Hype about investing in cybersecurity has given way to talk about economic headwinds, and cybersecurity, seen as a cost center, is keeping a close eye on the budget chopping block.
This disruption in 2023 is expected to negatively impact the cybersecurity vendor landscape and spur consolidation. One CISO even viewed some of the potential market moves as bargains.
Cybersecurity executives are expected to comply with regulations, even when resources are tight. There’s also been a lot of attention from the CISO’s desk on what due diligence means, following the conviction of Uber’s CISO last year.
Cybersecurity Dive asked researchers and analysts what impact they expect cybersecurity will have on their business this year. Below is how the four experts responded.
(Responses edited for length and clarity.)
Mauricio Sanchez, Research Director, Dell’Oro Group, said:
Vendor and solution integration will continue. Large vendors with momentum in the market grow by taking the small fish in the market.
Security budgets will remain largely unaffected in 2023, as security is a board-level conversation and a budget priority. Not only do we not want to make headlines for a data breach, the Uber CISO conviction has shaken the meaning of due diligence.
Your security budget won’t be affected, but how you spend it will continue to change. Organizations will focus on cloud-delivered and SaaS-based security to protect hybrid work and cloud applications over traditional security infrastructure (such as firewalls).
Mary Garrigan, Deloitte U.S. Cyber Crisis Management Leader, said:
As the cyber threat landscape continues to evolve and become more sophisticated, the role the board plays in overseeing cyber risk becomes increasingly important.
If an organization prioritizes customer trust along with continued growth, the board can position cyber as a strategic enabler to help strengthen relationships between customers, vendors, employees, and shareholders.
By recognizing the direct financial impact value of a robust cybersecurity posture, the board can more effectively oversee cybersecurity risk management activities.
Recent SEC proposals emphasize governance, risk management, strategy, and timely notification to investors. Leaders can put cyber risk and the board at the heart of these initiatives to evolve and shape current and future business models, and should consider doing so.
Rick Holland, CISO and VP of Strategy at Digital Shadows, said:
Economic headwinds will disrupt the cybersecurity vendor landscape. Now that the free money era is over, some vendors will raise capital while others will go out of business.
Security buyers should conduct due diligence when considering cybersecurity startups. Yesterday’s cool new vendor could be tomorrow’s bargain.
With over 4,000 cybersecurity vendors, the economy will also drive consolidation, and many of the surviving vendors will become features of other vendors’ platforms.
Lucia Milica, Proofpoint global resident CISO, said:
Talking with my colleagues, I think the CISO role will become even more prominent next year. The number of successful cyberattacks and the widespread damage they have caused is reaching a boiling point with new regulatory scrutiny.
Proposed reporting requirements from the U.S. Securities and Exchange Commission will require public companies to be more transparent and have better cyber defenses. This is all up to the CISO.
As evidenced by the recent conviction of a former Uber CISO, there will be new responsibilities in addition to those in the event of a violation. Our industry was already struggling to recruit qualified professionals, so such a decision presents an even greater challenge.
Now that CISOs are in the spotlight, their relationship with the board needs to change. …
The increased pressure of potential personal liability will only add to the tension in the relationship between the board and the CISO, with significant implications for organizational security. The main disconnect is that both parties do not speak the same business language.
CISOs must learn to talk about cybersecurity vulnerabilities and risks in ways that resonate with executives. These conversations should be conducted regularly in business terms, not security jargon.