Key Cybersecurity Buying Trends for 2025: Must-Know Insights for B2B Marketers!
Scott Lowe, co-founder of ActualTech Media, unveils critical insights from the 2025 Cybersecurity Buyers Guide, a must-have resource for B2B tech marketers. This data-driven report reveals how cybersecurity budgets are increasing, decision-making processes are evolving, and why direct vendor sales are now preferred. Marketers will gain actionable insights on buyer behavior, spending trends, and how to align their strategies with real-world demand. Plus, learn why fear-based marketing doesn't work and how to refine messaging for maximum effectiveness.
Download the full Cybersecurity Buyers Guide.
In case you missed it, here's the transcript...
Gianna Whitver (00:06):
Hello. Hello everyone. I am so delighted to introduce Scott Lowe, co-founder and advisor of Actual Tech Media, a future B2B company, and one of our valued platinum sponsors. I'm so excited he is going to dive into this report that we have been working on for a really long time. Mostly he's been working on, honestly a little less on me, but the 2025 Security Buyers Research report debuting the data and statistics from the results of the survey and research that actual tech media a future B2B company has done. Scott, thank you so much for being here.
Scott Lowe (00:44):
Happy to be here.
Gianna Whitver (00:45):
I feed the stage to you.
Scott Lowe (00:46):
Thank you. I know you were supposed to have two people on stage today and you're getting ripped off because Dr. John Honsel is sick, so I have to do this alone, but I promise to do a good job. Thank you all for coming today. I'm really looking forward to revealing the results of our research. There we go. He's sick. The guy at the top. I can't say what you're seeing. There we go. Who was here last year? Who came to this session last year? Do you anybody remember? So Ainsley. So last year one of my partners, Jordy Carswell did this report for everybody and we featured a number of key statistics around cybersecurity buyer behavior back in 2023 and going into 2024. I ran into somebody in the elevator last night going into my room and I forget what company she was from, but she actually said that she used that report to justify to her superiors about starting a webinar series for her company.
(01:48):
They actually had not done webinars before. They heard from somewhere that webinars were dead. Well hint, they're not. And so she actually launched a webinar series. They had a plan to do 12 and they ran six and they landed a whale. They got a hundred thousand client from one of those webinars. So that was really gratifying to hear that the research we did helped someone directly launch a new marketing program and get such success from that program. Jordy did a great job last year. Sadly, Jordy's no longer with us. He's alive. He's just not here.
(02:26):
So there's a number of key takeaways that we want to kind of start with. I don't like to bury the lead. So we have a lot of significant findings from this year's report, and at the end I'm going to ask all of you a very important question, so please don't leave before the end because you're all going to be involved in the creative next year's report. So some of this is very obvious when you do research like this, all the answers aren't necessarily going to be these. Wow, these are things we've never thought we'd hear. Some of things are very obvious. One of the questions that's so obvious is, why are you doing all this security stuff? And most often it's because they want to get ahead of things. They're being proactive in their outreach, they're being proactive in their preparations for what they're seeing in their environments.
(03:13):
When we think about the buying cycle, I think that who here sells cybersecurity marketing tools or services? A lot of hands should go up on that one. We all want hear. As soon as our clients leave budget, they go get it. Well, the reality is only 25% of respondents can get the budget together in about within six months. So when we think about buying cycles as marketers and to our sales teams, we have to take all that into consideration when we think about where they buy. I come from a traditional IT background. I was a CIO for a number of years before starting actual tech, and we've always bought through VARs. Well, when we think about where people want to buy today, especially in our software as a service-based world, people go directly to vendors. In fact, 47% of the time people said they prefer to buy direct.
(04:03):
Now the other time, it's not that they don't necessarily want to buy direct, they just want to buy from someone that can help them deploy it. So that's why the channel is still so important to pretty much everybody in this room, probably in some way, shape or form. And in terms of who makes decisions, it's still most often IT management with a close. Second being the ciso, there's tons of overlap there. A lot of times the CISO's in the IT group, sometimes it's not. That's a little hard one to actually break down further. One of the things that we do in our report, we have a few copies at the booth. It's also available on our website@actualtechmedia.com for download. We break it down with guidance specifically for all of you. So what do marketers need to know and how do you need to think about in context all of the stuff that we're talking about in this report?
