Hype around investing in cybersecurity is giving way to talk of economic headwinds and cybersecurity, seen as a cost center, is closely watching the budget chopping block.
This turmoil in 2023 is expected to adversely affect the cybersecurity vendor landscape, spurring a spree of consolidation. One CISO even equated some of the potential market movement to a fire sale.
Even when resources are tight, cybersecurity executives are expected to fall in line with regulation. From the CISO’s desk, there is also a lot of attention on what due diligence means following the guilty verdict of Uber’s CISO last year.
Cybersecurity Dive asked researchers and analysts what they expected to see hit the business of cybersecurity this year. Below is how four experts responded:
(Responses have been edited for length and clarity)
Mauricio Sanchez, research director at Dell’Oro Group:
Vendor and solution consolidation will continue. Large vendors with positive market momentum will get bigger as they subsume the smaller fish in the market
Security budgets will remain largely unaffected in 2023 because security is a board-level conversation and has budget priority. Besides not wanting to make headlines due to a breach, the conviction of Uber CISO sent shockwaves on what due diligence means.
Even as security budgets remain unaffected, how budgets are spent will continue to change. Organizations will focus less on traditional security infrastructure — say firewalls — and more on cloud-delivered, SaaS-based security for securing hybrid work and cloud applications.
Mary Galligan, Deloitte’s U.S. cyber crisis management leader
As the cyber threat landscape continues to evolve and grow more sophisticated, the role board of directors play in cyber risk oversight is becoming increasingly important.
As organizations prioritize customer trust alongside continued growth, the board can help position cyber as a strategic enabler to foster stronger relationships across customers, vendors, employees, and shareholders.
Recognizing the value a robust cybersecurity posture can directly have on financial impact allows boards to more effectively oversee cybersecurity risk management activities.
Recent SEC proposals emphasizing governance, risk management, strategy and timely notification to investors should encourage leaders to consider evolving and shaping their current and future business models with cyber risk and the board at the center of these initiatives.
Rick Holland, CISO and VP of strategy at Digital Shadows:
The economic headwinds will drive turbulence in the cybersecurity vendor landscape. Some vendors will raise down rounds, while others will go out of business now that the era of free money is over.
Security buyers must conduct due diligence when considering cybersecurity startups. Yesterday's cool new vendor could be tomorrow's fire sale.
The economy will also drive consolidation, there are over 4,000 cybersecurity vendors out there, and many of those that do survive will become features in other vendor's platforms.
Lucia Milică, Proofpoint’s global resident CISO:
In speaking with my peers, I see the role of the CISO gaining even more prominence next year. The number of successful cyberattacks and widespread damage they have wrought is reaching a boiling point with new regulatory scrutiny.
Proposed reporting requirements from the U.S. Securities and Exchange Commission will force public companies to be much more transparent and strengthen their cyber defenses. All this will fall on the CISO.
There will be new responsibilities along with blame should a breach occur, as evidenced by the recent guilty verdict for the former Uber CISO. Our industry was already struggling to recruit qualified professionals so decisions like that present even greater challenges.
With the CISO now in the spotlight, the relationship with their boards must change. ...
The mounting pressures of potential personal liability will only increase the strain in the board-CISO relationship, with huge implications for an organization’s security. The main disconnect is that both parties don’t speak the same business language.
CISOs must learn to tell the story of cybersecurity vulnerabilities and risks in a way that resonates with leadership. These conversations must take place regularly and in the language of business, rather than the tech jargon of security.