CISOs are making cybersecurity a business problem

U.S. enterprises are responding to growing cybersecurity threats by working to make the best use of tools and services to ensure business resilience, according to ISG.

Enterprises face growing cybersecurity threats

The report for the U.S. finds that the U.S. security landscape changed significantly in 2022, with breaches declining in number but increasing in size and the federal government tightening compliance rules.

Many organizations began to improve visibility and risk management to better protect themselves from the broader business effects of breaches, such as damage to reputation and fines for lack of compliance.

“It was a tumultuous year for cybersecurity in the U.S.,” said Doug Saylors, partner and co-lead, ISG Cybersecurity. “Attacks became more sophisticated and severe, while businesses stepped up efforts to respond to and survive increasing threats.”

Small and medium businesses, often linked to large enterprises through supply chains, are now recognizing their exposure to threats and investing in managed security services. Digital maturity, more than size, determines how U.S. companies approach cybersecurity, ISG says.

CISOs focus on extracting more from existing investments

Many CISOs are now trying to derive more value from existing investments, the report says. Among other things, enterprises are investing in risk assessments, outsourcing more services and seeking integrated solutions such as security service edge (SSE) and extended detection and response (XDR).

As C-level executives become more aware of the need for cyber resilience, security investments have expanded beyond detection and response to include rapid recovery and business continuity.

“CISOs are making cybersecurity a business problem rather than a technology problem. They want more solutions and services that help them align security measures with enterprise objectives,” said Jan Erik Aase, partner and global leader, ISG Provider Lens Research.

As attackers increasingly target specific industries, such as healthcare, utilities, automotive and education, organizations are looking for cybersecurity solutions that align better with threats, attack vectors and regulations in their own sectors, ISG says.