An Overview of Current CISO Challenges and Buying Trends

Gauging the pulse of what other CISOs and relevant decision-makers believe are their main pain points, priorities, budgets and motivations is an underrated way to improve your own company’s cybersecurity posture. This blog post takes a high-level look at some key findings from Nuspire’s second annual CISO Research Report on Challenges and Buying Trends, which surveyed 200 CISOs and IT decision-makers. 

Key CISO Challenges 2023

Rapidly Changing Security Risks

A crucial finding from the report was the ongoing challenge of trying to stay current with the prevailing cybersecurity risks. As threat actors evolve their methods, tactics and targets, companies have to adapt to what’s happening today, not last year or two years ago. This is not an easy task because it can take time to tweak processes, implement new tools and refine strategies for cyber defense.

A look at the perceived areas of cybersecurity vulnerability and how they differ from our 2022 report tells its own story about the swiftly changing cyber risk landscape. In respondents’ perception of which digital elements are most susceptible to attack, email and collaboration tools as well as software apps jumped significantly from last year’s survey (up 5 and 7 percentage points respectively).

Collaboration tools play an important role in today’s hybrid workforces, but high-profile Slack channel breaches of video game developers EA and Rockstar demonstrate the risks. When it comes to software apps, the increased use of unsanctioned SaaS apps alongside growing inventories of open-source and third-party code makes vulnerabilities more likely to go undetected and get exploited.

Attracting and Retaining Cybersecurity Professionals

The perennial struggle to attract and retain talented cybersecurity professionals shows no sign of easing. Keeping up with the latest threats is not just a matter of tools; companies need skilled security personnel to help defend their IT environments. Our survey found no change versus 2022 in the percentage of respondents (60 percent) who find it difficult to attract and retain skilled cybersecurity professionals.

Of course, outsourcing remains an attractive option to mitigate the impact of the cybersecurity skills shortage. As for the must-have security services to augment in-house capabilities, EDR/MDR at 34%, cloud access security broker (CASB) at 36% and security information and event management (SIEM) at 35% rank highly among CISOs and decision-makers.

Implementing Effective End-User Education

Perhaps reflecting the perceived risks from email and collaboration tools, effectively educating end-user employees remains a primary cybersecurity challenge. Too often, training programs get treated as a box to tick for internal compliance or an annoying exercise to complete rather than providing actionable and engaging materials that prime employees to better defend against attacks and prevent errors.

In ranking the main reasons for IT vulnerabilities, survey respondents viewed human error and lack of employee training as the number one reason (although the figure dropped 9 percentage points versus 2022’s Nuspire CISO survey). Here are four tips that could help improve the effectiveness of end-user education:

  • Make It Relevant: Use real-world examples that are relevant to your industry and the specific roles of your employees. This will make their training more engaging and memorable.
  • Provide Regular Training: Cybersecurity threats are constantly evolving, so training should be ongoing and not just a one-time event. It should be updated regularly to address the latest threats.
  • Simulate Phishing Attacks: Regularly test employees with simulated phishing emails to help them recognize and avoid real attacks. Provide feedback and additional training to those who fall for the simulated attacks.
  • Provide Resources: Make sure employees have access to resources where they can learn more about cybersecurity, ask questions and report potential threats. This relates to building a company culture of cybersecurity.

CISO Buying Trend Insights

Aside from CISO challenges, our survey also delved into cybersecurity buying trends.

Is Cybersecurity Spending Recession-Resistant?

With even tech giants like Amazon and Google laying employees off, the 2023 recession forecasted by 58 percent of economists appears to be in motion, although it’s now thought that the contraction will begin later in the year than initially expected.

Formerly, cybersecurity may have been one of the main candidates for budget reductions in times of recession. But a more menacing cyber threat landscape comes with new business priorities: 58 percent of respondents reported an increase in cybersecurity budgets. Interestingly, of those 58 percent, a further 42 percent reported that they’ll likely get a further budget increase.

Alongside increased threats, regulatory forces ensure that it’s too risky to cut back on cybersecurity, which bolsters this area’s resilience against recession more than ever.

Maximizing Value of Existing Investments

Another interesting buying trend revealed by the survey responses was the desire to maximize the value of existing investments through overall upgrades and enhancements. This finding (from 30 percent of respondents) signals the growing concern about security tool sprawl. Companies often end up with a mish-mash of tools that are unnecessary and ultimately hamper efforts to defend against threats.

A desire to streamline and simplify makes sense. A focus on maximizing existing value does not mean that new tech and services will be ignored or abandoned, but it appears CISOs and ITDMs will get more selective and more thoroughly vet the new tools and services they procure.

Going More In-Depth into CISO Challenges

This article presented just a sample of the useful findings and data contained in the Second Annual CISO Research Report on Challenges and Buying Trends. To go more in-depth with facts, trends and figures, download the full report.
