In 2023, security leaders remain ever-vigilant in protecting their organizations from an expanded threat landscape and more sophisticated attacks, while securing investments in advanced technologies. At the same time, as business leaders, they are not immune to the uncertain economic outlook and heightened focus on resources. CISOs are trying to maintain a balance between necessary security investments, the need to support growth and innovation, and the responsibility to spend wisely.
In Gartner’s Top Cybersecurity Trends for 2023, they mention the need for a balanced approach to security initiatives, as well: “Security and risk management leaders must rethink their balance of investments across technology, structural and human-centric elements as they design and implement their cybersecurity programs.”
In our annual Leadership Perspective Survey results, the number one goal across the organization for CISOs continues to be reducing risk, the same as it was in 2022. Here, we take a closer look at security leaders’ specific goals and objectives, based on our survey of more than 1,300 CISOs from the world’s leading companies.
Top Priorities for CISOs
CISOs from across Evanta communities cite cloud security, strategy and architecture as their number one priority in 2023. Cloud initiatives are followed by user access/IAM/Zero Trust, coming in at number two, and measuring and communicating risk, which takes the number three spot this year. These three initiatives have been among CISOs’ top priorities – especially cloud security – for three years in a row.
Based on feedback from CISOs, Zero Trust was added as a sub-category this year, and incident response and ransomware is a new answer option, which promptly moved into the top five areas of focus.
Maturing Cloud Security, Strategy & Architecture
In our survey, we ask CISOs about the specific goals and challenges to making progress on their top priorities – in this case, cloud security, strategy and architecture, user access/IAM/Zero Trust, and measuring and communicating risk. CISOs most often said that mitigating risks was their most important goal regardless of the initiative they are working on, while they cite a variety of challenges.
Cloud security is CISOs’ number one area of focus for the second year in a row. Some security executives report that their organizations remain on a cloud journey or are still determining which functions should be in the cloud. These are their specific goals and challenges in implementing cloud security, strategy and architecture.
Goals for Cloud Security, Strategy & Architecture
64% Mitigating risks
49% Improving processes and efficiencies
46% Improving resiliency
Challenges around Cloud Security, Strategy & Architecture
54% Lack of skills
40% Lack of resources
37% Quickly changing landscape
Here is a sample of what security leaders told us anecdotally about managing and securing the cloud:
“Maturity takes time and skills and upskilling to take advantage of cloud services. How do we transition the workforce into optimizing the benefits of the cloud?”
“We are moving to the cloud and need different cloud providers to manage different workflows. One challenge of moving to the cloud is the lack of control it provides – how do you overcome this from a security perspective?”
“Before the cloud, the risk was data confidentiality – but now, it's losing data availability.”
CISOs primarily want to learn more about this topic from a strategic perspective (79%), but are also interested from an execution point of view (69%).
The topic of cloud security and strategy was part of a recent Town Hall discussion on “Achieving Business Outcomes in the Cloud.” You can find some takeaways from the discussion here.
Managing User Access, IAM, and Zero Trust
In the area of user access, IAM, and Zero Trust, CISOs’ second highest priority in 2023, executives report that mitigating risks (74%) is again their top goal, while legacy technology (49%) is an obstacle to achieving that goal.
Goals for User Access, IAM & Zero Trust
74% Mitigating risks
57% Improving processes and efficiencies
43% Improving employee experience
Challenges around User Access, IAM & Zero Trust
49% Legacy technology
44% Competing priorities
43% Lack of resources
Here are some of the responses from CISOs when we asked them to elaborate on their opportunities and concerns about user access:
“We are on a Zero Trust journey and thinking differently about giving access to users. We're strengthening our identity foundations, so we move away from traditional VPN to more of a Zero Trust model.”
“Instead of knowing what to do, the focus should be on how to do it at scale and fast. For customers, they usually don't want too much friction… Therefore, this is an evolving space.”
“Identity touches every part of the business and touches all processes. We do a lot of work around customers and identity, but we should also be thinking about it from a workforce perspective.”
CISOs want to explore more about user access from an execution perspective (76%), but they also want to strategize on this topic (74%).
