
Going into 2026: What founders and security leaders need to know

Ross Haleliuk cuts through the annual industry noise to deliver a stark truth: the era of selling cybersecurity on fear is over, and the market is now demanding hard proof of business value. This isn't just a prediction for 2026; it is a diagnosis of why hundreds of startups are currently stuck in a growth limbo while CISOs face impossible budget scrutiny. For the busy executive trying to cut through the marketing fluff, Haleliuk's analysis offers a rare, unvarnished look at the shifting mechanics of the security marketplace.

The Death of the Defensive Pitch

Haleliuk begins by dismantling the assumption that security buyers are curious experimenters. Unlike product managers or marketers who constantly swap tools to find a competitive edge, security leaders are driven by necessity. "Most security purchases have historically been rooted in helping companies not get screwed, and not in achieving efficiencies or helping CISOs be more innovative," Haleliuk writes. This distinction is crucial because it explains why the traditional sales motion fails. In other sectors, a new tool is a chance to innovate; in security, it is a reaction to a threat or a compliance mandate.

The author argues that the industry has long relied on Fear, Uncertainty, and Doubt (FUD) because buyers were desperate for safety. However, the market has matured. "CISOs are starting to ignore tools trying to scare them, and instead look for enablers of business resilience and efficiency," Haleliuk observes. This shift is ironic, given that vendors have spent years preaching that CISOs must become business-savvy leaders. Now that CISOs are finally adopting that mindset, they are rejecting the very vendors who created the criteria they can no longer satisfy.

Critics might argue that FUD will never fully disappear as long as the threat landscape evolves, but Haleliuk's point is about saturation. When every vendor screams "you will get breached," the message loses its power, leaving only those who can demonstrate tangible return on investment.

"The reason why that is the case is that most of the time, sales motions in cyber are defensive."

From Proof of Concept to Proof of Value

The article identifies a critical evolution in how deals are structured: the move from Proof of Concept (POC) to Proof of Value (POV). Haleliuk explains that in the past, buyers needed to validate that a novel technology actually worked. Today, the underlying mechanics of sensors, firewalls, and runtime analysis are well understood. "Just because the sensor is looking at some telemetry, doing analysis at runtime, and generating findings, it doesn't mean there's going to be much value," Haleliuk notes. The question has shifted from "How does it work?" to "So what?"

This creates a difficult hurdle for startups. As Haleliuk puts it, "Founders today aren't going to get asked 'How does it work?', they're going to get asked 'So what?'" This aligns with the broader theme of ROI discussed in related industry deep dives, where the focus has moved from theoretical capability to measurable business outcomes. The challenge is that quantifying the value of attacks that didn't happen remains notoriously difficult, yet it is now the primary metric for budget approval.

The author highlights the immense pressure on CISOs to justify security spend in an environment where revenue-generating projects are prioritized. "Any CISO who can get their executive team bought-in to fund new security initiatives when everything is about cost-cutting and top-line growth, is a master communicator, negotiator, and evangelist," Haleliuk writes. This reframes the CISO not as a cost center, but as a high-stakes diplomat who must prove security is an enabler of growth, not a brake on it.

The Trap of "Better" and the Inertia of the Status Quo

Perhaps the most damning critique in the piece is directed at the startup ecosystem. Haleliuk argues that the biggest gap in the industry is not a lack of communication skills, but a lack of clarity among entrepreneurs. "The biggest industry gap, in my view, has nothing to do with the ability of security leaders to communicate the value of security controls... Instead, it is the fact that way too many entrepreneurs have no idea what problem they are solving," Haleliuk asserts.

This point is reinforced by referencing Eyal Worthalter's observation that the "better mousetrap" pitch is dead. Enterprises have already built their foundations with EDR, SIEM, and other core tools. To displace them, a new solution must offer a tenfold improvement, not a marginal gain. "Unless you're 10X better (not 50% - 10X), you're fighting a losing battle against organizational inertia," Haleliuk quotes. The cost of ripping out existing integrations and retraining teams simply outweighs the benefit of incremental improvements.

