Going into 2026: what founders and security leaders need to know
A year-end reflection about the state of cyber
The last post of the year is usually also the hardest to write because it always feels like it should be deeper, smarter, and more insightful than usual. The good news is that I was able to free myself from these self-imposed expectations, but the bad news is that this post is still going to feel a lot like a reflection of sorts. This has become a tradition: a year ago (gosh, it’s been a full year!) I invited readers to have an honest conversation about the state of cybersecurity, and this time around, I am going to talk about selling security as we go into 2026 and what the market expectations look like.
This issue is brought to you by… Tines.
The security leader’s playbook to GRC
Manual compliance work is costing your team time - and fueling burnout. But the path forward from planning to action can feel ambiguous. Which workflows deliver the fastest value? How should APIs be configured?
In this new guide, the security leader’s playbook to GRC by Drata and Tines, you’ll learn:
Concrete steps to replace reactive compliance with continuous, automated GRC
Key use cases for GRC orchestration, including streamlining evidence collection, audit preparation, and audit response
Metrics of success and a sample ROI model for a more resilient, proactive GRC program
The one thing that makes selling security different than selling most other products
We can talk all we want about how security is different from other industries. I do this pretty often because not everyone understands that security is a horizontal, not a vertical; that in security, there is a unique driver of innovation that can’t really be found in any other market except for defense - the adversary, and that for a long list of reasons, everything in our industry relies on trust.
All this is true, but we’ll never be able to understand the complete picture until we discuss why selling security is different than selling most other products. The reason is that most of the time, sales motions in cyber are defensive. What this means is that security leaders aren’t casually exploring “what new tools are available on the market”; instead, they are responding to risk, compliance, or board-level concerns. Don’t get me wrong, CISOs and other security leaders are most definitely curious about what’s out there - what new startups, ideas, and approaches companies are trying. Yet when it comes to actually writing checks, most security leaders have fundamental challenges they need to address first, well before they do a test drive of some new cool idea. These fundamental problems tend to also be pretty boring, but that’s a topic for another article.
Think about how the buying motion works in other fields. As a product leader, I bought and advocated for my fair share of product management tools. I did that because I had certain goals to drive, but also because I wanted to experiment with different solutions to see if they could move the needle for us. Marketers are especially notorious for this, which is why they try - buy - churn their tooling nonstop. Most other functions have some breathing room to experiment, but security teams are always so behind and so overwhelmed with their existing problems that they barely ever have time to shop for “what’s new and interesting”.
Most security purchases have historically been rooted in helping companies not get screwed, and not in achieving efficiencies or helping CISOs be more innovative. This is why fear, uncertainty, and doubt (aka FUD) have worked as the only drivers for a while. While in other markets, new ideas have usually been focused on helping companies gain new competitive advantages, achieve efficiencies, or save costs, security buyers would want to see proof that they’re making a safe choice and that they will be protected when something bad happens.
Changing reality of cybersecurity sales
Over the past several years, the way cybersecurity products are being bought and sold is changing, and old playbooks are starting to fall apart. There are too many ways in which this is happening, so here’s just a taste.
We’ve largely moved from proof of concept (POC) to proof of value (POV)
This may sound like a play on words to some, but it’s not. One of the trends I am seeing is that we’ve largely moved from doing proof of concept (POC) to doing proof of value (POV). The difference is pretty simple. When a security product relied on some real deep tech and unique novel ideas, CISOs would run so-called proofs of concept (POCs) to understand how the solution works, what it does, and how it fits with everything else already configured in their environment.
Fast forward to today, and we see that most concepts are pretty well understood. When someone says words like “runtime”, “posture”, “proxy”, “firewall”, “sensor”, etc., we have a good idea how things are going to work. In 2025, CISOs don’t really need to validate concepts; they need to see value, and that is a completely different game. Just because the sensor is looking at some telemetry, doing analysis at runtime, and generating findings, it doesn’t mean there’s going to be much value. The same applies to just about anything in security. The founders today aren’t going to get asked “How does it work?”, they’re going to get asked “So what?”.
CISOs are starting to ignore FUD and look for ROI
As I am starting on this paragraph, I am realizing that this whole section could have very well been called “going from one three-letter word to another”. Expanding on the previous point, I am seeing that more and more security leaders are tired of FUD. Every startup keeps telling them, “If you don’t buy what we’re selling, you’re going to get breached”, and because everyone is repeating the same pitch while selling different solutions, I think this argument has become completely overused.
CISOs are starting to ignore tools trying to scare them, and instead look for enablers of business resilience and efficiency. Security leaders are starting to ask how the tool is going to help them make their company more successful - eliminate manual work, answer requests from other teams quicker, and so on. A part of me feels like this whole situation is pretty ironic. For the longest time, security vendors have been investing a ton of marketing dollars in spreading the message that CISOs should be “business savvy and business enablers”. Now that CISOs are doing exactly that, we are learning that most of these vendors aren’t actually “enabling” anything for the business. They’ve helped create buying criteria that they can’t satisfy, so to speak.
The fact that CISOs are looking for ROI doesn’t make it easier to communicate it
This is where what we want faces the harsh reality of cyber: just because we want to show ROI, it doesn’t make it any easier to do it. Money is no longer free, so most companies today are becoming smarter about their budget allocation. This is bad news for security because every time a CISO is pitching a security initiative to get the budget, it gets evaluated against other, revenue-generating projects. If a company is trying to double its revenue year-over-year, is it more likely to invest in a new security initiative, or something that marketing, product, or sales say is going to increase revenue and improve gross margin? The answer is obvious.
I don’t think most people truly recognize how hard it is for CISOs in many companies to secure new budgets. We often hear the nonsense that “many CISOs aren’t business leaders”, but I haven’t seen anyone recognize that any CISO who can get their executive team bought in to fund new security initiatives, when everything is about cost-cutting and top-line growth, is a master communicator, negotiator, and evangelist.
