Salt Security identifies biggest security control gaps and priorities - report
Salt Security, the API security company, has released key findings of the new State of the CISO 2023 report. Conducted by Global Surveyz for Salt, the global CISO survey gathered feedback from 300 CISOs/CSOs around the world on issues resulting from digital transformation and enterprise digitalisation.
The results highlight significant CISO challenges including the biggest security control gaps they must manage, the most significant personal struggles they face, and the impact that broader global issues are having on their ability to deliver effective cybersecurity strategies.
Today's digital-first economy has transformed the role of the modern CISO, increasing threats and changing security priorities, the report finds.
Key findings include:
- 89% of CISOs report that the rapid deployment of digital services has generated unforeseen risks to securing critical business data
- Digital initiatives have produced new individual concerns, the top being the risk of personal liability and litigation resulting from security breaches, with 48% of CISOs citing that challenge
- 94% of CISOs worldwide say the speed of AI adoption is the macro dynamic having the greatest impact on their role
- 95% of CISOs plan to prioritise API security over the next two years, a 12% increase compared with that priority two years ago
As the glue connecting all of today's digital transformation initiatives, APIs stood out as a key focus area for CISOs. 77% of CISOs acknowledge APIs are already a higher priority today versus two years ago. In addition, API adoption presented the second highest security control gap, after supply chain/third party vendors, resulting from organisations digital initiatives.
Roey Eliyahu, CEO and co-founder of Salt Security, says, "The findings from this worldwide survey clearly show that CISOs face more pressures than ever before as a result of the acceleration of the digital economy over the past two years.
"APIs are the building blocks of every digital service and a significant amount of risk has shifted towards them. These findings reinforce that organisations must prioritise assessing their API security strategy to ensure they are solving today's risk and not yesterday's risk."
Biggest CISO challenges in a digital-first economy
The 2023 report shows that the digital-first economy has brought new security challenges for CISOs. Interestingly, most of the challenges cited by CISOs represent nearly equal levels of concern, forcing CISOs to address multiple challenges at the same time.
CISOs cite the following top security challenges:
- Lack of qualified cybersecurity talent to address new needs (40%)
- Inadequate adoption of software (36%)
- Complexity of distributed technology environments (35%)
- Increased compliance and regulatory requirements (35%)
- Difficulties justifying the cost of security investments (34%)
- Getting stakeholder support for security initiatives (31%)
Also notable, while most CISOs (44%) report security budgets are about 25% higher than two years ago, nearly 30% identify lack of budget to address new security challenges from digital transformation as a key challenge, and 34% of CISOs cite difficulty justifying the cost of security investments as a challenge, the report finds.
Examining the responses more closely, 82% of CISOs say the security budget is higher than two years ago, while 87% say company revenue is higher. This disparity indicates that CISO spending power, as a percentage of revenue, has decreased in the last two years.
Supply chain and APIs top security control gaps
Two thirds of CISOs state that they have more new digital services to secure compared to 2021. In addition, 89% of CISOs state that the rapid introduction of digital services creates unforeseen security risks in protecting their companies vital data. API adoption and supply chain/third party vendors presented the two highest security control gaps in organisations digital initiatives.
CISOs rank security control gaps resulting from digital initiatives as follows:
- Supply chain/third party vendors (38%)
- API adoption (37%)
- Cloud adoption (35%)
- Incomplete vulnerability management (34%)
- Outdated software and hardware (33%)
- Shadow IT (32%)
Because APIs are embedded throughout all of todays modern digital applications, including integrated third-party services and cloud applications, the above findings underscore the particular importance of API security to close the above cited security control gaps. In addition, most organisations lack a complete inventory of their APIs, making APIs another component of shadow IT.
Global trends impacting the CISO role speed of AI adoption ranks number one
The vast majority of CISOs admit to feeling the impact of a number of global trends. More CISOs cited the speed of AI adoption as having significant impact, followed by macro-economic uncertainty, the geo/political climate, and layoffs. Specific CISO responses regarding the impact of global trends were:
- Speed of AI adoption (94%)
- Macro-economic uncertainty (92%)
- Geo/political climate (91%)
- Layoffs (89%)
Threat of litigation and increased liability top CISOs personal concerns
The digital-first economy has also impacted CISOs on a personal level. Among the personal challenges reported were:
- Concerns over personal litigation stemming from breaches (48%)
- Increased personal risk/liability (45%)
- Expanded responsibilities and not enough time to fulfil (43%)
- Increased job-related stress (38%)
- Bigger teams to manage (37%)
Nearly 50% of CISOs cite litigation concerns. With several high-profile CISO lawsuits making waves recently, CISOs are fearful of being found personally liable in the event of a breach, putting their livelihood at risk.
CISOs say their boards of directors are knowledgeable about cyber risks and mitigation
On a positive note, 96% of CISOs worldwide report that their boards of directors are knowledgeable or very knowledgeable about cybersecurity issues, the report finds. In addition, the survey showed that 26% of CISOs present to the board on cyber risks mitigation and business exposure once a quarter or more, and 57% present to the board at least once every six months.