(04:50):
All right, A few other sort of overview things. This year we broke it down by some additional data points. So you all have different ICPs ideal client profiles. Some of you go after small companies, some of you go after large companies. We broke the data down that way this year to try to help all of you target better the work that you need to do to get in front of your ICP. And again, we provide that mark that guidance for all of the data points in our reports. So the big stuff, cybersecurity, people feel like they're making progress most often. They're not going to say that they aren't. So that's probably a little people overestimating what they're doing. But in general, over 20, 24, 20 20 threes report, they feel like they're making progress. Most importantly, you guys would be happy to hear they want to spend their money on security tools and we'll show you some charts about that in just a second.
(05:45):
They want to work more closely with vendors. And I know this probably comes as a massive surprise. Humans remain the weakest link in the security chain. So I'm sure that none of you are exactly shocked by that. So share of budget. So you can see the chart on the screen. When we think about the amount of the whatever budget this comes from the IT budget, the general operations budget, whatever on the share of the budget. Dedicated cybersecurity has increased a bit year over year, but just over 50% of respondents are spending between 11 and 30% of their IT budgets now on information security tools. That's not an insignificant amount of money in a lot of organizations, especially when there's so many competing demands for other IT things. And only 11% of respondents were spending less than 10%. So there is significant spending taking place for cybersecurity tools across organizations of all sizes.
(06:48):
And as you start to think about your 2025 plans lands this, and I'm sure some of you have either thought about them or you're in the process of this is important, people have money to spend and they're willing to spend it. They're dedicating big swath of their budget to information security, it gets by company size. This is where I think things get real. I really like breaking things down by these kind of data points because I think this is where you sort of start to see some of the differences in the market. In smaller organizations, they're far more likely to be spending less on as a percentage of their budget on information security tools. And this makes sense, right? Smaller organizations, which we define as under 100 employees spend, 25% of them spend less than 10% and they've got lots of other demands and they also have it's much smaller budgets to work with. So they're just a smaller piece of the a smaller full pie to work with. So when we start to think about medium and larger organizations, which I'm sure most of you, if you think about your ICP focus on larger companies, how many of you focus mostly on under 100?
(08:02):
Nobody under 100 employees, right? I wonder why. I'm kidding. Probably partially because of this. So again, as you're developing your ICP, this is a good justification for why many of you don't focus on the smaller side of the thing. So when we think about the amount of the check, when we cybersecurity checks, we label it this because this is basically where you're putting your, what you are actually focusing on is what's a priority. When we look at last year's report, the focus of then the people last year, 44.8% said that cybersecurity would be a significant focus for them in 2024. This year, 55% said it's going to be a significant focus in 2025. And as I put in the report, this is the very definition of the iron being hot and you should probably strike, this is a place where we see an appetite for spending and hopefully that yields some gains for all of you.
(09:03):
Oops, I think I skipped one. Yeah. Again, when we think about the company size, this is actually an interesting one. It makes it look like larger companies are not putting as much of a focus on this in 2025. However, when we start to look at other data points, the reason for that is they've already put a focus on it for the past few years. I mean, larger companies have additional compliance requirements, regulatory requirements. In some cases the SEC is demanding some things that are not being demanded of smaller organizations or non-public organizations. So they've already had this as a focus for a number of years, and so our smaller and medium sized organizations are starting to feel some of that pain and starting to see or suffer from attacks that are making them have to make this more of a focus. This is why we see basically 57% of small and medium organizations making this a focus, more of a focus in 2025.
(09:56):
Now, what this also says from a marketing standpoint, those of you that aren't looking at smaller companies, there may be opportunity there, especially in the medium side. If you're not looking at medium, which we define as 100 to 999, and you should be thinking about that. We also think about this from a product management perspective. If you don't have skews that support small and medium sized organizations, there may be missed opportunity right now that you might be wanting to think about. Now, obviously super small organizations create other challenges, but those medium sized organizations could be ripe for the picking as we go into 2025. By the way, I'm happy to take questions throughout. Want me to stop and explain something more? I'm happy to do it. Any questions so far? All right, people, I already told you that people provide the problems Ever since the advent of computers, people have been the problem and that holds true to this day.
