Skip to content

Forgepoint Capital Builds First-Ever CISO Security Priorities Model

June 6, 2022

  • Blog Post

Survey of More Than 100 Security Leaders Outlines Top CISO Priorities for 2022 across Companies of All Sizes & Sectors

View summary infographic here.

The cybersecurity industry has only gotten more complex as it has continued to evolve. Multiple new vendors are created daily, and new categories are named by industry analysts quarterly with the aim to solve fundamental security needs. Threat actors continue to keep Chief Information Security Officers (CISOs) on their toes and security leaders as such are always looking for new ways to counter their organization’s technology threats.

As such, the importance for security leaders to prioritize their time, budgets and defenses has never been greater – especially when coupling in the impact of digital transformation. With the severity and high costs to recover from ransomware attacks, data breaches, IP theft and more, cybersecurity remains a top strategic business objective for all executives and in years to come, regardless of company size or sector.

Of course, CISOs have a myriad of responsibilities related to information and data security, and in today’s landscape of ever-evolving cybersecurity threats and enterprise-wide security awareness, the CISO role can grow more nuanced depending on a variety of factors including the size of the company, the industry, business continuity risks, compliance drivers and more.

To better understand CISOs’ top cybersecurity concerns and priorities, Forgepoint Capital surveyed more than 100 CISOs from large enterprises and SMBs across the financial services, software, healthcare, and professional services industries. The survey focused on answering three key questions:

  • What are your organization’s top security-related priorities in 2022?
  • Which controls along the National Institute of Standards and Technology (NIST) cybersecurity framework are you working on in 2022?
  • Which areas of control are you focused on in 2022

 

A Multitude of Perspectives

The survey revealed unique differences between CISOs on all dimensions including vertical, company size and cloud migration status. To better understand the results, we’ve hosted multiple working sessions using this data with voiceovers. Our key takeaways include:

Size Matters

Organizations have unique security priorities with three primary segments based on headcount: Greater than 1,000 employees, 50 – 1,000 employees and less than 50 employees. Very large (>10k FTE) and large (1-10k FTE) organizations had similar business priorities with cloud/digital/business transformation and incident response being their top two priorities.

Meanwhile organizations with 50 – 1,000 employees prioritized security hygiene and software supply chain/vendor risk as their top two priorities. Security hygiene is critical, since most breaches are due to unpatched systems, misconfigurations, poor passwords and other easily avoidable issues. Typically, organizations of this size don’t have the budget to build multiple backups and failovers, with real scenarios where a security incident can put the company out of business.

Finally, organizations with less than 50 employees prioritized talent development and social engineering awareness as their top two priorities. At smaller organizations, talent departure and social engineering attacks can have major ramifications. Due to the small size of their employee base, these companies can realistically affect more change by focusing on human capital than a large organization can. As companies grow larger, no matter how much access control is established, threat vectors will remain. Thus, the focus shifts from personnel to security automation and incident response.

“Small companies rely more on human capital. For small companies, if you lose one person, that could be literally five percent of your company.” – CISO of a Small Software Company

Cloud Migration Drives Priorities

This is where we saw the biggest difference between very large enterprises (>10k FTE) and large (1-10K FTE) enterprises and saw the shift in results at 10k FTE.

In part, this is because very large companies typically have more customized architecture and require an exponential lift in their digital transformation journey. Meanwhile, small companies have a higher proportion of workloads on software as a service (SaaS) apps, which drives differing priorities around incident response as well.

“As a small company, due to the nature of our footprint and architecture, we don’t have a lot of security incidents relative to the larger companies that have a more diverse footprint.” – CISO of a Medium Healthcare Company

ROI Dictates Security Prioritization
When examining CISOs’ views of security prioritization by industry, the survey found that all security professionals prioritize areas with the highest return on investment (ROI). For example, 50% of professional services companies marked security hygiene as an essential focus, but healthcare professionals are focused more on the software supply chain and third-party vendor risk, such as the security of connected medical devices, given its bigger tie to ROI in their field.

