ITWeb contributor Phillip de Wet.
As an enterprise buyer, there are occasional windows of opportunity to lay in some IT products and services ahead of a drought or price spikes.
We mostly get to see those in retrospect, the way we now know that early 2022 would have been an excellent time to stock up on AI chips, despite what appeared to be high post-pandemic prices.
For once, though, we can actually see the favourable conditions as they develop, in this case to buy some security. Or, possibly, a complete overhaul of threat detection and identity management.
Last week, we got to spend some time looking beneath the bonnets of Okta, CrowdStrike and Palo Alto, as all three released quarterly results. And their numbers confirmed what we’ve been hearing from corporate users: the need is deep, and the vendors are moving to a war footing.
Perhaps the biggest element that makes for good timing is internal politics. Security leaders say that everyone at the top, C-level executives and their non-executives too, is petrified by the fast-ramifying AI attack surface. They know shadow AI is infiltrating their organisations, they’re seeing threats go from theoretical to proof-of-concept – and for once they’re giving budget priority to CISOs.
That’s not what has the vendors so excited. They’re happy for the revenue, sure, but they’re not trying to sign stupidly high-margin business. They’re pitching some very attractive deals, with good prices and lots of flexibility, to get a foot in the door wherever they can. They know how much money agentic AI is going to make them in the long run. Endpoints springing entirely new types of leaks, big new infrastructure going up everywhere, a complete democratisation of ransomware capabilities – AI is going to be one long Christmas if you’re selling security.
Get the threat-detection work now and you can upsell to the non-human identity management later, as it were.
The bit the vendors aren’t saying out loud is that they’re also being forced into an uncertainty discount. Oh, they’re all terribly confident about exactly what kind of security architecture is most important, but the buyers are smart enough to realise that nobody can predict what new threats may arise and how they’ll best be mitigated at a granular level.
Or which security vendor will get it wrong next, leading to an outage or a breach that embarrasses the hell out of the purchasing decision-maker.
So, the corporate chequebooks are open, and if you negotiate well, the price is right.
There is also the little matter of genuine need and urgency.
Cyber insurance is in flux, investors are asking harder and harder questions, and nobody can claim the risk was unforeseen. If you go down because it seemed more productive to give everyone admin rights than to have tiered permissions, heads will roll.
At least nobody is talking about shortages yet; this is not an area where we’re dependent on fabs or long supply chains. Implementers, integrators and consultants are, however, not hurting for business.
On the solid assumption that the necessary skills don’t multiply all by themselves just because there is greater need, it’s probably not a bad idea to get in ahead of the inevitable stampede after the next big incident.