On deck for the business of cybersecurity: Fire sales and due diligence | Cybersecurity Dive


Enterprise cybersecurity is navigating market turmoil and vendor consolidation. Here’s what experts expect to happen to the industry in 2023.

Hype around investing in cybersecurity is giving way to talk of economic headwinds, and cybersecurity, seen as a cost center, is closely watching the budget chopping block.

This turmoil in 2023 is expected to adversely affect the cybersecurity vendor landscape, spurring a spree of consolidation. One CISO even equated some of the potential market movement to a fire sale.  

Even when resources are tight, cybersecurity executives are expected to fall in line with regulation. From the CISO’s desk, there is also a lot of attention on what due diligence means following the guilty verdict of Uber’s CISO last year.

Cybersecurity Dive asked researchers and analysts what they expected to see hit the business of cybersecurity this year. Below is how four experts responded: 

Vendor and solution consolidation will continue. Large vendors with positive market momentum will get bigger as they subsume the smaller fish in the market.

Security budgets will remain largely unaffected in 2023 because security is a board-level conversation and has budget priority. Besides not wanting to make headlines due to a breach, the conviction of Uber's CISO sent shockwaves on what due diligence means.

Even as security budgets remain unaffected, how budgets are spent will continue to change. Organizations will focus less on traditional security infrastructure — say firewalls — and more on cloud-delivered, SaaS-based security for securing hybrid work and cloud applications.

As the cyber threat landscape continues to evolve and grow more sophisticated, the role boards of directors play in cyber risk oversight is becoming increasingly important. As organizations prioritize customer trust alongside continued growth, the board can help position cyber as a strategic enabler to foster stronger relationships across customers, vendors, employees, and shareholders.

Recognizing the value a robust cybersecurity posture can directly have on financial impact allows boards to more effectively oversee cybersecurity risk management activities. Emphasizing governance, risk management, strategy and timely notification to investors should encourage leaders to consider evolving and shaping their current and future business models with cyber risk and the board at the center of these initiatives.

The economic headwinds will drive turbulence in the cybersecurity vendor landscape. Some vendors will raise down rounds, while others will go out of business now that the era of free money is over. Security buyers must conduct due diligence when considering cybersecurity startups. Yesterday's cool new vendor could be tomorrow's fire sale.

The economy will also drive consolidation; there are over 4,000 cybersecurity vendors out there, and many of those that do survive will become features in other vendors' platforms. In speaking with my peers, I see the role of the CISO gaining even more prominence next year. The number of successful cyberattacks and the widespread damage they have wrought is reaching a boiling point with new regulatory scrutiny.

Proposed reporting requirements from the U.S. Securities and Exchange Commission will force public companies to be much more transparent and strengthen their cyber defenses. All this will fall on the CISO. There will be new responsibilities along with blame should a breach occur, as evidenced by the recent guilty verdict for the former Uber CISO. Our industry was already struggling to recruit qualified professionals, so decisions like that present even greater challenges.

With the CISO now in the spotlight, the relationship with their boards must change. ... The mounting pressures of potential personal liability will only increase the strain in the board-CISO relationship, with huge implications for an organization’s security. The main disconnect is that both parties don’t speak the same business language. CISOs must learn to tell the story of cybersecurity vulnerabilities and risks in a way that resonates with leadership. These conversations must take place regularly and in the language of business, rather than the tech jargon of security.