How CISOs Are Spending Their New Budgets
By Andy Ellis
In 2023, the future looked bleak for cybersecurity companies.
Overall, the golden age of chief information security officers making more money with each job appeared to be over. One-third of CISOs reported that their budgets had fallen, and another fifth had frozen their budgets, meaning only committed funds would be spent.
This is typically troubling news for cybersecurity companies. While some vendors can close deals and replace existing solutions with lower costs and better features, in a tight market few CISOs can try new things while busy staying above the security poverty line.
Image source: CISO Circuit 9, August 2023, YL Ventures.
One year later, it looks like the trend is starting to reverse. While one-quarter of CISOs still report budget reductions, two-fifths are now seeing budget increases. While this isn’t a complete transformation, it shows that CISOs can be nimble to address new (and long-standing) challenges.
Image source: CISO Circuit 10, July 2024, YL Ventures.
So what are they doing?
My company, YL Ventures, contacted 218 CISOs or equivalents (actually, we asked nearly 250 CISOs or equivalents, but dozens either didn’t want to answer the question or unfortunately didn’t have any ongoing strategic projects). We didn’t provide them with a long list; these are the most important items that these security buyers are telling us about.
Image source: YL Ventures internal information.
Identity is recognized as first: While user identity is a core project, 6% of respondents are now working on non-human identity (NHI) management (sometimes called machine identity). The use of NHI has exploded as companies increasingly build enterprise and product ecosystems in cloud and SaaS environments. CyberArk Software points out that non-human identities now outnumber human identities 45 to 1. The core components of modern enterprises.
Generative AI is attracting a lot of trendy attention: Generative AI suddenly appeared on the scene with the release of many GPT companions (ChatGPT, Copilot, Gemini, Grok and others), and CISOs are working to gain some control over the risks here. Some of these projects are closer to SaaS security (and have certainly taken some traction from the non-generative AI SaaS security market), but others are focused on LLM security.
Data shows DLP is back: Almost half of all data security projects involve data loss prevention (DLP). This perennial market appears to be booming with the possibilities that artificial intelligence brings to the classification side of the problem. While data security posture management appears to be declining as a separate category, secrets management, data storage, and tokenization are all now emerging as projects in our conversations.
The entire software supply chain requires healthy security applications: Where in the past the application security conversation was dominated by point solutions (SAST, DAST, WAF, pen testing), CISOs are now looking more holistically at application security posture management projects, particularly those that impact their software supply chains, and research is underway on application detection and response in a live runtime environment.
CISOs have a lot of problems to solve. While they may seek some product integration within a given ecosystem, the proliferation of enterprises in the cloud, SaaS, app and identity ecosystems will keep CISOs busy for a long time to come and provide a strong foundation for cybersecurity. Suppliers offer numerous opportunities for innovation.
Andy Ellis is an experienced technology and business executive with deep expertise in cybersecurity, managing risk, and leading an inclusive culture. He is the author of 1% Leadership and the YL Venture Capital and advisor to cybersecurity startups.
Illustration: Dom Guzman
2024-12-05 12:00:46