Blog

Study Reveals CISOs’ Top Cybersecurity Concerns and Purchasing Priorities

Nuspire recently announced findings from its annual research study revealing CISO challenges, priorities and key trends, as well as the drivers behind their purchasing decisions. Nuspire leadership, including Michelle Bank, CMO and CPO, and J.R. Cunningham, CSO, hosted a webinar to review the data in detail and explain its implications. Read on to get the highlights.

The purpose of the study

“There are a lot of reports out there about buying trends and concerns, but you don’t necessarily see them together,” said Michelle. “In this report, we wanted to not only learn about CISOs’ biggest concerns, but also how those correlate to their buying decisions. What we’ve learned is that just because a CISO is concerned about an issue doesn’t necessarily mean they’re going to outsource solutions to address it.”

Michelle added that the goal was to focus specifically on mid-market, as this space comprises a lot of Nuspire clients and often doesn’t get the research attention garnered by large enterprise or SMB. In addition, the report will be annual, allowing Nuspire to identify trends and market shifts over time.

Where are CISOs spending their time?

One of the first areas Nuspire wanted to explore was how CISOs and IT decision makers are spending their time. Not surprisingly, most are focused on business, IT and security program strategy, at 46%. Other top areas include managing the security technology stack and threat research, awareness and hunting.

“If you go back in time and look at security strategies, they stayed relatively constant,” said J.R. “However, this data shows something we’re seeing more and more – CISOs are making changes more rapidly to stay on top of our ever-evolving threat landscape.”

CISO confidence in security strategy

Most of the respondents indicated confidence in their current cybersecurity programs and overall strategy, however they acknowledge the challenge of attracting and retaining qualified professionals, and that they’re still vulnerable to attack. Two-thirds said they’re vulnerable, with cloud applications, end users and endpoints at the top of the list in terms of worrisome attack vectors. Just 2% said they were not at all vulnerable to attack.

“I really want to meet that 2% who feel they’re not vulnerable,” said J.R. “The truth is, we should all be worried about potential vulnerabilities and attacks, regardless of how secure we think we are.”

CISO’s biggest cybersecurity challenges

There’s no question that with the accelerated shift to remote work, many organizations say their biggest challenge is securing this expanded attack surface. Additional challenges include the rate of change and being able to adapt to new threats, as well as endpoint security and making sure employees know their role in keeping the organization safe from attack.

“When COVID hit, we quickly swung our focus to protecting the home environment, and we knew we’d have some cleanup to do to mitigate any risks associated with making a big change in such a short period of time,” said J.R. “What’s interesting now is CISOs not only have to pay attention to the people at home, but also those who have returned to the office full time or are working a hybrid model – it’s a huge paradigm shift.”

CISOs’ top driver of system vulnerabilities

One of the clear messages from the research data is that CISOs have a lot of concerns when it comes to internal training. In fact, 50% said human error/lack of internal employee training was the main reason for IT system vulnerabilities.

“The truth is, this is still a human profession,” said J.R. “Sometimes we get caught up in the idea that cybersecurity is all about the technology, when in reality, some of the biggest worries CISOs have deal with the people aspect.”

Addressing CISO concerns vs. what they’re willing to purchase

Part of Nuspire’s analysis dealt with what’s called a Duo MaxDiff methodology. Duo MaxDiff allows for a deeper understanding of where a respondent is coming from by asking them to make a choice between two dimensions of interest versus one. The benefit is that it forces respondents to pick what’s truly most important to them (versus a common response of, “it’s all important”).

Top concerns

Top concerns for CISOs include (ranked by importance):

  1. Overall security program improvements (staying current with threats and updates based on industry and threat intelligence)
  2. Monitoring, detecting and responding to threats 24/7
  3. Vulnerability/posture assessments
  4. Cloud migration
  5. Technology optimization and integrations to ensure best use of technology
  6. Skills gap
  7. Compliance management
  8. Security metrics and reporting
  9. Incident response
  10. Employee education and awareness training

Top outsourced services

However, when it comes to what CISOs will outsource, the list is a bit different:

  1. Overall security program improvements (staying current with threats and updates based on industry and threat intelligence)
  2. Monitoring, detecting and responding to threats 24/7
  3. Technology optimization and integrations to ensure best use of technology
  4. Cybersecurity insurance
  5. Cloud migration
  6. Threat hunting (proactive or on demand)
  7. Digital transformation/AI/ML
  8. Security metrics and reporting
  9. Employee education and awareness training
  10. Vulnerability/posture assessments

“What these two lists show is that simply because a CISO is concerned about something doesn’t necessarily mean they’ll outsource it,” said Michelle. “We saw concerns about employee education and awareness crop up throughout the study, but when asked to choose where they want to get outside support, CISOs wanted to put their dollars elsewhere.”

J.R. added, “What I’m seeing from a consulting perspective is that a lot of CISOs want to do what they consider the ‘cool stuff.’ The problem is, they soon realize how hard it is to get the resources they need to build up those areas of the security team – especially if you consider the 24x7x365 nature of today’s cybersecurity environment. And that’s why they’re willing to outsource.”

Get more details on Nuspire’s annual study

To learn more about the research report, which surveyed over 200 U.S.-based CISO and IT decision makers from large to mid-size enterprise organizations, you can view the webinar here.

You can also download a copy of the slides here.

Have you registered for our next event?