(10:58):
This charts, if you're having trouble following it, follow the lines, but the top five problems that we identified in the report and that people ranked as their number one challenge that they are seeing are all to do with people phishing attacks. That's usually because of a human weakness. We don't have machines responding to emails on their own and providing social security number for every employee and things like that. Now we're attacks again, often due to that happens because of a phishing attack, password attacks, ransomware, social engineering, all people problems. As we start to get out of the people problems, again, it doesn't matter about company size, regardless of size, people are the problem. So if you just fire all the people, we're good, but that's probably not going to happen. So then we get into some of the non-people problems, even though people are still the problems, denial of service shadow, it, supply chain attacks, and we don't see on the top five, we don't see tons of variants.
(12:02):
We start to see that a lot at the bottom. By the way, this is all in the report as well. So that's available for download, like I said@actualtechmedia.com. So for marketers, if you aren't already, the human angle is never a bad thing to be talking about in your messaging. I'm sure you already do to an extent, but even if you're talking about physical security breaches or insider threats, there's still a people angle on all of this stuff that we should be thinking about. I want to talk about, yeah, and I'm going to skip this slide.
(12:38):
So one of the things that I don't particularly like is fear. In fact, I was talking to somebody this morning about fear-based marketing. How many of you have marketing that tries to scare the crap out of your potential customers? Does it work, right? So I understand that fear works, right? Negative emotions get the most attention. Just look at social media. I mean the negativity far outweighs a lot of the positivity. And this also happens in our marketing. It feels like the negative marketing, fear-based marketing works because we're trying to induce some kind of fomo, fear of missing out or fear of being attacked. Fba, I guess as we can call that. And I think that's good in moderation, and I do think that there's a way to responsibly harness this kind of messaging. But I can say that in talking to people, end users and analysts, there's a line somewhere, don't know what that line is, but where it starts to go from this is really helpful to, wow, this really sucks.
(13:49):
I don't want to hear this anymore. So I would strongly suggest if you have a heavy reliance on fear-based marketing, try to dial it back a little bit and look for other outcomes that people can achieve to help address some of the challenges. So I was at ICIO for a long time and I heard the phrase shadow IT more than I ever wanted to hear it and forever it was the number one problem to do with security. One of the really interesting things this year, this is sort of an aside data point, is shadow. IT has kind of gone back into the shadows for most. And you saw in the previous slide it was actually towards the bottom for large and medium companies and a little bit higher for small companies. Smaller companies tend to be a bit behind the curve in terms of these kinds of trends.
(14:39):
So it makes sense that they're behind the curve on shadow it being eliminated. But when we start to think about IT governance, IT governance has evolved in 2024 and going into 2025 where more organizations are willing to allow this sort of democracy based deployment of tools that we didn't see before. And so shadow it is not as much of a problem. Either organizations are supporting it or they've put a sufficient guardrails in place to eliminate it and accept in the very smallest of organizations. So again, smaller organizations lag. Consider this in your marketing. If you are targeting smaller organizations, the shadow IT boogeyman, for lack of a better phrase, can still be an effective message, but for larger organizations, it's probably not going to be that interesting anymore. Security maturity. So this is a hard question to ask, and I say that because you're basically, oh, was that me?
(15:42):
This is basically asking someone, are you secure? Are you doing a good job? Right? And you're asking security pros this question. So I would advise you to take this a little bit with a grain of salt because I don't think really that 34% are actually NIST tier four, however, I think it's probably getting there. People tend to overestimate themselves a little bit, but directionally for marketers, there's still a lot of room for improvement. We still have 66% of people who are not rating themselves as tier four, and that number's probably higher. So you can still be thinking about your messaging in terms of how do you get to that highest level of security maturity in your organization. And remember, this is a point in time survey, people were anonymous, but they still want to portray themselves in a positive light. This is a significant increase over our 2023 results.
