CISO Investment Priorities for Cybersecurity 2023

Examines key CISO investment priorities for 2023. CISOs and CIOs view cybersecurity as a significantly higher priority than two years ago and are investing in multiple areas to meet escalating regulatory demands, protect new digital channels, and counteract ongoing cyber incidents. Improving protections for cloud services and platforms is the top-rated priority (attacks against cloud services were the most-seen incident type during the past year), followed by protections against ransomware attacks. CISOs and CIOs see a range of issues within apps, cloud platforms, data, and on-premises infrastructure requiring ongoing and higher investment in 2023. They are budgeting accordingly.

The data presented in this white paper is from a survey of CISO and CIO respondents at 284 organizations in the United States with more than 1,000 employees.

KEY TAKEAWAYS

• Regulation, digital channels, and economics driving cybersecurity
  The top trends and challenges driving how organizations approach cybersecurity in 2023 are escalating regulatory demands for cybersecurity and data privacy; growing use of digital channels for engagement with customers, employees, and partners; and the declining economic outlook. CISOs attribute greater impact to all trends and challenges than the CIO (with one exception).
• Top priorities are cloud security, ransomware protections, and data
  Cloud security and ransomware protections are the top two investment priorities in 2023 out of more than 20 areas. For the investment priority to be high, the most common pre-conditions are high concern that the current security protections are insufficient along with the requirement for a significant financial outlay to bring the area up to the internal standard of the organization.
• Better risk management leads to higher security prioritization and budget
  Organizations with a greater ability to manage the business risks associated with apps, cloud platforms, data, and on-premises infrastructure assigned higher security prioritization to the key issues associated with each area, as well as a higher budget, compared to organizations with lower risk management efficacy.
• Budgets have increased 11% since last year and are expected to increase further
  The average budget increase from 2022 to 2023 is 11%, with a further average increase of 19% forecast for the 2023 to 2024 budget cycle. However, CISO and CIO respondents believe they could put an average of twice as much budget to productive and effective use in 2023. Some CISOs and CIOs say they could put three to five times as much budget to productive use in 2023.
• How the board views cybersecurity has significant flow-on effects
  Boards that view cybersecurity as a business risk show greater proclivity toward proactive investment, concern with technical risks, and approval of funding. Among these boards, fewer take a reactive approach to cybersecurity threats. If the board only pays attention to cybersecurity threats after a breach or incident, cybersecurity is viewed as a technical risk and budget is approved only grudgingly.

This white paper has been prepared by Osterman Research