won’t necessarily have the mindset to invest in new solutions right now.

“There are a lot of distractions at the moment, so I expect that for the next couple of months it would be pretty tough for new companies to get our attention. Once things calm down, I think that value and fit-to-purpose will be a focus for most companies,” Ludwig said.

Security vendors should be mindful that selling is not only the sales team’s role. Actually, every person in their company is a sales person — from the product marketer to the support agent — and they should all work together to create the best experiences for prospects and customers alike. As such, this is the time to double down on customer success; vendors need to make sure their support and success teams are working round the clock to ensure existing customers are happy and to fix any issues that might arise.

Prospects that were already in the pipeline pre-pandemic need to be nurtured closely. Because in-person interactions to close deals are no longer possible, regular video meetings should be conducted. Vendors can also think about extending special discounts or payment terms if prospects agree to close a deal in the next few weeks or months.

Everyone in the security sector, including vendors designing new solutions and CISOs implementing technologies to keep their employees, network and corporate assets safe, has been impacted by the pandemic. But with determination and cooperation, vendors and security teams can come out of this crisis stronger — creating, adapting and implementing new tools to cater to the ever-changing security landscape.