“CISOs focus on things we can make progress in. Some things are hard to make progress in due to dependencies on others, so CISOs prioritize items that are within their control and have the ability to move quickly.” – CISO of a Large Software Company

Interestingly, digital transformation emerged as a top priority for CISOs in every industry except for professional services. This could be explained by the inherently remote-first nature of providing technology support to large organizations with a highly mobile workforce.

New vs. Traditional Areas of Control

When asked about the control areas they expect to prioritize in 2022, CISO survey respondents focused on a combination of new and traditional security controls. This was interesting, because historically speaking, network, endpoint, identity, and data were the initial areas of focus, followed by intelligence and incident response.

However, with the rise of digital transformation in the last decade, new security access controls like cloud infrastructure and application programming interfaces (APIs), as well as  development, security, and operations (DevSecOps) have become the focus at 62% and 54%, respectively. This is largely driven by digital transformation, multi-cloud architecture, and embedding security into agile application development, i.e. DevSecOps.

Survey respondents said traditional access control areas like data (40%) and identity (41%) are still top priorities for organizations. As companies across the board have become more data driven, the ability to protect an exploding amount of data while adhering to evolving data privacy laws has created a new set of challenges. Likewise, identity remains a key area of control — expanding beyond customers and employees into machines as machine-to-machine communication, and continues to explode with the proliferation of APIs and SaaS apps.

“Somebody well versed in AWS infrastructure security may not have the same skill set in a GCP or Azure context. One of the challenges – if an organization wants to have a multi-cloud strategy – the teams need to have three distinct pillars of skills and competencies. Even though, conceptually, access control is access control, how it’s handled differs among cloud providers.” – CISO of a Very Large Financial Services Organization

More than a quarter (28%) of CISOs highlighted incident response and cyber insurance as top areas of control. With ransomware, malware, APTs and other cyberattacks at all-time highs, organizations of all sizes need to consider investing in cyber insurance to mitigate risk and any fallout from a breach. Security operations teams must also have a strong incident response (IR) playbook at the ready, to control and contain the damage of a cyberattack.

Organizations and Vendors Share Focus on Key NIST Functions
The survey also found that the three most popular functions as defined by the NIST cybersecurity framework were protect (68%), detect (66%), and identify (59%). The NIST prioritization for the survey respondents aligns with the focus of security vendors that usually advertise capabilities around visibility, which fall within the identify, protection, and detection buckets. The focus of respondents and cybersecurity vendors is likely either because of mutual interest or it could be the result of a lack of products that provide response and recovery capabilities.

While the trends identified through this survey are enlightening, security innovation doesn’t fit cleanly into predefined categories. Instead, vendor capabilities tend to overlap NIST functions and access control areas.

“A lot of the innovation doesn’t fit into a normal defined category. We’re in a fascinating transitional period with respect to our security architecture and the types of tools that we use. I feel sorry for CISOs that have to squeeze stuff into a predefined budget category. Hopefully, in two-years’ time, there’ll be a little bit more clarity on these categories that will help make it easier for them.” – CISO of a Medium-sized Professional Services Organization

Increasing Security Budgets in 2022
Three-quarters (76%) of CISO survey respondents say they expect security budgets to increase this year. This is a telling signal that cybersecurity will continue to remain a priority and focus for CISOs now and in the future, for companies of all sizes. As cybersecurity budgets increase, it’s expected that budgets will become more flexible to accommodate new and emerging products that defy the limitations of the currently identified categories.

 

***

Survey Methodology: Forgepoint Capital surveyed 102 senior level executives, including CISOs, CSOs, CIOs, CTOs, CDOs and others, across several sectors including healthcare, financial services, professional services and software. The survey classified company sizes into very large (more than 10K employees), large (between 1K and 10K employees, medium (50 to 1K employees) and small (under 50 employees).