Most organizations are increasing their cybersecurity budgets with CISOs planning to widen spending on identity and access management (IAM) and cloud security services. That’s according to Team8’s 2023 CISO Village Survey, which quizzed 130 global CISOs on a variety of security issues. It found that, along with expected increases in IAM and cloud security spending, CISOs are also looking for improved third-party risk management, AI security, and human error/insider risk reduction solutions.
Separate research published in June suggested that security budget hikes are missing the mark, with knee-jerk reactions and impractical expectations hampering the ability of CISOs to make business-critical security investments. The research came from risk and cybersecurity solutions provider BSS, which surveyed 150 security leaders, indicating that misguided expectations of budget holders regarding security spend are causing problems for CISOs despite notable budget increases.
IAM, cloud security top security investment areas
More than half of respondents (56%) reported a budget increase from 2022. Around 63% of CISOs operating in the technology domain saw security budgets increase, rising to 76% of CISOs in industrial, manufacturing, mobility, and energy domains. Most businesses with more than 50 cybersecurity employees now have an annual budget exceeding $10 million, according to the report. Budgets cuts were cited by just 19% of respondents, mostly observed in larger companies with over 100 cybersecurity employees, while 25% noted no change.
Budget expansions are widely anticipated in two categories. The first is IAM (46%), encompassing identity governance and administration (IGA), privileged access management (PAM), authentication, and machine identity management. Unmet needs in existing IGA tools/programs, triggered by the COVID-19 pandemic, and rapid adoption of remote working and accelerated adoption of cloud technologies, which requires both on-premises and cloud IAM products, are the primary drivers of expanded investment in IAM, according to the report.
The second is cloud security (46%), encompassing cloud native application platforms (CNAPP), cloud security posture management (CSPM), cloud workload protection platforms (CWPP), and cloud detection and response (CDR). The spike in cloud usage has increased the need for dedicated cloud security solutions to address new security complexities that were not needed with standard on-premises environments, respondents said.
In contrast, spending in the areas of risk assessment (16%), security services (11%), and infrastructure protection (10%) is likely to be significantly less common, the report found. Security information and event management (SIEM) was the product that CISOs are most keen to remove or replace, with the survey indicating that many CISOs consider traditional SIEM lacking in performance due to staffing, funding, and data stack constraints. Managed services and legacy scanning tools were also among the frequently mentioned products to remove or replace.
Third-party risk management, AI security, insider threats CISOs’ biggest problems
Respondents overwhelmingly cited third-party risk management (48%), AI security (48%), and insider threats (40%) as the most acute problems their organizations face, with existing solutions failing to meet needs in these areas, according to the report.
The increased integration of third-party infrastructure including software-as-a-service (SaaS), platform-as-a-service (PaaS), and logging-as-a-service (LaaS) products has heightened companies’ vulnerability to third-party risks, the report read. Meanwhile, the market for third-party risk management solutions remains fragmented, forcing CISOs to compromise when selecting their risk management products, it stated.
Some third-party risks, such as those associated with SaaS, are amplified by generative AI, which introduces new threats that are not currently understood, the report said. Attackers can abuse generative AI to identify vulnerabilities, while ensuring that agents/models perform as intended is another problem. Data used must be reliable, and there is a growing need for solutions that address threats such as data tampering or manipulation, the report read.
Regarding insider threats and human factors, CISOs continue to face potential threats introduced by workers that outweigh the benefits of speed and convenience over risk management, along with deliberate harm or sabotage. As a result, the number of organizations with formal insider risk management programs is expected to rise from 10% today to 50% by 2025, according to the report.