How CISOs Are Spending Their New Budgets
By Andy Ellis
In 2023, the outlook for cybersecurity companies seemed dire.
Andy Ellis of YL Ventures
Across the board, it seemed like the golden era in which chief information security officers got more money every time they turned around had come to an end, with a third of CISOs reporting their budgets had dropped, and another fifth having frozen budgets, meaning only committed money would be spent.
For cybersecurity companies, this is often troubling news. While some vendors can close deals and displace incumbent solutions with a combination of cost reduction and better features, in a tight market, it’s a rare CISO that can juggle trying something new when they’re busy keeping their head above the security poverty line.
Image source: CISO Circuit 9, August 2023, YL Ventures.
A year later, it seems like that trend is starting to reverse. While a quarter of CISOs are still reporting decreased budgets, 2 in 5 are now seeing budget increases. While not a complete turnaround, this indicates that CISOs have flexibility to solve new (and long-standing) challenges.
Image source: CISO Circuit 10, July 2024, YL Ventures.
So what are they working on?
My firm, YL Ventures, reached out to 218 CISOs or equivalents (actually, we asked almost 250, but a few dozen either didn’t want to answer the question, or regrettably didn’t have any strategic projects underway). We didn’t prompt them with a long list — these are the top-of-mind projects that these security buyers tossed our way.
Image source: YL Ventures internal data.
Identity is identified as No. 1: While user identity was the core project, 6% of respondents are now looking into NHI, or nonhuman identity, management (sometimes also called machine identities). As companies build their enterprise and product ecosystems increasingly in cloud and SaaS environments, the use of NHIs is exploding. CyberArk Software notes that nonhuman identities now outnumber human identities by a factor of 45 to 1. Unmanaged NHIs pose an increasing threat to stability and security, and CISOs are starting to respond to that challenge — but are still paying attention to human identities as the core building block of the modern enterprise.
Generative AI is generating a lot of sassy buzz: Generative AI burst onto the scene with the release of so many GPT companions, from ChatGPT to Copilot, Gemini, Grok and others, and CISOs are scrambling to gain some control over the risks here. Some of these projects are closer to SaaS security — and have certainly taken some of the wind out of the non-generative AI SaaS security market — but other projects are focused on LLM security.
The data suggests DLP is back: Almost half of data security projects involve data loss prevention, or DLP. This perennial market seems to be blooming under the possibilities that AI brings to the classification side of the problem; and while data security posture management as a separate category seems to be dwindling, secrets management, data vaulting and tokenization all showed up as projects in our conversations.
The whole software supply chain needs a healthy application of security: In the past, application security conversations were dominated by references to point solutions — SAST, DAST, WAF, pen testing — now CISOs are looking more holistically at application security posture management projects, especially as those affect their software supply chain, and are studying application detection and response in live runtime environments.
CISOs have a lot of problems to solve. While they might be seeking some product consolidation within given ecosystems, the sprawl of enterprises across cloud, SaaS, application and identity ecosystems is going to keep CISOs busy for a long time to come — and gives cybersecurity vendors a lot of opportunity to innovate in all of these problem spaces.
Andy Ellis is a seasoned technology and business executive with deep expertise in cybersecurity, managing risk and leading an inclusive culture. He is the author of 1% Leadership, a partner at YL Ventures and an adviser to cybersecurity startups.
Illustration: Dom Guzman