Part One: Changing buyer priorities – The CISO & Cyber

This started as a single blog about the changing buyer priorities, but as I delved into the research at length, it turned out there were a couple of topics to address. So, this will be a two or maybe a three-part series.

When we ask who they're looking to target, organisations' default standard is a C-level executive. It's pretty generic, but over the last 6-12 months, we've started to see a change in remit as to who is responsible for what and their priorities.

Kristal Jamieson, Founder of One Little Seed

The CISO & Cyber

According to the WSJ 2022 CXO Tech Agenda, cybersecurity has increased to 57% from 28% in 2021 as a trigger for organisational transformation. What's more interesting is the reasons why cybersecurity is a priority:

  • 64% indicated protection against future breaches
  • 50% stated that it was in response to a previously sustained breach
  • 59% said it was to increase customer and client trust, plus PR efforts

Reputational risk is a huge consideration for many activities. As we came out of the first wave of COVID (not knowing what was coming), there were many conversations with our clients about the risk of being that super spreader event as we considered a return to in-person events. Across my years in cyber, there's been the discussion that you never want to be 'that' company in the headlines because of a breach.

According to ExtraHop's 2022 Cyber Confidence Survey in Asia Pacific, 83% of organisations in the region have had a ransomware breach in the last five years. When we tie that back to reputational risk, 20% of organisations won't tell anyone they have been breached. This is despite government reporting regulations. 'Don't ask, don't tell' doesn't work here, because inevitably, someone will tell, and the repercussions are much more significant than transparency in the first place. There is still a stigma attached to being impacted by a breach. However, 83% of businesses state that they've been impacted by ransomware, which means you're in the minority if you haven't been hit.

This report also states that 64% of respondents say that the threat of legal action and fines promotes action by senior management in security decisions.

What we've started to see through our work across the industry is that the CISO is gaining larger influence at the boardroom table, whilst at the same time their remit is getting larger. Cyber resilience is a term that's being bandied about and is the new term du jour alongside XDR. This means that under the banner of cyber resilience, backup and disaster recovery are moving into the CISO remit.

Australia has also recently appointed the first minister for Cyber Security in Clare O'Neil, showing the changing face of business and government priorities.

What does this mean in terms of marketing?

From our perspective, we've always been about business issues. What challenges are you trying to solve for your customer? It's no longer about just the breach. It's also about the wider business implications and how they're influencing the decision-making process.

Start to add value to your prospect conversations by raising the issue of business continuity & crisis management. Who is responsible for what within the relationship? What can you as a trusted advisor bring to the table to assist in this? What are the timelines for identification of the source and impact of the breach? What are the RPO / RTO benchmarks?

Gartner reported that in 2022, spending on managed services & consulting will grow 7.9% globally to $1.3 trillion. 'Through 2025, organisations will increase their reliance on external consultants, as the greater urgency and accelerated pace of change widen the gap between organisations' digital business ambitions and their internal resources and capabilities'.

Vendors never like to hear it, but the customer doesn't always care what label is on the technology and infrastructure. They're putting their trust in you, your recommendations and validations of the solution you're offering them. Ultimately, they're buying your service.

Often our best conversations come from the simple question of 'how can we make your life easier?'

Gartner also reported that the buying group size for 62% of businesses is 4-9 people, and that 15% of the buying cycle went into reconciling disparate information and building a consensus. So it's more important now than ever to build a brand across your prospects' organisation.

In this case, when you're engaging with the C-Suite, the conversation goes further than stopping or identifying the breach. It's about providing the right information in a timely manner, enabling them to communicate better internally and externally. It's about understanding how far their remit does extend because it's different for every organisation and constantly changing.

Put simply, look wider and deeper within your target organisations because you're targeting a buying group within the business, not an individual. It may seem simple, but too often, we see organisations focusing on one specific job title.


  • Global Software Trends and Buyer Behavior Insights 2022
  • ExtraHop 2022 Cyber Confidence Survey in Asia Pacific
  • WSJ 2022 CXO Tech Agenda

Disclaimer: We do work for ExtraHop in ANZ, so that's why we've got easy access to their report.