(16:37):
This is one that surprised me a bit and I don't know if people actually are doing that much better or if they're just staying there that much better. There's still a ton of room for improvement in terms of overall security maturity for our organizations, and this is where it gets super skewed company size, I was happy to see this because I would not have believed that a small organization said that they were more mature than larger organizations in this, but only 21% of smaller organizations think that they're at the highest level of security maturity that they can have in their organization. Larger companies, I do believe that's closer to reality, particularly with what we're seeing in terms of, I said before, regulatory environments. Some of the mandates have come down from various three letter agencies in terms of how people have to disclose, holding CISOs more personally responsible for breaches of their organizations and some of the new reporting requirements that we see for organizations, public entities that have been breached.
(17:40):
And what I would say here, and it's on the screen, but when you think about security maturity, it doesn't matter where organizations are, someone in client organization is starting at the beginning. And so you can never be too basic in your messaging and education you're doing for the people you're trying to target for your marketing. Again, I was talking to someone this morning and he asked the question, what should we be telling people? And it's basically tell 'em what they need to learn. And I realize that sounds very simple, but it's hard to execute. But when you start with an education mindset rather than a, I have to get my company messaging out mindset a hundred percent of the time incredible things happen. People are much more willing to listen to something that's not overt marketing or sales, and if you're educating them and slipping things in along the way, really good things can happen.
(18:38):
We did see this year a bit of a reduction and the amount of time that it's taking for organizations to budget for cybersecurity solutions. Now, there's a big company size dependency here, and the problem here is there's probably a size of purchase impact somewhere. If you're going out and buying a one-off VPN tool or something, right for one person, you're going to get that today. If you're not going to go spend a half million dollars on a new identity management solution, it's probably going to take more than 30 days for the process to happen, right? Has anybody had called up an organization and said, we want to sell you something for $5 million? And they said, sure. Can we write you a check today? Anybody? No. Okay, so when you think about your marketing and sales teams, bear this in mind when you're thinking about your nurture campaigns. Bear in mind that these things are going to take months to get across the finish line. When you're thinking about your sales cadence, when you're thinking about your sales processes and your proofs of concept and all the things you need to do to support the full sales process, keep this in mind. Just keep in mind what expectations are in terms of pulling money together for clients and make sure you take that into consideration in your internal planning so your Salesforce people don't get mad at you for not closing deals, right?
(20:04):
There was a bit of an impact here in terms of company size, but again, take this into consideration if your ICP includes larger organizations, unsurprisingly, larger organizations have more, they have slower, I should say, timelines in terms of pulling money together for information security purchases, which isn't that surprising. They're typically slower anyway, not because of any reason, but just because they have a lot more decision points we have to think about. I mentioned early on that the number one motivator for new cybersecurity solutions was basically getting in front of perceived risk in the organization, proactively addressing these things. That's not a surprise actually. It's kind of nice to see that rather than being forced over half of our people are doing something proactive and that's good for them. Maybe not as good for some of you, but if they get breached, what would we need something right away, right?
(21:08):
20% are doing it because of outdated technology. Arguably you could say that that might be in the proactive bucket as well, but that still feels somewhat reactive to me when you're doing something ahead of a problem versus this is getting really old. I feel like there's a difference there. Increasingly, we're seeing cybersecurity insurance create new priorities for a lot of our client organizations. They're putting demands in place for things like two factor authentication, just some of the basic things we see now that may be forcing some of the spend government regulations. This is going to increase significantly in the next few years. It'll like huge, especially if you're doing business in the EU and those kinds of places, this is going to become a huge reason that people are putting in place new cybersecurity solutions. I'm sure all of you have your ear to the ground in terms of all of the news about all of this stuff, and you're working on messaging around it, this slice of the pie next year, I bet it's at least double what we see this year and incident.
(22:08):
Unfortunately, we still see organizations that had an incident and all of a sudden they say, maybe we should make that not happen again. And so, and four and a half percent of our respondents said that their primary reason for new solutions was because of an incident. This was a single answer question. We made people actually tell us what their primary motivation was. It's too easy to check all the boxes. And so this year we said, what's your big reason? What's the one reason you have for this? And that forces people to make a decision. We did not do that last year. These were all multi select last year product capabilities. Trump price, even if it doesn't feel like it sometimes, do any of your customers ever come to you and say, can you do better on price? Anybody ever have that happen? Yeah, right. What I was really happy to see was that regardless of company size, number one was product service capability.
