Four maturity stages, two persona levels, one fit matrix. The teaching beat to keep:
executives buy confidence, operators buy relief.
The Maturity Ladder
Four stages of security operating maturity. Each carries its traits, common buyers, best-fit motions, and a single GTM message. Scan the strip; drop into any card for the full profile.
Bespoke / API-first tools that fit detection engineering workflows
High-end MDR with co-managed model
The Two Personas
Two distinct buyer levels — executive and operational. They want different things. The pitch that lands with one rarely lands with the other.
CISO / VP Security
executiveBuys confidence
Cares about
Defensibility to the board, auditors, customers
Material risk reduction (quantifiable)
Program coherence — fewer fights, clearer story
Talent retention through tool sanity
Does not want
Yet another dashboard nobody operationalizes
Tools that require team headcount the org doesn't have
Vendor pitches that ignore the existing stack
Renewal surprises
"We help you tell a coherent story to the board — fewer tools, sharper metrics, defensible outcomes."
SecOps / Engineering Operators
operationalBuys relief
Cares about
Time saved on alert triage and toil
Tool quality (low false-positive rate, fits the workflow)
Reliable detections on the threats they actually see
Integration with existing pipelines (SIEM, ticketing, ChatOps)
Does not want
More noise to triage
Tools that require six weeks to deploy before any signal
Vendor marketing pretending the product reads minds
API gaps that block automation
"We absorb the toil your team is drowning in — alerts triaged, false positives suppressed, your day shorter."
The Confidence–Relief Axis
Two ordered axes: where an account sits on the maturity ladder, and what the buyer is actually after — relief from operational pain, or the confidence to defend a decision upstairs. They move together. Low on the ladder, the buyer wants relief; as the program formalizes, the purchase becomes about confidence. A pitch aimed at the wrong point on this diagonal is the most common reason strong product loses to product that simply read the buyer right.
The same account buys relief early and confidence late. Win the wedge on operator relief, then re-pitch the renewal in executive-confidence language — the strongest vendors track the whole diagonal.
The Security-Ownership Ladder
Company size is the envelope; security maturity is the letter inside it. A 900-person financial-services firm under SOC 2 and customer-security review often runs a more formal security operation than a 4,000-person manufacturer still routing everything through an infrastructure director and an MSP. Headcount proxies endpoint and user scale and little else — it does not reveal who owns security, and ownership is what decides how an account buys. The ladder below tracks who owns security across the whole range — the variable a campaign actually has to match. It is the structure behind Persona Bleed: a motion inherits an enterprise persona and runs it down-market, where that persona is scarce.
Rung
Likely security owner
Typical title
SecOps maturity
How they buy
Informal
Owner / outsourced IT / MSP
Owner, Office Manager, IT Consultant
Incidental — AV, firewall, backup
Bundles; insurance- and compliance-driven controls; relief from the burden
IT-managed
IT, as part of infrastructure
IT Manager, Director of IT
Reactive, tool-light, provider-dependent
Simplicity, low admin load, “works with Microsoft,” clear escalation
Outsourced
IT director over an MSP / MSSP
VP IT, Director of IT
Monitoring and tooling run by a provider
Augment, specialize beyond, or displace the incumbent provider
The trap is building a CISO-centered motion for a market that does not consistently contain CISOs. Below the enterprise, the buyer rarely wants a security philosophy — they want competent help, the phone to ring when something breaks, and someone credible on the other end. Size is the envelope. Maturity is the letter inside.
The Buying Committee
Eight roles that shape an enterprise cyber deal. The CISO is rarely buying alone — and the role that kills the deal is often the one nobody mapped.
Economic
Economic Buyer
Function in the deal
Owns the budget and the final justification. Has the authority to say yes or no to the contract. Usually does not evaluate the product directly.
Enters when
After technical validation. The economic buyer wants to see the business case, not the demo. In enterprise security deals, this is the CISO for security-budget items, the CIO for IT-budget items, the CFO for anything above a threshold.
Cares about
Outcome, cost, risk, and what gets retired or absorbed. Wants to know how this deal moves the strategic narrative.
Kills the deal when
The business case is fuzzy, the savings story is unproven, or the deal does not fit the strategy they have already committed to the board.
Technical
Technical Buyer
Function in the deal
Validates that the product actually works in the customer's environment. Runs the POC. Makes the recommendation that the economic buyer signs.
Enters when
Early in the cycle, often before the economic buyer is engaged. Owns the shortlist. In security deals, this is the SOC lead, the cloud security lead, the identity lead, or the AppSec lead depending on category.
