News, news analysis, and commentary on the latest trends in cybersecurity technology.

The CISO Shortlist: Top Priorities at RSAC 2022

The buzz on the show floor during RSA Conference is about aligning the organization's security priorities with the right technology. Will Lin, managing director and founding member at Forgepoint Capital, weighs in on the biggest security priorities for 2022 — and what kind of tech senior-level executives are looking for.

Will Lin, Managing Director, Forgepoint Capital

June 6, 2022

3 Min Read
The bar chart from the CISO Security Priorities Model shows CISOs are focusing on cloud and application security in 2022.
Source: CISO Security Priorities Model, Forgepoint Capital

At Forgepoint Capital, I have the unique, ongoing privilege of asking for help from the best and brightest in the cybersecurity space. Aggregating insights from a variety of expert sources provides a clear view of what works, what doesn’t, and where the industry is headed.

Our recent CISO Security Priorities Model report goes a step further and democratizes access to information on cybersecurity priorities and trends. For the report, we surveyed senior-level executives (CISOs, CIOs, CSOs, CTOs, CDOs, etc.) across different sectors and organization sizes.

The survey revealed several interesting patterns on cybersecurity spend, differences between small and midsize (SMB) business and large enterprise priorities, and the strategic direction organizations expect to take over the next several years. The goal of the report is to answer these three questions for 2022:

  • What are CISOs top security priorities?

  • What NIST cybersecurity framework priorities are CISOs focused on?

  • What areas of control are CISOs focused on?

Key insights from the report include:

  • Large enterprises are focused on digital transformation and incident response, and SMBs are focused on people. While some overlap exists in security concerns across organizations of all sizes, there are stark differences between priorities for large enterprises and SMBs. For example, CISOs at large enterprises report incident response as a top priority, while that was near the bottom of the list for SMBs. SMBs tend to prioritize human aspects of cybersecurity, such as talent development and security awareness instead.

  • Cloud and digital transformation is now a CISO priority. Cloud and digital transformation have traditionally been the domain of CTOs and CIOs. CISOs at large enterprises are now reporting cloud, business, and digital transformation as their top priority, so clearly that paradigm has shifted.

  • CISOs are spending on areas where they can make a measurable impact. Security budgets are growing — 76% of CISOs expect to see a security budget increase — and organizations are being very intentional with their spend. Decision-makers are prioritizing areas where they can see ROI and impact. In practice, that means focusing on areas where teams can move quickly, which tends to vary by industry. For example, security hygiene is a key focus for professional services, while healthcare is prioritizing software supply chain security and third-party risk.

  • New areas of control are growing in popularity. Traditional security control areas like network, endpoint, identity, and data remain important priorities for many enterprises. However, digital transformation is bringing new areas of control to the forefront. Specifically, DevSecOps (54%) and cloud, infrastructure, and APIs (62%) were leading areas of control organizations plan to prioritize.

  • Vendors and organizations both aim to address key NIST functions. According to the cybersecurity leaders we surveyed, the three most popular NIST cybersecurity framework priorities for 2022 are protect, detect, and identify. Interestingly, this overlaps with the focus of security vendors placing an emphasis on visibility in their products. While this overlap may be explained by mutual interest between enterprises and vendors, it could also suggest a lack of products that focus on response and recovery.

Additionally, some of the most interesting insights were the more nuanced tactical challenges facing CISOs. For example, while identity is still a top priority for many organizations, finding talent with the requisite skills across major cloud providers is proving to be a challenge for some. An AWS security engineer may not be familiar with GCP or Azure. Often, those real-world pain points are where innovation in the space can have a significant impact.

That’s just the tip of the iceberg when it comes to what we’ve learned in our survey of cybersecurity leaders. 

Here is Forgepoint Capital's full report.

About the Author(s)

Will Lin

Managing Director, Forgepoint Capital

William (“Will”) Lin is a Managing Director and Founding Member at Forgepoint Capital (FPC)

Forgepoint was founded in 2015 and is investing $770M dedicated to startups protecting the digital future; FPC is currently the largest and most active team in the category.

Will is honored to be a coach for entrepreneurs at multiple companies including: Attivo Networks, Bishop Fox, Concourse Labs, Cyberhaven, LoginRadius, Remediant, Sphere, Symmetry Systems, Uptycs and a Stealth Investment.

Will is also a Co-Founder & President of the Security Tinkerers, a non-profit organization that brings together information security professionals to share learnings, provide mentorship, and generate opportunities for the security community and its next generation of leaders. He is a Visiting Fellow at the National Security Institute at George Mason University’s Antonin Scalia Law School. He also is a regular contributor to SecurityWeek, was named a Venture Capital Journal Rising Star, and is an avid connector in the cybersecurity entrepreneur, investor, and practitioner ecosystems.

Will holds a BA from the University of California, Berkeley, and found his calling at the intersection of IT and entrepreneurship after starting businesses to help pay for college. When not in the office, you’ll find Will on the hunt for up-and-coming restaurants or talking about startups at home with his VC spouse.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights