The hype surrounding cybersecurity investments is giving way to economic headwinds and discussions of cybersecurity, seen as a cost center, are being closely watched for budget cuts.
The turmoil in 2023 is expected to adversely affect the cybersecurity vendor landscape, triggering a wave of consolidation. One CISO even equated some potential market moves with a fire sale.
Even when resources are stretched, cybersecurity executives are expected to comply with regulations. On CISO desks, there’s also been a lot of focus on what due diligence means after Uber’s CISO was found guilty last year.
Cybersecurity Dive asked researchers and analysts what they expect to hit the cybersecurity business this year. Here are the responses from four experts:
(Response edited for length and clarity)
Mauricio Sanchez, Research Director, Dell’Oro Group:
Supplier and solution integration will continue.Large suppliers with positive market momentum can grow bigger if they gobble up smaller fish in the market
Security budgets will be largely unaffected through 2023 because security is a board-level conversation and has a budgetary priority. In addition to not wanting to grab headlines for a breach, the Uber CISO’s conviction sent shockwaves through what due diligence means.
Even if the security budget is unaffected, how the budget is spent will continue to change. Organizations will focus less on traditional security infrastructure, such as firewalls, and more on cloud-delivered, SaaS-based security to protect hybrid workloads and cloud applications.
Mary GalliganDeloitte US Cyber Crisis Management Leader
As the cyber threat landscape continues to evolve and become more complex, the board’s role in cyber risk oversight has become increasingly important.
If organizations prioritize customer trust while continuing to grow, boards can help position networking as a strategic enabler to build stronger relationships among customers, suppliers, employees, and shareholders.
Recognizing the value of the direct financial impact of a robust cybersecurity posture enables boards to more effectively oversee cybersecurity risk management activities.
Recent SEC Proposals Emphasis on governance, risk management, strategy and timely investor notification should encourage leaders to consider developing and shaping their current and future business models, placing cyber risk and the board at the center of these initiatives.
Rick Holland, Chief Information Security Officer and Vice President of Strategy, Digital Shadows:
Economic headwinds will drive turmoil in the cybersecurity vendor landscape. Some providers will raise capital, while others will fail when the era of free money is over.
Security buyers must do their due diligence when considering a cybersecurity startup. Yesterday’s cool new vendor could be tomorrow’s great sale.
The economy will also drive consolidation, with over 4,000 cybersecurity vendors today, many of which survive to become features of other vendors’ platforms.
Lucia Milica, point of proof global resident Chief Information Security Officer:
In talking to my peers, I see the CISO’s role becoming more prominent in the next year. With new regulatory scrutiny, the number of successful cyberattacks and the widespread damage they cause is reaching a boiling point.
The reporting requirements proposed by the SEC will force public companies to be more transparent and strengthen their cyber defenses. It will all fall to the CISO.
If a breach occurs, there will be new responsibilities and blame, as evidenced by the recent guilty verdict against the former Uber CISO. Our industry is already struggling to recruit qualified professionals, so decisions like this present an even greater challenge.
With the CISO now in the spotlight, the relationship with the board must change. …
The growing pressure of potential personal liability will only increase the relationship between the board and the CISO, with a huge impact on the security of the organization. The main disconnect is that the two sides don’t speak the same business language.
CISOs must learn to tell the story of cybersecurity vulnerabilities and risks in a way that resonates with leadership. These conversations must take place regularly in business language, not security technical jargon.