The State of the CISO 2023: Navigating Security Challenges Resulting from Today’s Digital-first Economy
Salt is thrilled to share the findings from the just-released “State of the CISO 2023” report! We wanted to hear directly from CISOs/CSOs around the world about how digital transformation is impacting their role and understand the biggest challenges – both personal and professional – they’re contending with as a result. Salt undertook this project with independent research firm Global Surveyz, which oversaw a survey of 300 CISOs/CSOs globally, including in the US, UK, France, the Netherlands, and Brazil.
Digitalization is the lifeblood of business today, enabling the innovation that unleashes new modern online and mobile services. It has spurred new business opportunities, fostered creative partnerships, and delivered new customer conveniences across multiple industries – from mobile banking to digital payment systems to online healthcare to thousands of apps that affect our lives every day. These new services have changed how we shop, entertain ourselves, move through the world, consume our favorite foods, and interact with friends and colleagues.
But all this innovation also comes at a cost – and CISOs are on the front lines of dealing with that cost. We wanted to hear first hand how this rapid innovation is impacting them. No CISO ever wants to stand in the way of or slow down new business initiatives, but CISOs also understand companies cannot sacrifice security for speed. Without ensuring the safety of an organization’s and its customers’ critical data, companies put both brand reputation and digitalization investments at risk.
Learn how the rollout of digital services has impacted CISOs – and their organizations – around the globe.
So what did we learn from these CISOs?
- Nearly 90% of CISOs worldwide say that the rapid adoption of digitalization has created unforeseen security risks
- 66% of CISOs are rolling out more digital initiatives compared with two years ago
- 95% say their organizations are making API security a planned priority over the next two years
- 94% say the speed of AI adoption is the macro dynamic having the greatest impact on their role, followed closely by macro-economic uncertainty and geo/political climate
- CISOs worldwide cite personal litigation resulting from security breaches as their top personal challenge due to digital initiatives
As Julie Chickillo, VP, head of cybersecurity at Guild Education, explains:
“Objective data like these bring more awareness to the problem set and help us craft ways to work together to create a stronger and safer cybersecurity culture. Security requirements have grown exponentially with digitalization, and we’re moving faster than ever with those digital projects.”
The executive team, the board of directors, and security must work hand-in-hand to understand the biggest cybersecurity threats and to address these problems.
Here are additional insights on some of the key findings:
The digital-first economy has brought numerous new security challenges for CISOs
- Lack of qualified cybersecurity talent to address new needs (40%)
- Inadequate adoption of software (36%)
- Complexity of distributed technology environments (35%)
- Increased compliance and regulatory requirements (35%)
- Difficulties justifying the cost of security investments (34%)
- Getting stakeholder support for security initiatives (31%)
Notably, all rank similarly high as top challenges CISOs are facing. So CISOs are in the unfortunate situation of addressing several problems at the same time – putting extra strain on their resources and budget, not to mention their own stress levels.
Supply chain and APIs top the list of security control gaps resulting from digitalization
Because APIs are embedded throughout all digitalized services, they contribute to multiple security control gaps. APIs are used in supply chain/third-party vendor integrations as well as in cloud applications, and they represent a key vulnerability risk.
APIs definitely stood out as a key focus area for the CISOs surveyed. 77% of CISOs acknowledge APIs are already a higher priority today vs. two years ago, and 95% say that their organizations have made API security a planned priority over the next two years.
Anton Chuvakin, security advisor at Office of the CISO, Google Cloud, explains that this attention is long overdue:
“As organizations accelerate their digital transformation efforts, they naturally increase the use of APIs in many areas of business and AI. So it's promising to see that their API security efforts are finally moving upward. Sometimes companies can be penny wise but pound foolish when it comes to security investments. But given the high cost of major personal data breaches, API security has to rise in prominence, and do so sharply, in the near future.”
New personal burdens stemming from digitalization also weigh heavily on CISOs
Concerns over personal litigation stemming from breaches for CISOs worldwide topped the list of personal challenges from digital initiatives. With several high-profile CISO lawsuits making waves recently, the trend of security leaders opting for roles below CISO level, or requesting indemnification, is growing – they are fearful of being found personally liable in the event of a breach, which could put their own livelihood at risk.
As Mike Towers, Chief Digital Trust Officer at Takeda Pharmaceuticals International, comments:
“In addition to upending many traditional security approaches, the digital-first economy has impacted a lot of us CISOs on a very personal level. The fact that my peers highlighted ‘concerns over personal litigation stemming from breaches’ as their top personal concern should be alarming to everyone in the industry. Qualified leaders may decide not to pursue the role if organizations don’t have the right cyber tools or processes, or if they consider the personal risk too high.”
Speed of AI adoption is the global trend having the greatest impact on the CISO
CISOs on average worldwide say speed of AI adoption is the global trend having the most impact on their role, topping even the challenges presented by today’s macro-economic uncertainty and the current geo/political climate.
CISOs understand that AI serves as both a defensive and offensive tool in the cyber arena. Cyber criminals are already tapping into AI for its ability to instrument and accelerate new ways to attack organizations. With widely available generative AI technologies, such as ChatGPT, for example, bad actors can generate and scale their malicious attacks faster. But AI is also an essential tool for cyber defense. No security team can analyze the large volumes of data to pinpoint and stop attacks without leveraging AI.
Ed Amoroso, founder and CEO of TAG InfoSphere, adds:
“These findings underscore the new reality of the ‘AI era’ of cyber. CISOs know that AI attacks are evolving and becoming increasingly sophisticated – and that they’re growing at an unprecedented rate. With security teams already at capacity defending a broad attack surface, the impact of escalating AI threats – as well as the necessity to implement an AI offense – clearly weighs heavily on today’s CISOs.”
The bottom line – CISOs can’t do it alone
The survey findings clearly show that CISOs feel more pain points and face more challenges due to modern digital services. With new obstacles and threats to overcome, CISOs can’t do it alone. The business ramifications warrant that these serious security risks become a top priority across the executive suite – not just within the security team. In addition, business leaders must take steps to reassure CISOs with regard to their own personal liability. By equipping their teams with security solutions that provide a comprehensive view into critical correlated security gaps, organizations can help lower that risk and alleviate CISO concerns.
We invite you to download the full report to learn more about these findings. If you want to learn more about how the Salt Security API Protection Platform can bring visibility to growing API security threats, contact us for more information.