Respondents from advanced companies tended to share these concerns, but they also paid attention to future threats. Among this smaller group, 74% said that the threat of AI-based attacks was a critical concern, and 73% said the same about AI-enabled social engineering. These responses reflected other aspects of their culture: stronger employee awareness of security issues, and greater executive support for cybersecurity investment. Because these companies have basic cybersecurity capabilities in place, their CISOs have the backing and capacity to think innovatively about meeting the coming wave of threats.
Among the practices that differentiate these more farsighted companies is an emphasis on return on investment (ROI). About 56% of advanced firms’ CISOs said that they consistently measure ROI for their cybersecurity spending. By contrast, only 39% of the overall survey respondents reported consistently measuring ROI for cybersecurity spending. For companies in the unprepared archetype—the bottom quintile of cyber maturity—the figure was 22%.
Advanced companies gain their ROI by deploying skilled people, well-designed processes, and up-to-date technologies. In the advanced group, 48% deploy network detection and response (NDR), a cybersecurity strategy that involves consistently tracking communications patterns to detect, investigate, and respond to threats that might otherwise remain hidden. Application security testing (AST), used to identify vulnerabilities in source code, is deployed by 42% of the same group, and cloud workload protection (CWP), which entails monitoring cloud services for potential threats, by 38%. These higher-than-average adoption rates among advanced companies reflect the companies’ nature as early adopters and the very recent emergence of the technologies. At the same time, these percentages indicate that there is much room for improvement and a greater need for best practices—even among advanced companies.
The Consolidation Trend
This year, many cybersecurity leaders reported that they are looking for larger, consolidated vendors that can provide multiple services in a single offering. CISOs say that mature cybersecurity technologies—traditional endpoint protection platforms, firewalls, governance, risk, and compliance services, network access control, secure email gateways, and unified endpoint management—offer the highest level of bundling. In these categories, the percentage of survey respondents looking to consolidate is larger than the percentage looking to expand procurement.
A few other solutions also involve mature technologies, but for a variety of reasons they are less likely candidates for consolidation or expansion. These offerings include risk management solutions from IT vendors, secure web gateways, user authentication and access management solutions, and endpoint detection and response systems.
In general, advanced companies think differently about sourcing security capabilities than the other companies do. For example, many companies are now consolidating their cybersecurity vendors. When asked about their reasoning, most CISOs cited cost savings as the primary motive. CISOs from advanced companies, however, said that they were looking for improved security outcomes. Evidently, they view having fewer vendors but more robust integrated relationships with those vendors as a way to achieve both goals. (See Exhibit 3.)