The challenge of communicating the value of security starts even before communication. How do we measure risk reduction? How do we explain the ROI and quantify the savings of the attacks that didn’t happen because we had security controls in place? These are rhetorical questions, but when a CISO is working to secure the budget for critical initiatives, they are forced to think about this. To be completely fair: many other execs have trouble tying their spend to outcomes, not just CISOs. Take marketers who struggle to attribute any sales activity to the specific initiatives they are driving. What’s different about CISOs, though, is that they also get less attention, and the only outcome boards are happy with (zero breaches) is not at all realistic.
Cyber sales in 2025 are stuck in a limbo
My conclusion is that cyber sales are getting stuck in a limbo. On one hand, FUD no longer works, unless the company has so much mindshare that buyers simply see it as the safest option (startups rarely fall under this category). On the other hand, we are continuing to struggle trying to communicate the business value of security controls, and with that, to come up with an alternative to FUD (which, by the way, hasn’t served the industry well, but which has most definitely enriched plenty of companies).
The biggest industry gap, in my view, has nothing to do with the ability of security leaders to communicate the value of security controls, even though that’s what is often being brought up at conferences and on social media. Instead, it is the fact that way too many entrepreneurs have no idea what problem they are solving. I remember having a chat with my friend Jonathan Haas, who put it really well: the reason most early-stage startups aren’t growing is that they haven’t figured out what it is they should be growing. To say it differently, they have no idea in what direction they’re moving, or even simply what problem they are trying to solve. Behind all that “next-gen” and “AI-powered” fluff is the fact that they can’t pinpoint which workflow they are addressing, what tool they are replacing, and who they are trying to sell to. It’s fine to not have these answers at the seed stage (after all, that’s what the seed stage is for - to get these answers), but shockingly, you’ll meet some companies that have been around for 5+ years and that are still struggling to figure out who they are and why they exist.
Going into 2026: challenges and opportunities for security leaders
I don’t think the lives of CISOs are going to get much easier going into the new year, but I do hope that they will continue to get more support from their leadership. In 2025, we’ve seen several cases when company founders and CEOs stood by their CISOs instead of throwing them under the bus when things went wrong, the most prominent being the story of Coinbase. Also recently, we saw the SEC dismissing the case against Timothy G. Brown, the CISO of SolarWinds, who, by the way, remained the CISO of the company while going through the nightmare of continuous litigation.
The signs are pretty positive for CISOs, but for obvious reasons, I don’t think their jobs will get any easier. The budgetary pressure will continue to force them to do more with less, and the noise from all the vendors in the space will only make it harder to tell the difference between what’s real and what’s BS. The silver lining is that all this noise should serve as an opportunity for security leaders to refocus on fundamentals, because they are what truly matters. Companies continue to get breached because they are not doing the basics well, and not because they haven’t bought some next-gen whatever.
Going into 2026: challenges and opportunities for founders
Going into 2026, the market will only become more competitive. Over the past several years, tens (or maybe hundreds?) of new startups were founded, most of which are still in stealth, but all of which are trying to solve various problems and offer new solutions. Most of them aren’t trying to address new problems - they’re going after the existing markets, which means they’ll have to convince buyers to replace their existing solutions. That’s going to be pretty hard. Nearly a year ago, Eyal Worthalter published this post on LinkedIn that I strongly agree with:
“The “better mousetrap” pitch is dead in cybersecurity. Here’s why. Most enterprises have already laid their security foundation. EDR, SASE, SIEM, CSPM - the core stack is in place. Not perfect, but good enough to handle almost everything.
Last year taught me this: After demonstrating 40% better detection rates in a flawless POC, the CISO still walked away. Why? Because “better” isn’t enough anymore. Think about what we’re really asking when we pitch a “better” solution:
Rip out existing integrations
Retrain the entire security team
Rebuild automated playbooks
Revise procedures and documentation
All for what? Incremental improvement. The hard truth? Unless you’re 10X better (not 50% - 10X), you’re fighting a losing battle against organizational inertia. “Good enough” is your real competitor, not other vendors. I think in 2025 we are only going to see deals close when:
Compliance requirements force change (i.e. your product solves a niche industry requirement)
We solve a net-new problem their stack can’t touch
Both A and B depend on the product. So not much sellers can do about it. Instead, if we demonstrate order-of-magnitude improvement that justifies the organizational pain and drives better business outcomes, we can land better deals. Everything else is just contributing to option fatigue in already overwhelmed security teams. The most honest feedback I got last year was: “Your solution is better. But ‘better’ isn’t worth the change management overhead.” - Source: Eyal on LinkedIn.
Eyal’s words were true a year ago, and they’re going to be even more true a year from now. Obviously, as founders, we have to be betting on the fact that there will continue to be enough interest from CISOs to buy from the new generation of companies. I am sure there will be, but the bar for startups will continue to go up. While it’s not going to get easier, I think when the pressure is on, and survival instincts kick in, people will figure out what they stand for faster and more efficiently.
To close the year off, I must say that the industry continues to mature, and I continue to be incredibly optimistic about where things are headed (if you are not, please read the Cyber optimist manifesto: why we have reasons to be optimistic about the future of cybersecurity). May the new year be the year when more companies develop clarity about their purpose, and may they have enough runway to be able to do it. Building startups is hard, and I wish everyone who is working tirelessly to defend our present and our future lots of success in the New Year! CISOs, founders, marketers, investors, security professionals - regardless of who you are, we are all on the same side. Happy New Year!
"The ten intro slides of fear" that CrowdStrike perfected over the years will have to change. Not a lot of ROI statements from their content or Palo Alto Networks from what I've seen.