Chief information security officers (CISOs) are grappling with a wide range of risks and challenges, especially linked to the accelerating utilization of technologies like cloud-based applications and Application Programming Interfaces (APIs). 

The CISOs Report, Perspectives, Challenges and Plans for 2022 and Beyond is based on a survey of more than 400 CISOs working across a broad set of companies and industry sectors in the US, Canada and other select nations. The study was conducted by AimPoint Group, W2 Communications, and CISOs Connect.

Recent shifts in the IT landscape have resulted from the dramatic escalation of remote work, cloud adoption, BYOD and changing development practices. The security impacts of those changes are reflected in where CISOs see the most need to strengthen their defenses.

CISOs rate their organization’s IT components most needing security improvement as:

  • APIs 42%
  • Cloud applications (SaaS) 41%
  • Cloud infrastructure (IaaS) 38% 

“It should come as no surprise that APIs ranked as the #1 IT component most in need of security improvement,” says Michelle McLean, Vice President at Salt Security, a Palo Alto, Calif.-based provider of API security. “For truly secure APIs, CISOs need to consider the three pillars of API security: complete visibility into API traffic; continuous and dynamic analysis of APIs in runtime; and access to remediation insights to identify risks before they become exploited. To gain all of those insights, organizations need a breadth of context into all of their APIs and API behaviors, so that they can correlate activities across them and provide real-time analysis of all that data.”

CISOs rate their organization’s security processes most in need of improvement as:

  • Data discovery and classification 38%
  • Data backup and recovery, as well as vulnerability remediation 36% each
  • Development security operations (DevSecOps) 35%

CISOs are taking action on zero trust

While early on some were quick to relegate zero trust as hype, it is not. A full 96.5% of CISOs surveyed are either underway with or actively planning for a zero trust initiative. Only 7.5% claim to already have a robust implementation, but even those will require ongoing improvement to extend key practices to the application and data layers as cyber threats evolve. Over 50% say implementing or enhancing their zero trust model is one of their top three priorities for the coming year.

Third-party risk pervades

While supply chains have become essential to the success of almost all businesses, CISOs see plenty of supplier and partner challenges to overcome. Third-party risk tops a long list of cyber vulnerabilities causing CISOs the most concern, rating 3.89 on a scale of 1 (lowest) to 5 (highest). This finding tracks with the escalation of supply chain security issues over the last two years. Supply chain attacks rate 3.93 out of 5 as the cyber threat that causes the most concern. Forty-three percent of survey respondents indicate that better addressing partner or supplier risk is among their top three priorities for the coming year.

Given third-party concerns, 41% of CISOs plan to add or upgrade third-party security and risk management technology over the next year. Other technologies high on the shopping list include network/micro-segmentation (65%), container security (57%) and security service edge (SSE) platform (55%).