Cares about
Capability depth, integration with the existing stack, operational cost (alert volume, false positives, tuning burden), and roadmap.
Kills the deal when
The POC reveals operational pain the demo hid, the integration story doesn't hold up, or the vendor cannot answer technical questions without escalation.
Champion
Champion
Function in the deal
Internal sponsor who feels the pain the product solves. Pushes the deal through the organisation's objections, navigates internal politics, schedules the meetings that need to happen.
Enters when
Often the first person the vendor talks to. Has to exist for the deal to move; if the vendor cannot identify the champion, the deal is not real.
Cares about
Career outcome (solving a visible problem gets noticed) and risk to themselves (a bad pick reflects on them). Will negotiate hardest on the parts that affect their team directly.
Kills the deal when
Champion leaves the company, gets reorganised, or loses internal political capital. Champion-loss is the most common late-stage deal death.
Blocker
Blocker
Function in the deal
Resists the deal. May own an incumbent tool that would be displaced, or may have a process / preference / territorial interest that the new product threatens.
Enters when
Surfaces when the deal becomes real. The earlier blockers are identified, the more options there are to neutralise; late-surfacing blockers usually kill deals.
Cares about
Maintaining their current operational footprint, avoiding the work of switching, or protecting their political position. The objection is rarely the real objection.
Kills the deal when
The blocker has veto power and the champion cannot neutralise it. Common forms: 'we standardised on incumbent X', 'we need procurement to approve a competitive process', 'security cannot approve this until SOC 2 / penetration test / etc.'
Procurement
Procurement
Function in the deal
Controls the vendor management, contract, and risk-review process. Operates on policy, not on outcome — their job is to apply the company's rules consistently.
Enters when
After the champion identifies the vendor as preferred, before the contract can be signed. In enterprise, often the longest pole in the tent — six-month procurement cycles are not unusual.
Cares about
Vendor risk (financial, security, operational), contract terms, payment terms, and process adherence. Will not advocate for the deal but can slow or kill it for non-compliance.
Kills the deal when
The vendor fails the security review, refuses to accept the standard MSA, will not provide insurance evidence, or cannot demonstrate financial viability. Often kills via inertia rather than rejection.
Legal
Compliance / Legal
Function in the deal
Reviews contract terms, data-processing agreements, security certifications, and regulatory exposure. Defines what evidence the vendor must produce and what contract language is acceptable.
Enters when
During procurement for any deal involving customer data, PII, regulated workloads, or vendor risk above a threshold. Earlier in industries with heavy regulatory exposure.
Cares about
Liability, breach notification obligations, data-residency, sub-processor disclosure, audit rights, and certification status (SOC 2, ISO 27001, FedRAMP, GDPR / DPA, HIPAA BAA).
Kills the deal when
The vendor lacks required certifications, refuses to accept liability terms, will not sign a BAA / DPA, or cannot meet data-residency requirements. Often produces a multi-month back-and-forth that the champion is not equipped to manage.
Finance
Finance
Function in the deal
Challenges the ROI claim, the consolidation claim, and the budget impact. Pushes for shorter terms, fewer commitments, and more measurable outcomes.
Enters when
For deals above a budget threshold or when the deal is positioned as a cost-takeout / consolidation. Always present when the CFO is the economic buyer.
Cares about
Total cost of ownership, payback period, what existing line items get retired, and whether the savings are real or theoretical. Sceptical of vendor ROI math by default.
Kills the deal when
The savings story falls apart under scrutiny, the contract structure looks unfavourable (large upfront, all-or-nothing, hard to exit), or the cumulative spend across security tools triggers a portfolio review.
Board
Board / Audit Committee
Function in the deal
Does not evaluate the product. Creates the pressure that makes the deal happen — sets the expectations, asks the uncomfortable questions, signs off on the strategy.
Enters when
Indirectly. The CISO is preparing for the board meeting; the board's agenda becomes the CISO's buying agenda. After a regulatory development (SEC cyber disclosure) or peer incident, board attention sharpens fast.
Cares about
Defensibility, reportable outcomes, regulatory posture, and 'are we doing what our peers are doing'. Wants narrative and metrics, not architecture.
Kills the deal when
The strategy the deal supports loses board support. Rare to kill specific tooling directly; common to kill the budget that funds it.
The Fit Matrix
How cybersecurity categories map to buyer maturity, company size, industry fit, and GTM motion.
A category appears in multiple lanes when its buyer-maturity range spans stages. Stage 1 is conspicuously sparse — only the categories that fit Reactive / Underbuilt teams land there, which is itself an insight about cyber's addressable market at the bottom of the ladder.