Going into 2026: what founders and security leaders need to know
The last post of the year is usually also the hardest to write because it always feels like it should be deeper, smarter, and more insightful than usual. The good news is that I was able to free myself from these self-imposed expectations, but the bad news is that this post is still going to feel a lot like a reflection of sorts. This has become a tradition: a year ago (gosh, it’s been a full year!) I invited readers to have an honest conversation about the state of cybersecurity, and this time around, I am going to talk about selling security as we go into 2026 and what the market expectations look like.
This issue is brought to you by… Tines.
The one thing that makes selling security different than selling most other products
We can talk all we want about how security is different from other industries. I do this pretty often because not everyone understands that security is a horizontal, not a vertical; that in security, there is a unique driver of innovation that can’t really be found in any other market except for defense - the adversary, and that for a long list of reasons, everything in our industry relies on trust.
All this is true, but we’ll never be able to understand the complete picture until we discuss why selling security is different than selling most other products. The reason is that most of the time, sales motions in cyber are defensive. What this means is that security leaders aren’t casually exploring “what new tools are available on the market”; instead, they are responding to risk, compliance, or board-level concerns. Don’t get me wrong, CISOs and other security leaders are most definitely curious about what’s out there - what new ...