(23:04):
That's not always the case. Sometimes it's like, well, it'll get by, but we need something cheaper. People are spending an appropriate amount of money on security solutions to get the features that they need to protect themselves. Pricing for small companies, unsurprisingly was number two. For large companies, it was number four. Vendor reputation was number two, and my primary guidance there is stay out of the news for the wrong reasons. Don't have an incident named after your company. That's my general overarching guidance. That's something that's hard to come back from. Nobody seems to care at all about sustainability and ethics anymore, so just throw that out. No, I'm kidding.
(23:49):
These are all rank ordered. Of course, maybe that's important, but it's not as important as other things. And for smaller organizations, I want to point out supplier relationship. That's really important, even though it's number six, people want to have a good relationship with all of their vendors, but I think in general, specifically their security vendors, because you guys are going to be really in the mix on a lot of things, you're going to be involved in a lot of sensitive discussions, and they're going to be their most vulnerable when they're talking to you, particularly if it's after an incident. So having a good relationship with your customers can really pay a lot of dividends in terms of overall product features and capabilities.
(24:31):
So direct sales from a vendor preferred, not actual, but preferred place to buy stuff over last year went from 49% to 64%. People want to buy directly from all of you. A lot of times they want to go to a VAR or an integrator, obviously, because they don't have the capability themselves in this as they do the work or they just want, they're buying as part of a broader solution. And then other, we didn't really ask what other was. Maybe they're buying it from a cart, the street, I don't know. But that was basically to have some other method that they want to use to buy this stuff. And smaller organizations prefer direct vendor sales at 71% compared to 59% for small medium businesses or medium large businesses. Deployment timelines, this is different than budget. Rarely does someone mash the buy now button and deploy the same day, right?
(25:30):
That just simply doesn't happen. In fact, it takes for 50% of respondents, it takes anywhere from zero to six months for the tool to get deployed once it's been acquired, and for some 7.1% it's over 12 months. It takes a long time for the tools to actually get their way from procurement into planning cycle and then deploy it out to the organization. So that's something to bear in mind. And we're going to go to the next slide. We'll talk about company size. There's a huge differential here that I want to talk about. But when you think about for marketing, this is again, once the sale is made, you're not necessarily done with your job. You still want to nurture those people. Maybe there's upsell opportunities. Maybe there's a renewal coming that you're going to have to make sure that you're supporting. If they're going to take a year to deploy, you want to make sure you're staying in touch with them throughout that year so they don't lose the urgency and the understanding of the relationship that they have with you and your company for your client success people, this is really critical.
(26:32):
This is really who's going to make this work? Marketing to an extent, but your client success teams are going to be critical here and staying in communication with those clients, okay? Larger organizations, sorry, it's coming off, are slower than smaller organizations. Anybody surprised by that at all? I'm not. So 12% of projects exceed 12 months to go live from data of acquisition. Again, keep this in mind when you're working on your deployment plans, your salespeople, customer salespeople, all of them need to make sure that they're setting realistic expectations and make sure that your Salesforce dashboards reflect reality rather than what you want it to be.
(27:16):
Integration. So even during a proof of concept, people want to know that what they're buying works together. This was always important to me. I didn't want to buy a bunch of stuff and just have it work independently of everything else I have. I had a small team. We didn't have millions of extra cycles to deal with, so we needed tools that we could deploy into the environment that worked well together. And people want to see this during proofs of concept. What this may mean, and by the way, there's a sentence missing there, so I apologize for that, but it'll be in the report. What this actually means is simplicity is really important and your proofs of concept may take longer than you want them to because you're not going to just throw something up on a virtual machine or in the cloud and say, okay, we're going to go test this in a vacuum. They're going to want to make sure things work with all the other stuff they got. So there may be some light integration work to do in terms of deploying new tools in a proof of concept way. So their primary, again, this was a single choice question, this was their primary concern in terms of deploying new tools, was integration with what they already have.