This is a harsh reality for the hundreds of new startups in stealth mode. They are competing against "good enough" solutions that are already deeply embedded in the corporate stack. As Haleliuk summarizes, "Most honest feedback I got last year was: 'Your solution is better. But 'better' isn't worth the change management overhead.'" The market is no longer rewarding novelty; it is rewarding necessity and massive efficiency gains.

The Path Forward for 2026

Despite the grim outlook for mediocre startups, Haleliuk remains optimistic about the maturation of the industry. The pressure is forcing a necessary clarity. The article points to recent positive signs, such as the SEC dismissing the case against the CISO of SolarWinds and the support shown for CISOs at companies like Coinbase. These moments suggest a cultural shift where leadership is beginning to understand that security failures are systemic, not just individual failures.

However, the path ahead is narrow. Deals will only close if they solve a net-new problem or address a specific compliance requirement that existing stacks cannot touch. "Going into 2026, the market will only become more competitive," Haleliuk warns. The noise from vendors will only make it harder for security leaders to distinguish signal from static. The silver lining, according to the author, is that this pressure will force both buyers and sellers to refocus on the fundamentals.

Bottom Line

Ross Haleliuk's argument is a necessary corrective to the industry's obsession with hype, correctly identifying that the "better mousetrap" strategy is dead in a market saturated with "good enough" solutions. The piece's greatest strength is its unflinching diagnosis of why startups fail to grow: a lack of clear problem definition rather than a lack of technology. The biggest vulnerability of this analysis is that it assumes a rational market where CISOs have the leverage to demand 10X value, potentially underestimating the continued pressure of regulatory fear that still drives many enterprise purchases. Readers should watch for which startups can pivot from selling "features" to selling undeniable business outcomes, as those will be the only ones surviving the 2026 shakeout.

Deep Dives

Explore these related deep dives:

  • Return on investment

    The article centers on the shift from FUD-based selling to ROI-based justification for security purchases. Understanding ROI as a formal business metric, its calculation methods, and limitations helps readers grasp why demonstrating security ROI is particularly challenging.

  • Proof of concept

    The article discusses the evolution from proof of concept (POC) to proof of value (POV) in security sales. Understanding the formal definition and history of POC in technology and business contexts illuminates why this transition represents a fundamental change in buyer expectations.

Sources

Going into 2026: What founders and security leaders need to know

by Ross Haleliuk · Venture in Security

The last post of the year is usually also the hardest to write because it always feels like it should be deeper, smarter, and more insightful than usual. The good news is that I was able to free myself from these self-imposed expectations, but the bad news is that this post is still going to feel a lot like a reflection of a sort. This has become a tradition: a year ago (gosh, it’s been a full year!) I invited readers to have an honest conversation about the state of cybersecurity, and this time around, I am going to talk about selling security as we go into 2026 and what the market expectations look like.

This issue is brought to you by… Tines.

The security leader’s playbook to GRC

Manual compliance work is costing your team time - and fueling burnout. But the path forward from planning to action can feel ambiguous. Which workflows deliver the fastest value? How should APIs be configured?

In this new guide, the security leader’s playbook to GRC by Drata and Tines, you’ll learn:

  • Concrete steps to replace reactive compliance with continuous, automated GRC

  • Key use cases for GRC orchestration, including streamlining evidence collection, audit preparation, and response

  • Metrics of success and a sample ROI model for a more resilient, proactive GRC program

The one thing that makes selling security different than selling most other products.

We can talk all we want about how security is different from other industries. I do this pretty often because not everyone understands that security is a horizontal, not a vertical; that in security, there is a unique driver of innovation that can’t really be found in any other market except for defense - the adversary, and that for a long list of reasons, everything in our industry relies on trust.

All this is true, but we’ll never be able to understand the complete picture until we discuss why selling security is different than selling most other products. The reason why that is the case is that most of the time, sales motions in cyber are defensive. What this means is that security leaders aren’t casually exploring “what new tools are available on the market” and instead, they are responding to the risk, compliance, or board-level concerns. Don’t take me wrong, CISOs and other security leaders are most definitely curious about what’s out there - what new startups, ideas, ...