A new global survey by Salt Security has found that a digital-first economy has introduced unforeseen risks for nearly 90% of CISOs. The findings were revealed earlier this week in a new “State of the CISO 2023” report. Conducted by Global Surveyz for Salt, the global CISO survey gathered feedback from 300 CISOs/CSOs around the world on issues resulting from digital transformation and enterprise digitalisation. The results highlight significant CISO challenges including the biggest security control gaps they must manage, the most significant personal struggles they face, and the impact that broader global issues are having on their ability to deliver effective cybersecurity strategies.
APIs, which underpin a lot of digital innovation initiatives, stood out as a key focus area for CISOs. 77% of CISOs acknowledge APIs are already a higher priority today vs. two years ago. In addition, API adoption presented the second highest security control gap, after supply chain/third party vendors, resulting from organisations’ digital initiatives.
Roey Eliyahu, CEO and co-founder of Salt Security, adds: “The findings from this worldwide survey clearly show that CISOs face more pressures than ever before as a result of the acceleration of the digital economy over the past two years. APIs are the building blocks of every digital service and a significant amount of risk has shifted towards them. These findings reinforce that organisations must prioritise assessing their API security strategy to ensure they are solving today’s risk and not yesterday’s risk.”
Biggest CISO challenges in a digital-first economy
The 2023 report shows that the digital-first economy has brought new security challenges for CISOs. Interestingly, most of the challenges cited by CISOs represent nearly equal levels of concern, forcing CISOs to address multiple challenges at the same time.
CISOs cite the following top security challenges:
Lack of qualified cybersecurity talent to address new needs (40%)
Inadequate adoption of software (36%)
Complexity of distributed technology environments (35%)
Increased compliance and regulatory requirements (35%)
Difficulties justifying the cost of security investments (34%)
Getting stakeholder support for security initiatives (31%)
Supply chain and APIs top security control gaps
Two thirds of CISOs state that they have more new digital services to secure compared to 2021. In addition, 89% of CISOs state that the rapid introduction of digital services creates unforeseen security risks in protecting their companies’ vital data. API adoption and supply chain/third party vendors presented the two highest security control gaps in organisations’ digital initiatives.
CISOs rank security control gaps resulting from digital initiatives as follows:
Supply chain/third party vendors (38%)
API adoption (37%)
cloud adoption (35%)
Incomplete vulnerability management (34%)
Outdated software and hardware (33%)
Shadow IT (32%)
Earlier this year, Salt Security released their annual State of API report. The report found that there has been a 400% increase in attackers, perhaps why API security is front and centre in the minds of CISOs.
Anton Chuvakin, security advisor at Office of the CISO, Google Cloud says: “As organisations accelerate their digital transformation efforts, they naturally increase the use of APIs in many areas of business and AI. So it’s promising to see that their API security efforts are finally moving upward. Sometimes companies can be penny wise but pound foolish when it comes to security investments. But given the high cost of major personal data breaches, API security has to rise in prominence, and do so sharply, in the near future.”
Global trends impacting the CISO role
The vast majority of CISOs admit to feeling the impact of a number of global trends. More CISOs cited the speed of AI adoption as having significant impact, followed by macro-economic uncertainty, the geo/political climate, and layoffs. Specific CISO responses regarding the impact of global trends were:
Speed of AI adoption (94%)
Macro-economic uncertainty (92%)
Geo/political climate (91%)
Layoffs (89%)
Ed Amoroso, founder and CEO of TAG InfoSphere adds: “These findings underscore the new reality of the “AI era” of cyber. CISOs know that AI attacks are evolving and becoming increasingly sophisticated – and that they’re growing at an unprecedented rate. With security teams already at capacity defending a broad attack surface, the impact of escalating AI threats – as well as the necessity to implement an AI offence –clearly weighs heavily on today’s CISOs.”
Threat of litigation and increased liability top CISOs’ personal concerns
The digital-first economy has also impacted CISOs on a personal level. Among the personal challenges reported were:
Concerns over personal litigation stemming from breaches (48%)
Increased personal risk/liability (45%)
Expanded responsibilities and not enough time to fulfil (43%)
Increased job-related stress (38%)
Bigger teams to manage (37%)
Nearly 50% of CISOs cite litigation concerns. With several high-profile CISO lawsuits making waves recently, CISOs are fearful of being found personally liable in the event of a breach, putting their livelihood at risk.
CISOs say their boards of directors are knowledgeable about cyber risks and mitigation
Finally, on a positive note, 96% of CISOs worldwide report that their boards of directors are knowledgeable or very knowledgeable about cybersecurity issues. In addition, the survey showed that 26% of CISOs present to the board on cyber risks mitigation and business exposure once a quarter or more, and 57% present to the board at least once every six months.