(28:29):
So key takeaways, make sure that you understand that security spending is not slowing down. Has anybody seen that? It's slowing down? Anybody seen it increasing? You're seeing it slow down a lot. Okay. Anybody seen it accelerate? Please clap. I'm trying. I'm kidding. Okay. According to this research buyers maybe, maybe is too strong a word. They're probably not eager to write checks for this stuff, but they're eager to make sure their organizations are well protected. So I think that that's, when we think about improving their security posture, they're eager to do that. So in that context, they're eager to spend the money in an appropriate way. Firmographic information is really company size play a really important role when it comes to alignment from cybersecurity marketers. So our general guidance is review the report. There's a lot more in the report than we have in this today.
(29:32):
Review this guidance as you've developed your 2025 plans. Take a look at your ICPs in the context of what we're presenting in this report and make appropriate adjustments. If you don't have an ICP that looks at smaller or medium-sized organizations, at least consider it what it would look like. I realize small is a little hard, maybe medium-sized organizations because there is money to spend there and there's an increasing appetite to do so. If you would like the, and basically consider the full spectrum of your go-to-market, which includes your marketing, your sales, your client success, all of it, not just what you're doing as marketers. The whole go-to-market strategy is really important in terms of the overall success of your client's cybersecurity solutions. If you want the full report, we do have a few printed copies at the booth downstairs, and you can download it at actual tech media.com/cybersecurity buyers reports.
(30:27):
I'm going to go to the next slide while we do q and a. Before we do q and a. Make sure it's not by the booth and say hi. The team's over at Raise your Hands Team. That's them. That's actual type media. And the really important thing I need from all of you, you need to email Ainsley is Ainsley there, that's him. That's Ainsley with a big bushy beard, and we want your help devising next year's report. Specifically, what kinds of questions after you get the report did we not include in the report that you think would be particularly interesting? And most importantly, what kind of demographic or firmographic pivots can we do next year? This year, we spent a lot of time on company size. What else would be interesting to you in terms of pivoting next year's data? That's where things get really interesting.
(31:14):
The big broad stuff is interesting, but when you start digging down a little bit into the details, that's when things get kind of fascinating, at least to me, which I like digging into the data. So maybe that's just me, but that's what we want from you. Please follow Dr. John Honsel on LinkedIn. He's not here, he's not dead, but he's not here. He's at John Honsel on LinkedIn. I'm also on LinkedIn if you want to follow me, and I'm going to go back to the q and a side. Anybody have questions they like to ask?
Gianna Whitver (31:43):
Hello? If you have questions, please come up to the mic so that the virtual, because we're live streaming this so that the virtual people can also hear your question. Come on up, Mike, over here. All right. We have a question from the virtual audience. Is there significant differences for orgs that are a hundred to 500 and 500 to a thousand in size? So maybe Scott, what are some of the major differences for those two? I ICPs,
Scott Lowe (32:10):
I'll need to get back to you on that. There are differences from a hundred to 500. We do have that breakdown. We did it this way to keep it simple for presentation, but I don't remember all the differences right now off the top of my head, unfortunately.
Gianna Whitver (32:20):
Hi Dick. Everyone can download the report too.
Scott Lowe (32:23):
Well, that's not in the report, but we can get the data. If somebody has a specific question, happy to look at the data.
Gianna Whitver (32:27):
Oh, I love that email. Ansley with a question.
Aaron (32:32):
Aaron Mann from In Technologies, we have an IT security solution, and I guess what we're trying to do from an A BM approach is map the buyer and we go in through the C-I-O-C-T-O director of it, but we're starting to see a little bit of a trend with where the buyer is and decision makers. Are you seeing anything as far as we're CISOs are starting to fit in because CISOs love us, but they never really buy from us.
Scott Lowe (33:01):
Yeah, CISOs don't seem to spend a lot of money sometimes if they're part of an IT organization, the CIO is making the decisions for whatever reason. In a lot of those cases, I don't think you should not. I think you should target the CISO because regardless, CIOs and CTOs are not making those decisions in a vacuum. The CISO is probably informing, they're probably basically the technical decision maker behind the scenes in some way, shape or form part of the buying group. And that includes security analysts and all of the sort of individual contributors that make up those organizations too. They're all weighing in on a lot of these solutions. So I think you should still, am I answering the question
Aaron (33:43):
A little bit of a follow up? I guess. Are you starting to see that it is kind of coming under the CISO versus
Scott Lowe (33:51):
Not under No, I see that happening. Sometimes I see it sort of reporting into the ciso, but also I see it more often still the other way where security is still reporting into the CIO.
