This year, CISOs face a complex set of priorities, from managing a constantly evolving threat landscape to implementing new technologies – like AI – securely, and from improving operational resiliency to understanding new security regulations. As CISOs try to protect their organizations’ most valuable assets and maintain business operations, supply chain disruptions and unpredictable global events add to the challenging environment.
Security leaders also report that they are aiming to harness the potential value of AI this year. For the first time, Generative and Traditional AI was listed as a priority in our annual Leadership Perspective Survey, and CISOs immediately ranked it in their top five priorities for 2024. CISOs are trying to strike a balance between managing the risks of AI while enabling the business. In Gartner’s Top Strategic Technology Trends for 2024: AI Trust, Risk and Security Management, they report that AI initiatives “require a robust set of control measures for successful and durable deployment.”
As leaders across the business, CISOs, like their C-suite peers, are focused on optimizing costs and improving efficiencies this year. Security leaders increasingly need to communicate the value of security measures and investments and improve their alignment with the business to maximize the impact of cybersecurity.
Here, we take a closer look at security leaders’ primary goals, challenges and investment areas, based on our annual Leadership Perspective Survey of 1,900 CISOs across Evanta communities.
Top Priorities for CISOs in their Security Function
This year, CISOs cited User Access, IAM and Zero Trust as the top priority for their function. For the past two years, Cloud Security, Strategy and Architecture held the top spot.
Cloud Security, Strategy and Architecture dropped only to the #2 spot, perhaps because many organizations have already heavily invested in their cloud journey. Measuring and Communicating Risk, along with Third-Party Risk Management, continue to be top focus areas for CISOs, consistently remaining in the top five priorities for the past three years.
For the first time, Generative and Traditional AI joined the top five, demonstrating the increased importance of securing organizational AI initiatives.
Below, we take a closer look at the top three priorities for CISOs, including their key opportunities and challenges in these areas.
Securing User Access & Improving Identity Access Management
For the past three years, user access has grown in importance to CISOs. While the issue has consistently been in the top five priorities, this focus area is taking the number one spot for the first time. One security leader shared that they are “facing a lot of challenges due to the landscape of applications and business scenarios,” and several executives pointed out that “legacy systems need to be addressed from an identity perspective.”
Another CISO commented about their journey to improving identity access management: “We want to consolidate and improve the user experience and authentication process, and we’re looking at multi-year strategies to do this.”
On their specific goals and challenges, the majority of security leaders cited mitigating risk as their primary objective. Their top challenge is legacy technology, but it is closely followed by technical debt and competing priorities.
Goals for User Access, IAM & Zero Trust
72% Mitigating risks
58% Improving processes and efficiencies
38% Improving employee experience
Challenges around User Access, IAM & Zero Trust
43% Legacy technology
42% Technical debt
42% Competing priorities
Following our survey, we conduct hundreds of follow-up conversations between our teams and CISOs to learn in depth about their priorities. Here is a sample of what CISOs are saying about managing user access:
We have done heavy investing in IAM for better efficiency. But we are challenged by how to efficiently manage the hierarchy and access rights.”
Identity is a big focus. The bad guys are getting better at bypassing MFA [Multi-Factor Authentication].”
There are challenges of implementing Zero Trust for user access – trying to balance the user experience and productivity, while strengthening security.”
CISOs primarily want to learn more about user access, IAM and Zero Trust from a strategic perspective (79%), followed closely by an execution point of view (77%).
Strengthening Cloud Security, Strategy & Architecture
Many organizations have been on a cloud journey, keeping cloud security, strategy and architecture at the forefront of CISOs’ priorities for three years. As one CISO said, “The cloud landscape is always changing and will continue to be a relevant topic for years to come.”
Another security executive shared that talent is an issue, commenting, “I’m curious about how people are handling cloud security posture management – the number of people who know how to do that are limited.” Last year, in a community pulse survey about talent, CISOs cited major concerns about recruiting skilled talent in the cybersecurity function.
