Three critical but rarely discussed aspects of the security market

I often discuss what makes security unique or different from other industries. Today’s article is another one in this series: I am looking at what the real drivers of cybersecurity buying are, how security is a services-first space, and how the moat has a different shape in security than it does in other industries. This week, I am doing something different and instead of writing a deep dive, I am publishing a brief take on three separate but very much connected topics.


This issue is brought to you by… Vanta.

VantaCon: Join the event in-person or virtually this November

AI is fast transforming every aspect of security and compliance—and no aspect of GRC will be left unchanged.

This year at VantaCon, join Vanta for a full-day GRC community event.

Be the first to hear exciting product announcements, discover how industry peers and leaders are preparing for big changes while uncovering unique opportunities for growth, and take part in new breakout sessions designed for collaboration—not just on what’s next for GRC, but how we’ll write its future together.

Join Nov 19 live in San Francisco or virtually to:

  • Hear from the GRC and security leaders shaping the industry

  • Network with the best

  • Help write the future of GRC



There are only two real drivers of cybersecurity demand

Why do companies buy security? Conventional wisdom is that it is to protect the so-called CIA triad - confidentiality, integrity, and availability of data. I think this view is too simplistic, and it calls for more detail.

Regardless of the industry, I have observed that business cares about one thing: protecting its ability to increase shareholder value. In practical terms, this means ensuring that the company can continue operating normally and therefore generating revenue, and ensuring that the company won’t incur unexpected monetary losses.

Ensuring continuous operations has two aspects:

  • Business continuity, or making sure that assets that produce value (people, equipment, etc.) are functioning as normal. This is why ransomware is such a big deal - when a business stops producing whatever it is producing, it stops making money.

  • Mandatory compliance requirements (SOX, etc.) are met and certifications required to establish trust with buyers (SOC2, etc.) are obtained. The difference between these two types of compliance is simple: the former allows the company to exist, while the latter allows it to sell.

Avoiding monetary losses also has two aspects:

  • Preventing significant penalties

  • ...
Read full article on Venture in Security →