Aaron (34:04):
Thank you.
Scott Lowe (34:05):
Yep.
Sanna (34:07):
Amazing. Okay, Sanna, from Hack the box, sorry, this is really high. I really love the stuff that you add. Really interesting. I like the breakdown of the enterprise medium sized and all that stuff. Have you guys ever thought about breaking that into industries? I'm just thinking you said obviously governance huge. You have a highly regulated industries like finance. That governance probably is higher than manufacturing, for example. Is there any breakdown on industries?
Scott Lowe (34:34):
We do have that data. We didn't break it down for this report. We probably need to refine the industry list a little bit. It was quite broad, so statistic significance was a little bit questionable, so we did not include it in this report. I think next year one of our goals is going to be to look at some big swath industries and go that way. If there's specific interest you're interested in, please contact Ainsley because we do have some data.
Sanna (34:57):
Perfect. Will do. Thank you.
Scott Lowe (34:59):
Sorry, Ainsley.
Pauline (35:03):
Hello, I'm Pauline from HivePro. I was thinking that it might be interesting to integrate data about how CISOs and cybersecurity teams more generally approach or think about or save budget for new technologies, new frameworks, new buzzwords, right? Because cybersecurity has a new buzzword or a new product, sorry, a new technology all the time, and how do they want to be educated and how do they consider budget?
Scott Lowe (35:37):
Yeah, so how they want to be educated. We do have in the report, so there's top three, it's IT analyst reports, something and then webinars. So when we think about the way that they still want to be educated, we do have that in the main report. Is that helpful?
Pauline (35:56):
Yes. On the way of being educated, but also how do they approach saving budget for something they might not know about?
Scott Lowe (36:06):
So how are they approaching, it's almost like how are they approaching prioritizing their budget for new security? We don't have that question now, but Ainsley will take a note on that, right? Ainsley and we'll consider that for next year.
Pauline (36:17):
Love it. Thank you so
Scott Lowe (36:18):
Much. You're welcome. Thank you.
Dan (36:21):
Hi, I'm Dan Lowden with Blackbird AI. A question I wanted to see if you asked it or if it came up in the data, are CISOs more concerned about say, misinformation, disinformation, deep fake attacks that target their executives or their company and manipulate stock or say there's a fake breach that happened or accelerate the social discussions around when an actual breach does happen?
Scott Lowe (36:48):
That is not in this year's report, however it will be in next year's report. And I say that because it's, I mean, I've looked at what companies like 11 Labs are doing and SOA with open AI and stuff like that, and it's incredible and terrifying at all at the same time. Have any of you been just blown away by some of the stuff AI can do? I've been in it for 30 a long time and it still blows me away that what I see happening. Notebook, lm creating a podcast episode, Dick is legitimate. It's insane how good it is. I'm waiting for open added release soa. Have you guys seen the SOA demos, open ai, soa? It's basically up to a minute long video generation with just the text prompt and it's absolutely phenomenal in what it can do. And deep fakes are going to be, the next election's going to suck. I mean, it's going to be no fun open to the public in the next 10 days. In the next 10 days. Okay. I knew it was this year. I wasn't sure. This year is running out, so, okay. Scott, can you repeat that For the virtual, just say Sora is going to be, oh, Sora is going to be released in the next 10 days according to Okay. From OpenAI. And if you haven't looked at any of the demos yet, if you have a chat GPT subscription play with it. It's mind blowing.
(38:19):
Next question.
Tommy (38:20):
Yeah, thanks. Tommy Smith, before ai, one of the slides you had up there was it said something like 52% of CISO said they were spending money on proactive measures. Did you double click on that and is there any detail about what they mean by proactive and what tools they consider proactive?
Scott Lowe (38:35):
We do have a bit more detail. We did actually collapse a number of options into proactive because that was the intent behind the question. We can pull that together and if you can get with Ainsley, we can get that to you specifically.
Tommy (38:46):
Ainsley, you got a full plate, man.
Scott Lowe (38:48):
Yeah. Ainsley's going to be busy for the next year and a half. That's right. Job security. Is that it? Thank you everyone very much for your attention. I really appreciate your time.
