No two CISO roles are quite the same, but one thing they all have in common is the fact that a CISO needs to juggle many unique security disciplines. This can make prioritization difficult. Sure, there are the priorities that always make the list, like reducing the risk of breaches. However, each year, new topics come up more and more, competing for time in a CISO’s ever-growing to-do list.
Bugcrowd recently released a new report, Inside the Mind of a CISO. While conducting research for the report, we found that several CISO priorities were trending. They were coming up in our own survey data, in analyst reports, during qualitative interviews with CISOs, and more. Here are 8 CISO priorities in 2024 that are coming up more than ever before.
CISO priorities
1. Regulatory obligations
With regulatory obligations and government oversight of cybersecurity on the rise, CISOs need vendors who can provide solutions to these challenges. One specific area where this is increasing is with AI policy and legislation. Between the European Union’s AI Act and the United States releasing Executive Order 14110, governments around the world are responding to the rise of AI and its inherent safety and security risks. You can read more about considerations for rational, effective, and ethical AI regulation in another blog post.
2. Burnout
50% of current CISOs will have changed jobs in the next year as a result of burnout. This can partly be attributed to the immense burden of potential breaches. A security breach is an incredibly jarring event. When a breach occurs, a CISO must manage the response within their team, protect their team, and communicate to the C-suite what is happening and what the team is doing about it. For the organizations that deal with breaches two to three times a year, this can really take a toll.
3. Closing the cybersecurity skills gap
Gartner predicts that by 2028, the adoption of GenAI will close the hiring gap for entry-level skills. Bugcrowd’s research found that 24% of security leaders have already reduced their security headcount with the adoption of AI technologies, with 48% planning to follow in the next five years. This is especially true for larger teams.
4. Security outcomes
Instead of approaching solutions through the lens of security silos and products, CISOs are focusing on outcomes. Security leaders could drown in the sheer amount of point solutions and products marketed to them every single day. They are focusing on finding products that speak to their overall security outcomes improving, especially those that take a platform-approach to do so.
5. Risk vs compliance
CISOs are taking a risk-driven approach to security in addition to ticking compliance boxes. A great example of this market shift is penetration testing. Up until recently, compliance was the dominant driver of pen testing. Today, according to industry research, 69% of adopters do pen tests to assess security posture. Compliance can be an opportunity for organizations with less mature cybersecurity practices to secure investments for security initiatives. However, more and more CISOs are focusing on actually reducing risk.
6. Professional development
69% of top-third CISOs prioritize recurring professional development time. CISOs are often pulled into meetings and it can be difficult if not impossible to find time for professional development, however, leading CISOs still prioritize professional development time. This can take many forms, such as networking, catching up on security news, taking time to work with various groups in security, and more. One way to stay sharp on technical skills is by engaging in ethical hacking. Many CISOs have to sacrifice some technical aspects of their job to take on tasks like budget management, stakeholder relationship management, and presentation building. By hacking on the side, CISOs can maintain their technical touchpoints and skills.
7. Legal exposure
Gartner predicts that by 2027, two-thirds of Global 100 organizations will extend D&O insurance to CISOs due to personal legal exposure. D&O insurance (otherwise known as directors and officers insurance) covers executives of a business if a lawsuit is brought against them. This is especially key for the CISO role, where breaches are bound to come up and can be costly for a business.
8. Cyber insurance premiums
CISOs want to demonstrate a proactive approach to security risk management to reduce insurance premiums. By doing this, it signals to insurers that the organization is taking measures to mitigate potential cyberthreats. Insurers may view these organizations as having better security hygiene and a reduced risk profile and are less likely to experience a data breach. You can read more about how bug bounty engagements reduce cyber insurance premiums in the Forrester Total Economic Impact Report.
View the graphic from Inside the Mind of a CISO for a quick overview of the conversations CISOs are having around the board room.
To learn more about what CISOs are prioritizing, download Inside the Mind of a CISO.