Panel Summary: How Security Leaders Evaluate & Procure Tools

On January 27th, we hosted a panel featuring Devin Ertel (CISO, Menlo Security), Shirish Puranik (Ex-EVP Cybersecurity, Wells Fargo) and Adrian Ludwig (CISO, Tools For Humanity) at the SVB Experience Center in San Francisco on buyer and seller relationships in security. Their insights reveal what truly matters when evaluating security tools, what vendors often get wrong, and how startups can better align with enterprise needs.

A bit of context as to why we chose this topic to shed some light on: Today's security market is more saturated than ever before – there are over 4,000 security vendors and 10,000+ security products competing for attention. For security leaders, navigating this landscape is a daunting task. With limited budgets, evolving threats, and increasing compliance demands, every purchase decision is heavily scrutinized.

Security Budgets Are Tight - Tool Consolidation is a Priority

One of the biggest takeaways from the discussion was that most security teams are not looking to add more tools - they’re looking to reduce and consolidate. Many organizations already have too many security solutions, leading to tool fatigue, integration challenges, and wasted budget. Instead of chasing new tools, security teams are focusing on replacing outdated or ineffective solutions with fewer, more impactful platforms.

What Actually Drives a Security Purchase?

When security leaders decide to invest in a tool, it’s not because they were convinced by an impressive demo. Instead, purchases are usually triggered by one (or more) of these key drivers:

1. Regulatory & Compliance Mandates – A new requirement forces the company to adopt a tool.
2. Risk & Threat Landscape – A growing attack vector (e.g., ransomware) makes it necessary to invest in protection.
3. Operational Bottlenecks – If a tool can dramatically improve productivity or ease friction for engineering teams, it’s more likely to get buy-in.
4. Internal Buy-in from Leadership – If an executive or board member advocates for a vendor, it moves up the priority list.

Many vendors focus too much on what their tool does rather than why a company would need it right now. Successful vendors understand that security teams are asking:

• Why should we buy this tool now, rather than next year?
• How does this fit into our existing security program?
• Will this reduce risk in a measurable way?

The Misalignment Between Vendors & Security Buyers

One of the biggest disconnects in the sales process is that vendors often focus on the wrong things. Many spend too much time worrying about getting through procurement and compliance rather than proving how their tool will be used in day-to-day security operations.

For a security leader, buying a tool is not just about cost - it’s about time, integration, and workflow impact. If a tool creates more work for the security or engineering team than it saves, it’s not worth it - regardless of its features or pricing.

Top 10 Takeaways From The Panelists

Here are the top 10 insights from our panel discussion that every security vendor should keep in mind:

1. Security Budgets Are Tight & Tool Consolidation Is the Trend‍

Buyers are focused on reducing the number of tools rather than adding more. Many security teams are self-funding new purchases by replacing or removing existing tools rather than getting net-new budget approvals.

2. Risk & Compliance Drive Procurement Decisions

Security leaders prioritize tools that address immediate threats, regulatory compliance, or board-mandated initiatives. If there’s no clear justification for “why now?” in terms of risk or compliance, purchases often get delayed or deprioritized.

3. Procurement is a Multi-Stakeholder Process

It’s not just about convincing the CISO - security leaders must align with engineering, IT, finance, and procurement. Vendors who understand and support this cross-functional alignment stand a better chance of success.

4. Operational Impact Matters More Than Features

Vendors tend to overemphasize their product’s capabilities, but buyers care more about how a tool integrates into their workflows. The biggest question they ask: “Does this tool create more problems than it solves?”

5. Buyers Are Highly Skeptical of ROI Claims

Security leaders are wary of inflated ROI projections from vendors. They’re more concerned with the true cost of a tool, including implementation, ongoing management, and disruption to workflows.

6. Best-of-Breed vs. Platform Debate: No Perfect Answer

Many security teams prefer an integrated platform, but large vendors often lack innovation. Point solutions thrive when they solve a specific, pressing problem - but they must integrate well with existing systems to be viable long-term.

7. Customer Advocacy & Peer Validation Are Key

Security buyers trust referrals from their network more than cold outreach. Vendors who can connect prospects with referenceable customers (ideally in similar industries or company sizes) gain credibility and move faster in the sales process.

8. Community & Knowledge Sharing Build Trust

Buyers value vendors who foster peer discussions, provide best-practice documentation, and help security teams learn from each other’s experiences. Creating a security buyer community is an untapped opportunity for vendors.

9. The Worst Sales Tactics Backfire

‍Tactics like aggressive cold calling, sending unsolicited gifts, or going around the security team to the board/CEO can destroy trust and make a vendor an instant “no.” Respect the procurement process.

10. Security Teams Want Vendors to Be Strategic Partners‍

The best vendors aren’t just selling a tool; they position themselves as long-term partners. This means understanding a company’s security roadmap, supporting evolving needs, and continuously delivering value—not just making the sale and disappearing.

Final Thoughts: The Future of Security Buying

The security industry is evolving, and buyers are becoming more selective. As vendors, it’s crucial to move beyond just selling features and instead focus on solving real problems, reducing risk, and integrating seamlessly into existing workflows.

For startups and security vendors looking to stand out, the key is to align with how security teams think:

✅ Focus on risk, compliance, and operational impact.
✅ Make integration and automation a top priority.
✅ Build credibility through community and customer advocacy.
✅ Be a partner, not just a tool provider.

At Leen, we believe in building in public and sharing insights that help both security teams and vendors navigate the ever-changing landscape of cybersecurity. If you’re interested in more discussions like this, follow us on LinkedIn or subscribe to our newsletter.