In this year’s survey, CISOs cited these specific goals and challenges in continuing to implement and improve their cloud security, strategy and architecture. Primarily, their goal is to mitigate risks, and the lack of skilled talent is their main challenge.
Goals for Cloud Security, Strategy & Architecture
62% Mitigating risks
49% Improving processes & efficiencies
44% Improving resiliency
Challenges around Cloud Security, Strategy & Architecture
49% Lack of skills
37% Lack of resources
37% Competing priorities
Here is a sample of what CISOs are saying about cloud security and strategies this year:
Keeping the threats in control with the cloud. We are early on the cloud transformation journey… and need to improve our grip on the cloud environment.”
We have immature cloud governance, and there was a lack of a cloud owner… Our actions are to establish cloud governance frameworks, while defining standards.”
There is a need for robust security strategies. I’m interested in leveraging AI and automated tools to enhance cloud security and reduce resource overhead.”
CISOs would like to learn more about cloud security from a strategic perspective (84%), followed by an execution point of view (74%).
Improving Risk Measurement & Communication
Measuring and communicating risk is a consistent focus area for CISOs in Evanta communities. They face ongoing challenges in finding the right KPIs for risk management and in communicating complex security challenges to the board and other stakeholders. In our follow-up conversations, security leaders also mentioned concerns with their ability to “sell the value” of risk management, with one CISO asking, “How do you communicate risk in a money value to the business?” Another security executive shared that “a priority for me is to connect cyber risks to ROI.”
They consistently comment on communicating the right level of information about risk. One CISO noted, “I’m not interested in scare tactics, but am keen to get proper buy in.” This year, others noted that they are trying to ensure they communicate about compliance effectively.
CISOs’ primary goals in this area are to improve their metrics (60%) and mitigate risk (60%). Their main challenge is all of the competing priorities in the security function.
Goals for Measuring & Communicating Risk
60% Improving metrics & KPIs
60% Mitigating risks
51% Making data-driven decisions
Challenges around Measuring & Communicating Risk
43% Competing priorities
38% Lack of resources
35% Company culture
CISOs shared more on their challenges to achieving better risk measurement and communication, including the following:
There is often a struggle between enterprise risk and communication with the board. How do we aggregate risk and translate it into a story the board understands?”
We need to sell risk. We need to identify the right strategies to address the topic with the board.”
Super meaningful communication is key. Insights are key. [Stakeholders] are only interested in reports that result in actions.”
CISOs want to discuss and learn more about measuring and communicating risk primarily from a strategic perspective (74%).
CISOs’ Budgets & Top Investment Areas in 2024
Forty-eight percent of CISOs reported in the survey that their operating budgets remain the same this year as last year. Thirty-six percent say that their budget increased. Even with some lingering economic uncertainty, most security executives – 84% – have the same or more budget than last year.
In alignment with their operating budgets, CISOs say that their planned spending on technology and services will increase (38%) or remain the same (45%) this year. Only 17% expect their planned spending to decrease year over year.
CISOs’ planned areas of spending are closely aligned to their top priorities. Forty-four percent say they will invest in IAM/MFA/Zero Trust this year, and 37% cite Generative & Traditional AI as a top spending area. Relatively similar percentages (34%) of CISOs say they will invest in Governance, Risk & Compliance, Cloud Security/CASB and Data Loss Prevention.
As companies try to innovate, drive growth and remain competitive, CISOs are responsible for securing new tools and technologies. They are vocal in their survey comments this year about securing AI implementation, believing in some cases that executives are more focused on the opportunities of AI than the risks. However, they remain positive on the possibilities for AI applications in security, with one CISO commenting, “How can we treat AI as a security super power?”
If your organization offers solutions for CISOs to help with critical cybersecurity priorities like these, contact us to learn more about how you can connect with security leaders by sponsoring Evanta CISO events and communities.
Based on 1,900 CISOs’ responses to Evanta’s 2024 Leadership Perspective Survey.
by C-Level, for C-Level
Become a Sponsor.
