The Art of AI Procurement, Grounded in Risk and Deep Understanding of Organizational Need
CEO, CISO, and Principal at SNM Consulting, Aruneesh Salhotra, argues that before they start piecing together AI solutions, security leaders first need to dig deep into risk and experimentation to adopt the right solutions.

Key Points
Cybersecurity leaders are investing heavily in AI without a clear strategy, making it difficult to understand how this technology impacts vulnerability, risk, or ROI.
Aruneesh Salhotra, CEO, CISO, and Principal at SNM Consulting, argues that leaders must understand risk and organizational goals before adopting AI, lest they create additional vulnerabilities and revenue losses.
He advises leaders to dig deep into risk and data management, experiment with open-source solutions, and translate knowledge gained to adopt suitable tech from the right vendors.
AI security is only as effective as your data security or data classification. If you don’t know where your assets are sitting, you’re essentially flying blind.
As AI-driven cyber threats evolve, cybersecurity leaders are investing millions in AI. The problem is that many are doing so without a clear data strategy. While this lack of strategy can lead to a disconnect between AI systems and organizational infrastructure, it also makes it difficult to quantify the return on that investment. Without a clear strategy and ROI metric, many leaders are unable to fully rationalize the cost of these platforms.
It’s a challenge that technologist and cybersecurity leader Aruneesh Salhotra knows well. As CEO, CISO, and Principal at SNM Consulting, Salhotra combines deep technical expertise with strategic leadership to advance industry standards. Through his work as a project lead at the OWASP Foundation and as Co-Chair of the Governing Board at the GlobalCISO Leadership Foundation, he has led the charge for modern, effective cybersecurity standards. He says that before pouring more money into tools, security leaders must first address a much more fundamental issue of understanding organizational needs.
"AI security is only as effective as your data security or data classification," Salhotra says. "If you do not know where your assets are sitting, you are flying blind." Salhotra argues for a return to disciplined, risk-based prioritization. In practice, this means grounding strategy in a sober assessment of risk and an understanding of data, even if it means resisting executive pressure to simply "do something with AI." Such an approach requires risk-based prioritization to guide security investments and for leaders to evaluate likelihood, exposure, and financial impact before reacting.
Un-balancing act: While it's clear to Salhotra that AI is a crucial new technology, the rush to adopt it shouldn't undermine long-standing organizational needs. "I've seen organizations become lopsided by prioritizing AI under the assumption that it's the biggest risk. Work that was supposed to be done five years ago gets stalled because the business is asking for something very different from what the organization actually needs." Such reactive behavior can lead to severe consequences. The rush to adopt AI security capabilities fuels fragmented purchasing decisions, driving tool sprawl across large enterprises where dozens of vendors already exist.
Threat theater: That sprawl, in turn, can create greater operational risks beyond the threats it is meant to solve, raising questions about the value of investments that can reach multi-million-dollar levels. "When a new threat emerges, leadership often changes direction," he says. "You have to look at these threats from multiple lenses: What is the likelihood of it happening? What is the real exposure? Are you looking at a financial risk or a reputational one? All of those things should dictate where your investment should happen."
While Salhotra acknowledges the pressure on leaders to "bite the bullet" and procure AI solutions to move the business forward, he stresses that any such spending must be deliberate. For many leaders, this reality presents a difficult strategic choice, often pitting large enterprise platforms against specialized "best-in-breed" solutions. Put more concretely, it is a choice between fewer, larger vendors and a web of boutique innovators.
Deflating the vendor balloon: Working with vendors is just the cost of doing business in any enterprise, but for Salhotra, a solid AI vendor security strategy can dictate how large your pool has to be. "Any sizable enterprise already has 60 to 90 security vendors. With AI security now entering the mix, the question is whether strategic planning will mean you grow from 60 to 70 vendors, or if a lack of planning will let that number balloon to 100. That long-term vision is absolutely vital."
But this isn't the whole story for the AI vendor market. Recalling how the CNAPP market consolidated around major players like Palo Alto, Salhotra says that for a large enterprise, a vendor's financial stability and ability to absorb liability are just as important as its technical capabilities. "A large enterprise should prefer working with major vendors that have the collateral and financial backing to absorb liability," he says. "If you're using a small solution from a company without deep pockets and they get hit with lawsuits, they're going to be out of business."
Experiment, then shop: Furthermore, organizations don't need to adopt the "best" solutions right out of the gate. Salhotra suggests using open-source solutions to help with immediate problems and promote experimentation. "You can actually use open-source solutions to understand what's happening, what needs to be done. That gives you some buying time to say, 'I understand this particular problem a lot better.' And once you're speaking to a large vendor, you skip the fluff."
Ultimately, Salhotra’s prescription is a call for more deliberate preparation before any major investment. He advises leaders to experiment thoughtfully, understand the problem space deeply, and map business objectives to security solutions before committing to large vendor platforms. This supports a risk-based approach to security and connects it with organizational goals like ROI: "Do you really understand the nitty-gritty of what needs to happen? If not, companies are gonna sell you stuff that you may not need. You might need only a fraction of that functionality. But you don't know that unless you can really boil down, in terms of security or governance, what you need."