User access and cybersecurity were the topics of a recent session at the Dallas CISO Executive Summit on “Digital Transformation – Survive and Thrive.” The community discussed the value of cybersecurity transformation and how to scale and simplify cloud security across the organization; the highlights from their session are here.
Measuring Risk and Communicating Effectively About It
The other top priority for CISOs this year is how to measure and communicate risk — particularly to other C-suite leaders and the board. The increasing focus on security breaches requires CISOs to provide information, metrics and updates about risk in a way that their peers outside of security can understand. Security leaders cited mitigating risks as their top goal, while competing priorities was their biggest challenge.
Goals for Measuring & Communicating Risk
67% Mitigating risks
63% Improving metrics & KPIs
50% Making data-driven decisions
Challenges around Measuring & Communicating Risk
42% Competing priorities
39% Lack of resources
36% Data quality & availability
CISOs shared more on their concerns around risk measurement and communication, including the following:
“Communicating risk to the board is difficult as you can’t present a cyber topic in the same way. And, how do you define meaningful KPIs for non-security focused board members?”
“We try to communicate risk at an enterprise level, while also having traceability to each business unit. This is crucial because not all areas will have the same level of risk, and if not managed correctly, one area could bring down the entire enterprise.”
“Placing an ROI on security doesn’t work, so you must assign a value to risk, which doesn’t have to be monetary. And, frame it with business language so security is more on par with the other lines of business.”
CISOs are interested in learning more about risk measurement and communication from a strategic perspective (74%), and also from a leadership point of view (65%).
The topic of communicating risk to the organization was part of a recent Town Hall discussion on “Communicating Risk – Translating Insight into Action.” You can explore the key takeaways from the discussion here.
CISOs’ Priorities Across the Enterprise
In addition to their functional priorities, we also survey CISOs each year about their priorities across the enterprise. CISOs report that reducing risk is their number one priority, which is consistently close to the top every year. Increasing operational efficiencies and productivity came in second, and optimizing or reducing costs was third. Optimizing costs jumped up in the top ten, demonstrating the impact of the current economic climate on CISOs.
Here is how CISOs’ top enterprise initiatives compare to their peers across the C-suite.
The focus on finding operational efficiencies and cost optimization is in the top five for nearly all C-suite leaders as an enterprise priority this year – perhaps not surprising given the economic environment. CISOs, like their C-suite counterparts, have to do more with less, or may be looking at how they can expand their vendor relationships to take on more tasks. While keeping an eye on resources, CISOs remain focused on driving growth and accelerating digital business, which come in fourth and fifth, respectively.
What’s Next for CISOs
The role of the CISO has evolved over the past several years as they’ve balanced advanced security threats with the need for growth and digital business acceleration. They are tasked with growing the business in a secure manner and providing a holistic view of risks to the organization. For security leaders, it means an increased need for effective communications and the ability to assess and offer a measurement of risks.
One CISO noted that a challenge in this area is how to articulate the “non-financial impact.” “Their priority might be operational impact, human impact, or reputational impact – not the bottom line,” he continues. “We’re trying to rebrand risk from cyber risk to operational risk.”
In addition, as organizations come out of the pandemic focused on growth and innovation, CISOs don’t want to be the ‘bad guy’ inhibiting the business – but they also have to protect it. As another CISO noted, “Digital transformation is happening, and the business is driven by timelines. How do we ensure systems are in place across the business – and the digital transformation follows best practices – so no security breach occurs due to shortcuts along the way?”
As they navigate this balance between security and growth, they are also negotiating the current economic climate. As another security leader told us, “We have come a long way… but we can’t protect everything. We need to prioritize based on criticality, risk, and budget constraints.”
To continue the conversation on CISOs’ goals, challenges and mission critical priorities, Evanta offers regional communities of CISOs that meet throughout the year. Join them to discuss the topics in this survey report, or explore an upcoming opportunity to connect with your CISO peers in person.
This article is an update to last year’s survey report, which you can find here: Top 3 Goals & Challenges for CISOs in 2022.
Based on more than 1,300 CISOs’ responses to Evanta’s 2023 Leadership Perspective Survey.