The buzz around investing in cybersecurity is giving way to talk of economic hurdles, and cybersecurity, viewed as a cost center, is closely watching the budget chopping block.
These upheavals in 2023 are expected to adversely affect the cybersecurity vendor landscape, driving a wave of consolidation. One CISO even equated some of the potential market movement to a fire sale.
Even when resources are limited, cybersecurity leaders are expected to adhere to regulations. The Office of the CISO is also paying close attention to what due diligence means following the conviction of Uber’s CISO last year.
Cybersecurity Dive asked researchers and analysts what they expect to see hit the cybersecurity business this year. Here’s how four experts answered:
(Answers edited for length and clarity)
Mauricio Sánchez, Research Director at Dell’Oro Group:
Consolidation of vendors and solutions will continue. Large suppliers with positive market momentum will become larger as they include the smaller fish in the market.
Security budgets will remain largely unaffected in 2023 as security is a council-level conversation and a budget priority. Besides not wanting to make headlines for a breach, the Uber CISO conviction sent shock waves about what due diligence means.
While security budgets remain unaffected, the way budgets are spent will continue to change. Organizations will focus less on traditional security infrastructure—say, firewalls—and more on SaaS-based security to enable hybrid operations and cloud applications.
Mary Galligan, head of Deloitte’s US Cyber Crisis Management:
As the cyber threat landscape continues to evolve and become more sophisticated, the role of the board of directors in cyber risk oversight becomes increasingly important.
As organizations prioritize customer trust alongside continued growth, the board can help position cyberspace as a strategic tool to foster stronger relationships between customers, suppliers, employees and shareholders.
Recognizing the value that a strong cybersecurity posture can directly have on financial impact allows boards to more effectively oversee cybersecurity risk management activities.
Recent SEC proposals’ emphasis on governance, risk management, strategy and timely investor notification should encourage leaders to consider evolving and shaping their current and future business models with cyber risk and the board at the center of these initiatives.
Rick Holland, CISO and VP of Strategy at Digital Shadows:
Economic headwinds will cause turbulence in the cybersecurity vendor landscape. Some providers will raise rounds while others will go out of business now that the free money era is over.
Security buyers should do their due diligence when considering a cybersecurity startup. Yesterday’s great new seller could be tomorrow’s fire sale.
The economy will also drive consolidation; there are over 4,000 cybersecurity vendors, and many of those that survive will become features on other vendors’ platforms.
Lucia Milica, Proofpoint’s global resident CISO:
In talking with my colleagues, I see the CISO role gaining even more prominence in the coming year. The number of successful cyberattacks and the widespread damage they have caused is reaching a boiling point with new regulatory scrutiny.
Proposed reporting requirements from the US Securities and Exchange Commission will force public companies to be much more transparent and strengthen their cyber defenses. All of this will fall on the CISO.
There will be new responsibilities along with guilt if a breach occurs, as evidenced by the recent guilty verdict of Uber’s former CISO. Our industry was already struggling to hire skilled professionals, so decisions like this present even greater challenges.
With CISOs now in the spotlight, the relationship with their boards must change. …
The growing pressure of potential personal liability will only increase the strain on the board-CISO relationship, with huge implications for organizational security. The main difference is that both parties do not speak the same business language.
CISOs must learn to tell the story of cybersecurity vulnerabilities and risks in a way that resonates with leadership. These conversations should be held regularly and in the language of business, not the technical jargon of security.