Taking Strategic Purchasing Steps to Buy Cybersecurity Outcomes, Not Projects

Paul Lupo

May 23, 2024

Taking Strategic Purchasing Steps to Buy Cybersecurity Outcomes, Not Projects

Traditional security operations have followed a consistent pattern for decades. This evolution has transformed cybersecurity into a fragmented project management function. Teams are overwhelmed by numerous alerts, leading to missed critical events and increased system vulnerabilities. What was meant to serve as comprehensive coverage of rapidly expanding threat surfaces has increased complexity across the security stack, making it hard for teams to identify important information, put it in context, and resolve issues quickly and efficiently. 

Security leaders need solutions that prioritize simplicity and swift value delivery, ensuring investments translate into immediate, tangible outcomes. This allows organizations to stay one step ahead of increasingly sophisticated adversaries and deliver robust and efficient security services that empower and enable business operations. 

The Downsides of a Project-Based Purchasing Decisions 

A project-based focus often causes security teams to miss the broader objectives, getting bogged down in details. This approach results in inefficiencies, as teams are preoccupied with maintaining outdated tools rather than empowering business growth. 

Details become so overwhelming and the work so mundane that they forget why they implemented a tool in the first place and whether it still makes sense in the context of business objectives. Basic questions like, “Do we still need an AV solution?” or “How do we protect remote end devices?” go unanswered because we’ve always done things a certain way and it’s easier to keep doing something than enact change. 

A project-based approach to cybersecurity ultimately leads to gross inefficiency. If you’re not focused on the things that contribute to growth or improve productivity or enable new opportunities, then what are you doing? You run the risk of running in place, spinning your wheels, completing tasks that don’t matter. And now it has become a budget issue. Each box you check comes with a line item in the budget. As the security stack expands and grows more complex, so does your cost to the organization. And, in today’s business environment where everyone needs to justify their contribution to the cause, being seen as a cost center is a big problem. 

One reason teams fall into this trap is their reliance on outdated, inefficient cybersecurity solutions. When all you’re doing is pouring over dozens of logs, trying to find a needle in a haystack, it’s easy to forget that your main objective is empowering the business. Finding the right solution that cuts through the noise to give you exactly what you need allows you to align your technology decisions with immediate business outcomes. 

Taking an Outcome-Focused Approach to Cybersecurity 

Transitioning from a project-focused strategy to an outcome-based approach involves navigating uncertainties but is essential for success. Adopting the right tools and strategies is critical to support this shift, enabling security teams to align their efforts with business goals effectively. Change is hard. But it is also necessary. Making purchasing decisions that empower an outcome-based approach to cybersecurity sets you up for success, makes you more efficient, and changes the perception that security is an inhibitor to getting things done. But you can’t just change how things are done without having the right tools in place to support your new strategy. The right solutions should provide the visibility and context you need to align cybersecurity with business objectives as well as the features and capabilities that enable efficiency and empower users to be more productive.

Here are four ways cybersecurity decision makers can change how they evaluate and ultimately choose the right tool for the job: 

1.Identify Critical Business Processes and the Impact of Downtime 

Ensuring zero downtime is essential. Security teams must identify critical assets and assess the impact of their downtime on business operations. Any downtime impacts that ability and endangers business agility. Security teams need to identify the most critical assets in the organization and the effect that their downtime would have on operations. Does the traveling sales force even use their desktops anymore? What percentage of sales are made through the ecommerce site? What would happen if email went down? Or if no one could access Microsoft 365? Choosing the right solution requires getting the answers to these questions and providing context into every business system – including who uses it, for what purpose, and how downtime would impact people’s ability to do their job.  

2. Hit the Pavement and Talk to Business Stakeholders

Engaging with stakeholders across the organization is crucial. Understanding business processes and workflows helps align security strategies with organizational goals. Find out what matters to them, and, just as important, what isn’t important. There may come a time when you will be asked to provide guidance on critical initiatives, so it is important to have the context you need to make those decisions confidently.

3. Start with Visibility and Centralized Control

Implementing tools that offer visibility and centralized control is fundamental to achieving an outcome-based cybersecurity strategy. Tools that provide comprehensive visibility and centralized control are essential for informed decision-making and effective security operations. These capabilities enable security teams to have a holistic view of their environment and efficiently address vulnerabilities. 

 4. Align Solution Capabilities with Business Objectives 

Features such as automated workflows, seamless integrations, and recommendation engines can support an outcome-based cybersecurity strategy. Ensure that the tools you choose simplify security operations, enhance productivity, and scale easily to meet future needs. Testing solutions before purchase ensures they meet security requirements and fit team culture. Evaluate how quickly a solution can be deployed, its user interface, and whether it can accommodate analysts with varying levels of experience. Assess how soon you can start demonstrating value from the solution. 


The traditional approach to protecting against malicious threats is evolving. Rather than working off a checklist of requirements, security teams need to address the actual security concerns and needs of the business. This requires identifying the organization’s crown jewels and most important assets, talking to business-level stakeholders, and determining how downtime would impact users’ ability to meet their responsibilities. You can then make purchasing decisions that are better aligned to business objectives. Security outcomes should be measured by their impact, not the completion of projects, ensuring users have reliable access to essential tools and information they need to succeed. 



You might also like