At Forgepoint Capital, I have the unique, ongoing privilege of asking for help from the best and brightest in the cybersecurity space. Aggregating insights from a variety of expert sources provides a clear view of what works, what doesn’t, and where the industry is headed.
Our recent CISO Security Priorities Model report goes a step further and democratizes access to information on cybersecurity priorities and trends. For the report, we surveyed senior-level executives (CISOs, CIOs, CSOs, CTOs, CDOs, etc.) across different sectors and organization sizes.
The survey revealed several interesting patterns on cybersecurity spend, differences between small and midsize business (SMB) and large enterprise priorities, and the strategic direction organizations expect to take over the next several years. The goal of the report is to answer these three questions for 2022:
- What are CISOs' top security priorities?
- What NIST cybersecurity framework priorities are CISOs focused on?
- What areas of control are CISOs focused on?
Key insights from the report include:
- Large enterprises are focused on digital transformation and incident response, and SMBs are focused on people. While some overlap exists in security concerns across organizations of all sizes, there are stark differences between priorities for large enterprises and SMBs. For example, CISOs at large enterprises report incident response as a top priority, while it was near the bottom of the list for SMBs. SMBs instead tend to prioritize human aspects of cybersecurity, such as talent development and security awareness.
- Cloud and digital transformation is now a CISO priority. Cloud and digital transformation have traditionally been the domain of CTOs and CIOs. CISOs at large enterprises are now reporting cloud, business, and digital transformation as their top priority, so clearly that paradigm has shifted.
- CISOs are spending on areas where they can make a measurable impact. Security budgets are growing — 76% of CISOs expect to see a security budget increase — and organizations are being very intentional with their spend. Decision-makers are prioritizing areas where they can see ROI and impact. In practice, that means focusing on areas where teams can move quickly, which tends to vary by industry. For example, security hygiene is a key focus for professional services, while healthcare is prioritizing software supply chain security and third-party risk.
- New areas of control are growing in popularity. Traditional security control areas like network, endpoint, identity, and data remain important priorities for many enterprises. However, digital transformation is bringing new areas of control to the forefront. Specifically, DevSecOps (54%) and cloud, infrastructure, and APIs (62%) were leading areas of control organizations plan to prioritize.
- Vendors and organizations both aim to address key NIST functions. According to the cybersecurity leaders we surveyed, the three most popular NIST cybersecurity framework priorities for 2022 are protect, detect, and identify. Interestingly, this overlaps with the focus of security vendors placing an emphasis on visibility in their products. While this overlap may be explained by mutual interest between enterprises and vendors, it could also suggest a lack of products that focus on response and recovery.
Additionally, some of the most interesting insights were the more nuanced tactical challenges facing CISOs. For example, while identity is still a top priority for many organizations, finding talent with the requisite skills across major cloud providers is proving to be a challenge for some. An AWS security engineer may not be familiar with GCP or Azure. Often, those real-world pain points are where innovation in the space can have a significant impact.
That’s just the tip of the iceberg when it comes to what we’ve learned in our survey of cybersecurity leaders.