Here’s What CISOs are Building (Because No One’s Making Software for Them to Buy)
Scale conducts an annual survey of enterprise CISOs and senior security executives, covering topics from threats to budgets to strategy. We recently released this year’s report: Cybersecurity Perspectives 2021. The report is valuable reading for anyone in the cybersecurity space, and especially for founders (or future founders!) seeking white space market opportunities. The following breaks down the data, the larger trends, and the opportunities that CISOs themselves are talking about.
How Enterprises Responded to SolarWinds and COVID
The majority of enterprise security leaders (63%) responded to the events of 2020 — a year bookended by the pandemic and the SolarWinds cyberattack — by increasing budgets to fortify their organizations against security threats, with 45% of those nearly doubling spend.
Headcount also expanded, growing by 40% last year alone. This data underscores a central theme in the report: Security departments have more resources and visibility inside their organizations than ever before. But those resources are stretched very thin.
Therein lies the opportunity for new startups with targeted solutions.
Build Versus Build: Where CISOs Are Investing
Security’s growing influence and buying power coincide with data showing that enterprises need to build security tools in several areas: 51% built in-house tools in the past year because they couldn’t find what they needed in the market.
Topping the list of homegrown solutions were:
- Network security (35%)
- Operation technology (28%)
- Data privacy (25%)
- Security automation technology (23%)
To put that in context, 100+ enterprises decided they needed to build custom network security solutions because they weren’t satisfied with what was available in the market (if anything was available at all). This runs counter to the conventional wisdom that all the basic problems in cybersecurity have been solved; in fact, opportunities remain in many fundamental areas.
Another peek inside enterprises comes from the data on investment priorities. In the years that Scale has been running this survey, cloud infrastructure security, cloud application security, and network security have been mainstays atop the list of enterprise spending. Here’s a look back at the past 4 years:
The rush to remote work accelerated cloud adoption and exposed new vulnerabilities to unsecured home networks and cloud services. Those areas are likely to remain enterprise priorities moving forward. The investment trends around data privacy and security technology automation, however, tell a more interesting story of opportunities on the horizon.
Don’t Forget Data Privacy
One surprise from the report was that data privacy experienced the largest year-over-year rise on the list of investment priorities, jumping from 5th in 2020 to 2nd in 2021. Even though regulations like GDPR and CCPA have been in place for a few years, enforcement has lagged, giving the industry time to better understand compliance requirements and the solutions available in the market.
But clearly there’s a lot of work still to be done. In fact, the number of enterprise privacy technology solutions climbed from 204 in 2020 to 365 this year. With regulators, governments, and consumers watching how companies collect, use, and protect sensitive data, data privacy has been elevated from a security risk to an opportunity to create a competitive edge from security and reliability.
Who’s buying privacy solutions? The survey showed that security executives who report to their CEO are more focused on high-level issues like data privacy, network security, and regulatory compliance. When asked who was ultimately accountable for security, 21% said the CEO, followed by other C-level executives, including the CISO (16%), CIO (15%) and the CTO (11%).
The key insight from this data is this: knowing who your buyer reports to can tell you a lot about how that organization prioritizes different areas of security.
Security Automation Solutions Are Needed Yesterday
Enterprise CISOs are desperate for a more scalable approach to enterprise security management.
For some time now, security leaders have responded to threats by expanding their arsenal of security point solutions and then adding headcount to manage the endless alerts those solutions generate. There are signs that things are changing.
3.5 million unfilled cybersecurity jobs means that security leaders can’t keep growing their teams at past rates, yet they also can’t abandon many (or any) of their security tools. Security automation technology might be the answer, and we saw it move up the list of investment priorities from 8th in 2018 to 6th in 2021. We think this trend is likely to continue, as tool sprawl and the tight hiring environment mean enterprises will happily open their checkbooks to buy security automation in practically any form.
Originally published June 8, 2021.