Stop Cybersecurity Consumerism (Part 1/2): The BNPL Trap

It’s a new year and that means it’s time to renew resolutions. Almost immediately after budgets have been allocated for security teams to support massive transformational projects, window shopping has started. They are looking at this year’s hottest “AI-powered,” “best in class,” “award winning” tool.  When they’re asked about progress on the projects that were funded? You might receive a stuttered response only Porky Pig could match.   

The problem: this is a tool-centric mindset and may not be aligned nor effective at balancing costs and outcomes. 

We are in the beginning of 2026 and New Year’s resolutions are starting strong. Just as some friends and family reignite their health journey through overconsumption by purchasing gym equipment, supplements, and memberships, few will prevail through the year and put in the work long enough to see the results months from now. 

Just as consumerism exists at an individual level, cybersecurity consumerism is where cybersecurity teams are more focused on the procurement of tools and projected benefits than on taking realistic approaches to maximizing actual outcomes. In this series, I’ll explore three indicators of cybersecurity consumerism, beginning with purchasing habits.

Buy Now, Perform Later (BNPL)

One of the most popular New Year resolutions is to become healthy. The unfortunate first step for many of us is to default consumerism: purchasing gym clothes, gym equipment, and/or a gym membership before even performing the first exercise. Historically, some gyms experience a 79% increase in average sign-ups just in the month of January. 

We spend more time finding the “right” gym, equipment, and attire rather than building a plan and doing the hard work to actually get in shape. Performance is often punted to a wishful “later”.

Technologists fall into the same trap when looking at processes that could be improved or outcomes that could be enabled by technology. Tools can improve task efficiency, consistency, and free up more time for higher-value work. However, many tool decisions are made in anticipation of a future operational state that is idealistic rather than realistic. 

Sometimes there is not even an inefficient process in place today that would benefit from such tools. Other times, the organization already has tools that can perform the same function with some elbow grease, which is magnitudes less expensive over the procurement, deployment, and maintenance of a brand-new tool. 

BNPL in cybersecurity usually looks like this:

• Buying a tool before the underlying activity exists

• Buying for a future-state operating model without staffing 

• Buying for a capability without practical integration considerations or ownership

What should you do to counter cybersecurity consumerism?

Start by determining if there is a need for the technology in the first place. It is admirable to build for an intended future state, but you need to truthfully ask yourself if all the beneficiaries and supporting functions are in a state where they would benefit. 

At SUSA, our design thinking services help you identify when cybersecurity consumerism is creeping into your space and clouding your ability to perform to your full potential. Through a people-centric, outcomes-driven approach, we clarify value drivers and co-create a strategy for performance. 

In the next part, I’ll cover the next two indicators that help you rationalize spend and optimize value.