Cybersecurity In 2024: Startling Insights from Over 1,000 CISOs
A glaring and long-standing area that many industry security analysts still overlook. From IAM to AI: unpacking the priorities and investments of today's CISOs for 2024
Dear readers,
I want to express my gratitude for the support you've shown throughout 2023, and I'm excited to continue writing and sharing more valuable content with you into 2024. One of the benefits of focusing primarily on cybersecurity and AI is the opportunity to spot trends as they emerge. Today, I'd love to share some interesting findings drawn from surveys of thousands of CISOs, published by reputable sources such as Morgan Stanley, Lightspeed Ventures, Scale Venture Partners, Gartner and more. These surveys have proven to be highly predictive of security demand. Let's dive in. In other news, if you're looking for ways to partner and work together, I provide some options at the end of the report.
Key Actionable Takeaways
Objective of this piece: My goal is to share findings on the major categories of cybersecurity that are likely to grow coming into 2024. These are important themes, and areas where you can expect to see my research and write-ups in 2024. This opinion was formed after analyzing six independent CISO (Chief Information Security Officer) surveys covering data points from over 1,000 individual security leaders on the categories they invested in significantly in 2023 and where they planned to increase investment in 2024.
Overall security demand into 2024: The first takeaway is that overall security spending is expected to grow from $188B in 2023 to $215B in 2024. Key drivers include the new SEC disclosure regulations and the rising cost of breaches: the average data breach now costs over $4.5 million, a 15% increase over the previous three years, and recent major incidents at MGM and Clorox cost those companies over $100M and $356M, respectively. Across all the sources, the data is clear that 2024 is going to be a big year for cybersecurity growth.
Sub-categories expected to grow: Consistently, and to my surprise, all the data pointed toward Identity and Access Management (IAM) and adjacent identity security categories as major priorities for CISOs, both in 2023 and into 2024. I found it fascinating how consistent the data was across every survey. Other major categories expected to see increased spending include data security, AI security and cloud security. Along the way, I explain some of the drivers behind these trends.
💡Cybersecurity & SaaS Bootcamp
We are pleased to host our fourth bootcamp! The cybersecurity bootcamp comprises the following:
Cybersecurity Industry Overview: A 3-week bootcamp that provides an in-depth exploration of the core cybersecurity domains, such as cloud, endpoint, and network security. Participants will gain a solid understanding of the cybersecurity industry through simple frameworks, as well as insights into what sets leading cybersecurity companies like CrowdStrike, Palo Alto Networks, and startups apart.
Software Modeling Foundations: In addition to the bootcamp, we offer an optional session on building SaaS metrics and a financial model for software companies. This session is led by former Morgan Stanley Analyst Thomas Robb.
Learn & Network: Participants can engage with a cybersecurity executive to gain insights into the industry and future trends. This includes networking opportunities with top-tier participants from investment and technology companies.
For full details, please visit Cybersecurity & SaaS Bootcamp. If you have any questions, let us know!
Expectations For Security Spending Into 2024
Methodology
The data was collected from surveys conducted between Q2 and Q4 of 2023. The participants were senior practitioners, including CISOs, other security leaders, and CIOs. I collated data from the following sources: the Lightspeed CISO survey (200 participants), Morgan Stanley (60 participants), the Scale Venture Partners report (300 participants), Wolfe Research (122 participants), Gartner (300 participants), and NightDragon (100 participants).
As discussed, across all of these sources it is safe to conclude that we can expect increased spending on cybersecurity in 2024. For example, Morgan Stanley's CIO survey clearly depicts the difference between 2023 and 2024 spending intentions.
According to the NightDragon survey published this January, 80% of CISOs from 100+ leading global organizations said their budgets increased or significantly increased from 2022 to 2023, up from 66% in the prior year's survey. Moreover, the vast majority expect their budgets to increase again in 2024, with 80% reporting growing budgets. (See footnotes.)
Similarly, in another independent CISO report by Lightspeed Ventures, 83% of respondents reported an increase in cyber budgets year-over-year, despite macroeconomic conditions and challenges.
The Cloud Ratings demand index, a forward-looking indicator of demand for SaaS companies, has consistently shown security as the best-performing category since November. Cloud Ratings tracks over 300 SaaS companies and identified Drata, Vanta, Snyk, and Wiz as the strongest performers in security in terms of interest growth over the past month. Many of the reports I review below share similar findings. Without beating the drum too hard, it is reasonable to expect a bigger year ahead for cybersecurity across public and private market companies.
Lightspeed Ventures (Cyber60 Report)
Lightspeed and Fortune produced the Cyber60 report, which outlined the top priorities and opportunities for cybersecurity builders. As part of the report, they surveyed over 200 cybersecurity leaders on their budget plans for the upcoming year and on their experiences with the security products they use. The survey, conducted in Q3 2023, also incorporated some Gartner data, resulting in interesting findings.
The top areas where CISOs planned to increase spending going into 2024, ranked in order, are as follows:
In this survey, 82% of CISOs considered Identity and Access Management (IAM) a high priority both for the previous year and for the coming 12 months. However, CISOs expressed dissatisfaction with existing IAM solutions, which they found poorly suited to the modern, complex identity needs of enterprise applications. They also called for more automation to replace the many manual processes involved in IAM. The survey further highlighted the importance of better Privileged Access Management (PAM) and of IAM lifecycle products related to cloud identity and boundary policies. IAM lifecycle products manage the entire lifespan of a user identity, from creating a new account and granting its entitlements through to its eventual deactivation. I will dive deeper into these topics next month.
Other findings from Lightspeed:
Other notable themes (although smaller in budget size relative to areas like identity) included plans to spend on data security/privacy products (97%) and cyber insurance (91%). For both areas to rank above 90% indicates how critical these topics have become for CISOs in the upcoming year.
70% of CISOs surveyed said they use 10 or more cybersecurity products or services in their enterprise. The report notes that SASE and XDR architectures are powering the consolidation era, and that their effectiveness has unlocked enterprise budgets for innovative new solutions focused on rapidly emerging threats, such as those powered by AI.
As I've highlighted in the past, companies are not yet spending fully on security for AI solutions. At the moment, leaders are still evaluating their risks and putting plans in place to start investing over the next few years. 86% of CISOs said implementing AI tools was an important strategic priority over the next 1-2 years, but 58% said they have already changed their strategy because of the AI revolution.
Scale Ventures Cybersecurity Perspectives
Scale Venture Partners published their 2023 Cybersecurity Perspectives report, sharing key takeaways on security buying decisions. Their survey found that identity and access management (IAM) was a major priority for enterprises: security leaders ranked IAM as their 2nd top priority in this year's survey, rising dramatically from 8th the year before.
IAM has grown in importance as enterprises continue their journey to the cloud and employees log in to multiple cloud services beyond the traditional perimeter. The report also identified automating the provisioning of user identities as a major problem for many companies. Account takeover was another major identity issue: according to CrowdStrike, adversaries used valid accounts to gain initial access in 43% of cloud intrusions last year. In the same report, CrowdStrike found that nearly half (47%) of critical cloud misconfigurations were related to poor identity and entitlement practices, and that in 67% of cloud security incidents IAM roles carried elevated privileges beyond what was required; in some of those cases the adversary subverted a user's role or identity to compromise the environment and move laterally.
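To make the "privileges beyond what was required" finding concrete, here is an added illustration (written for this page; not code from the Scale report, CrowdStrike, or any cloud provider) of the check a practitioner would run against such a finding: compare what each role is granted with what it actually exercised in an access log, expand wildcard grants, and flag roles with wildcards, unused sensitive actions, or a large share of never-used permissions. The role policies, the action catalogue, the `SENSITIVE` set and the log lines are all constructed; the action names only imitate the `service:Operation` shape cloud providers use.

```python
"""Flag over-privileged roles by comparing granted permissions with the
permissions actually exercised.  Added illustration, not code from the page or
from CrowdStrike; the roles, action catalogue and access-log lines are constructed."""
from __future__ import annotations
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed role policies.  Actions use the "service:Operation" shape cloud
# providers use; "*" patterns are wildcard grants resolved against the catalogue.
ROLE_POLICIES: dict[str, set[str]] = {
    "ci-deploy": {"s3:GetObject", "s3:PutObject", "s3:*", "iam:PassRole", "ec2:RunInstances"},
    "readonly-analyst": {"s3:GetObject", "s3:ListBucket"},
    "admin": {"*"},
}

# Constructed catalogue of every action that exists in this toy environment.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:PassRole", "iam:CreateUser", "iam:AttachRolePolicy",
    "ec2:RunInstances", "ec2:TerminateInstances",
]

# Actions that enable escalation or destruction: worth calling out even when
# they were never used.
SENSITIVE = {"iam:PassRole", "iam:CreateUser", "iam:AttachRolePolicy",
             "s3:DeleteBucket", "ec2:TerminateInstances"}

# Constructed access-log lines: "<timestamp> <role> <action> <decision>".
ACCESS_LOG = """\
2024-01-15T09:12:01Z ci-deploy s3:GetObject ALLOW
2024-01-15T09:12:02Z ci-deploy s3:PutObject ALLOW
2024-01-15T10:00:00Z ci-deploy ec2:RunInstances ALLOW
2024-01-16T11:30:45Z readonly-analyst s3:GetObject ALLOW
2024-01-16T11:31:00Z readonly-analyst s3:ListBucket ALLOW
2024-01-16T11:32:10Z readonly-analyst s3:PutObject DENY
2024-01-17T02:14:09Z admin s3:GetObject ALLOW
"""


def expand(policy: set[str], catalogue: list[str] = ACTION_CATALOGUE) -> set[str]:
    """Resolve wildcard grants such as 's3:*' or '*' to concrete actions."""
    return {a for a in catalogue if any(fnmatchcase(a, pat) for pat in policy)}


def used_actions(log: str) -> dict[str, set[str]]:
    """Actions each role actually exercised (denied attempts do not count as use)."""
    used: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, role, action, decision = line.split()
        if decision == "ALLOW":
            used[role].add(action)
    return used


def audit(policies=ROLE_POLICIES, log=ACCESS_LOG) -> dict[str, dict]:
    """Per-role comparison of granted vs. exercised permissions."""
    used = used_actions(log)
    report = {}
    for role, policy in policies.items():
        granted = expand(policy)
        exercised = used.get(role, set()) & granted
        unused = granted - exercised
        report[role] = {
            "wildcards": sorted(p for p in policy if "*" in p),
            "granted": len(granted),
            "used": len(exercised),
            "unused": sorted(unused),
            "unused_sensitive": sorted(unused & SENSITIVE),
            # The right-sized policy is simply what the role has been seen to use.
            "suggested_policy": sorted(exercised),
        }
    return report


def over_privileged(report: dict[str, dict], max_unused_ratio: float = 0.5) -> dict[str, float]:
    """Roles to review: any wildcard grant, any unused sensitive action, or more
    than max_unused_ratio of the granted actions never exercised.  Returns the
    unused ratio for each flagged role."""
    flagged = {}
    for role, r in report.items():
        ratio = (r["granted"] - r["used"]) / r["granted"] if r["granted"] else 0.0
        if r["wildcards"] or r["unused_sensitive"] or ratio > max_unused_ratio:
            flagged[role] = ratio
    return flagged


if __name__ == "__main__":
    rep = audit()
    for role, ratio in over_privileged(rep).items():
        r = rep[role]
        print(f"{role}: {r['used']}/{r['granted']} granted actions used "
              f"(unused ratio {ratio:.2f}); wildcards={r['wildcards']} "
              f"unused_sensitive={r['unused_sensitive']}")
        print(f"  suggested policy: {r['suggested_policy']}")
```

Run stand-alone it flags `ci-deploy` (the `s3:*` wildcard quietly grants `s3:DeleteBucket`, and `iam:PassRole` was never used) and `admin` (eight of nine actions unused), while `readonly-analyst` passes. The obvious caveat is that "never used in the observed window" is not the same as "not needed": the window must cover rare jobs such as quarter-end or disaster-recovery runs before a suggested policy is enforced.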
Other findings from the scale report:
It was also interesting to note that security leaders (57% of firms, up from 42% in the previous year's survey) identified a lack of skilled employees as part of the problem in achieving a strong security posture. The leaders in this report expressed frustration both at the lack of available talent and at the absence of security tools that could fill the gap, for example by handling incident and alert triage efficiently.
Security leaders were also asked which products and tools in their enterprises they were currently dissatisfied with. The biggest market gaps were reported in cloud application security and CI/CD security, each with a 45%+ gap between importance and satisfaction. With only one-third of security leaders satisfied with the commercially available solutions in these two areas, founders may have an opportunity to build better tools.
Gartner’s Security Leaders 2024 Report
In the first week of January every year, Gartner publishes its findings on what security leaders within its network are prioritizing for the upcoming year. On January 2, 2024, it published an extensive report on the top trends for the year. Similar to some of the reports above, most of the data points toward identity.
“IAM’s role in cybersecurity has been increasing steadily. As of 2023, IAM is the second-most-popular topic of discussion by SRM leaders who use Gartner’s client inquiry service.”
“Almost two-thirds of the respondents to a Gartner survey expect their organization to increase its investment in IAM capabilities.” - Gartner, Top Trends in Cybersecurity for 2024.
Gartner succinctly discusses how identity has steadily grown as a topic of discussion amongst security leaders. It pinpoints several sub-categories within identity that are expected to see increased spend over the next 12 months: fraud detection, authentication, customer identity, workforce identity governance and administration (W-IGA), and privileged access management (PAM).
The core driver behind this trend is that attacks against organizational identity infrastructure became markedly more common in 2023. Companies are finding that the best way to defend themselves is to adopt Identity Threat Detection and Response (ITDR) technologies, which also explains the rise of ITDR startups and acquisitions in 2023: Okta acquired Spera (ITDR), Proofpoint acquired Illusive (ITDR), and so on. In 2023, CrowdStrike announced that its identity business, which is predominantly ITDR, had grown to $200M. This is impressive considering it began its identity strategy in 2020 by acquiring Preempt for $98M, when that business had only single-digit ARR.
Again, in a future report I'll discuss these topics in more depth. Briefly, ITDR is a specialized area of cybersecurity focused on detecting and responding to threats that specifically target identity services and infrastructure: user accounts, authentication systems, and identity repositories such as Active Directory. ITDR products baseline normal authentication and privilege activity, detect anomalies such as logins from unexpected locations, credential resets or privilege grants that follow a suspicious login, and password-spray patterns, act against that behaviour (for example, by forcing re-authentication or disabling the account), and integrate widely with other systems such as the identity provider and the SIEM. It's a core security product for protecting identity infrastructure.
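As an added illustration of the kind of detection an ITDR product performs (example code written for this page, not from any ITDR vendor or from the original post), the script below runs two rules over a constructed identity-provider audit log: a successful login from a country outside the user's baseline followed within 30 minutes by an MFA reset or privilege grant, and a password spray (many distinct users failing from one source IP in a short window), which also lists any accounts that then logged in successfully from that IP. The `BASELINE` table, the thresholds, the event names and the log lines are all made up for the example; a real product learns the baseline from history.

```python
"""Two ITDR-style detections over identity-provider audit events.  Added
illustration, not code from the page or from any ITDR vendor; the baseline,
thresholds and audit-log lines below are constructed."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit log: "<timestamp> <user> <event> <source-ip> <country>".
AUDIT_LOG = """\
2024-01-20T08:00:00Z alice login_success 203.0.113.7 CA
2024-01-20T08:05:00Z bob login_success 198.51.100.2 US
2024-01-20T22:10:00Z alice login_success 192.0.2.55 RU
2024-01-20T22:14:30Z alice mfa_reset 192.0.2.55 RU
2024-01-20T22:20:00Z alice role_grant 192.0.2.55 RU
2024-01-21T03:00:00Z carol login_failure 198.51.100.99 US
2024-01-21T03:00:05Z dave login_failure 198.51.100.99 US
2024-01-21T03:00:10Z erin login_failure 198.51.100.99 US
2024-01-21T03:00:15Z frank login_failure 198.51.100.99 US
2024-01-21T03:00:20Z grace login_failure 198.51.100.99 US
2024-01-21T03:00:25Z bob login_success 198.51.100.99 US
"""

# Constructed per-user baseline of the countries each user normally signs in from.
BASELINE = {"alice": {"CA"}, "bob": {"CA", "US"}}

SENSITIVE_EVENTS = {"mfa_reset", "role_grant"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str       # login_success | login_failure | mfa_reset | role_grant
    ip: str
    country: str


def parse_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, ip, country = line.split()
        # Older Pythons reject a trailing "Z", so spell the UTC offset out.
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            user, kind, ip, country))
    return sorted(events, key=lambda e: e.ts)


def detect_new_location_then_sensitive(events, baseline=BASELINE,
                                       window=timedelta(minutes=30)):
    """Login from a country outside the user's baseline, followed within the
    window by an MFA reset or privilege grant: the account-takeover sequence
    of 'get in, then make it stick'."""
    alerts = []
    for i, e in enumerate(events):
        if e.kind != "login_success" or e.country in baseline.get(e.user, set()):
            continue
        followups = [f.kind for f in events[i + 1:]
                     if f.user == e.user and f.kind in SENSITIVE_EVENTS
                     and f.ts - e.ts <= window]
        if followups:
            alerts.append({"rule": "new_location_then_sensitive", "user": e.user,
                           "ip": e.ip, "country": e.country, "events": followups})
    return alerts


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """One source IP failing against many distinct accounts in a short window.
    Also lists accounts that then logged in successfully from that IP; those
    are the ones to reset first."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e.kind == "login_failure":
            failures[e.ip].append(e)
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):          # sliding window over sorted failures
            while fails[end].ts - fails[start].ts > window:
                start += 1
            users = {f.user for f in fails[start:end + 1]}
            if len(users) >= min_users:
                lo, hi = fails[start].ts, fails[end].ts + window
                hits = sorted({e.user for e in events if e.kind == "login_success"
                               and e.ip == ip and lo <= e.ts <= hi})
                alerts.append({"rule": "password_spray", "ip": ip,
                               "distinct_users": len(users), "successes_from_ip": hits})
                break                          # one alert per source IP
    return alerts


def run_detections(text: str = AUDIT_LOG, baseline=BASELINE) -> list[dict]:
    events = parse_log(text)
    return (detect_new_location_then_sensitive(events, baseline)
            + detect_password_spray(events))


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

On the constructed log the first rule fires for `alice` (an RU login followed by `mfa_reset` and `role_grant`) and the second fires for `198.51.100.99`, noting that `bob` authenticated from the spraying address. Note that `bob`'s login alone would pass the location rule, because US is in his baseline: the two rules are complementary, which is why ITDR products correlate several weak signals rather than relying on one.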
Other findings from Gartner:
Spending on data privacy and cloud security is projected to record the highest growth rates in 2024, with each segment increasing by more than 24% year over year (see Table 1). Privacy remains a top organizational priority as regulations affecting the processing of personal data continue to emerge, including those related to the use of AI. Gartner predicts that by 2025, 75% of the world's population will have its personal data covered by modern privacy regulations.
Generative AI was identified as a critical area of spending. Through 2025, Gartner estimates that generative AI will cause a spike in the cybersecurity resources required to secure it, driving more than 15% incremental spend on application and data security.
Gartner identified Continuous Threat Exposure Management (CTEM) as a new area in which interest grew this year compared to last, especially as attack surfaces expand. The attack surface of many companies has grown in recent years with the adoption of SaaS, cloud and similar services, leaving organizations with blind spots and a larger number of exposures to address. CTEM is a program for continuously scoping, discovering, prioritizing, validating and acting on exposures so that the most significant risks are managed first.
Morgan Stanley Q4 2023 CIO Survey
Morgan Stanley surveys enterprise Chief Information Officers (CIOs) quarterly to gauge how their sentiment on security spending changes throughout the year. Their survey similarly shows strong spending intent on identity security going into 2024. It's important to note that for most large enterprises identity security is already a large spending category that takes a good chunk of the budget, which partly explains its prominence here; other categories such as network security, email security, or endpoint security are bigger in some cases. Morgan Stanley has run this study for quite a few years, and interestingly, the IAM trend has only strengthened.
The interesting part of their survey is that it also probes Value-Added Resellers (VARs), the crucial middlemen within cybersecurity that influence companies' buying decisions. Notably, 100% of the VARs expect Identity and Access Management (IAM) to benefit most from cloud migrations. Among the CIOs, 53% indicated a positive impact on IAM from cloud migration, while only 7% indicated a negative impact, a striking contrast.
NightDragon: Cyber Leaders On 2023 And 2024 Outlook Findings
The NightDragon Advisor Council includes 100+ leading CISOs, cyber experts and former government officials. These leaders come from Fortune 500 and other large enterprise organizations from a variety of critical verticals, including healthcare, finance, travel, critical infrastructure and more.
The 2024 special report dives into the key risk areas CISOs faced in 2023, from geopolitical to third-party risk, and asks about the categories where leaders plan to invest more heading into 2024. Although NightDragon didn't rank the responses, it's clear that identity security, along with threat detection and management technologies, ranked as an important category on their list.
In parts of the report they highlighted sub-categories of identity, such as passwordless authentication, as core areas where these leaders plan to spend more in 2024, without going into further depth. They also highlighted other areas of increased budget allocation, including ransomware resiliency, cloud security, operational technology security, and artificial intelligence.
Wolfe Research CISO Survey
Wolfe Research, an independent sell-side Wall Street research firm, surveyed 122 CISOs (57% from enterprises and 43% from SMBs) about their security budget growth for 2024 and their spending expectations across sub-sectors and vendors. 68% of respondents anticipate an increase in their budgets for 2024 (compared to 62% for 2023). In terms of how much budgets are expanding, 43% of respondents expect an increase of more than 10%, up from 31% the previous year.
The top 5 categories where CISOs plan to increase spending were (ranked):
Cloud Security
Data Governance
Privileged Access Management (PAM)
Identity Governance & Administration (IGA)
Access Management (AM)
Wolfe offered its CISO participants more than 10 categories, and identity emerged as a recurring theme across the top 5, though it was interesting to see how the categories were ranked relative to one another.
Other findings by Wolfe Research:
Other findings include SASE dropping from 3rd place in 2023 to 6th in 2024 as a CISO priority, and EDR/XDR moving up two spots to 7th. Firewalls had the fewest respondents expecting an increase in spending, with the majority expecting a reduction in 2024. This sentiment on firewalls relative to emerging architectures like SASE is consistent with the other reports.
One interesting finding on vendor preferences was that a plurality of respondents (46%, up from 34% in 2023) indicated a preference for point solutions to solve security challenges rather than buying from a vendor consolidator (26%). This likely suggests that for newer threat vectors (AI, software supply chain, data security, etc.) not yet well served by large vendors, companies are turning to point solutions.
Microsoft (MSFT), Palo Alto Networks (PANW), CrowdStrike (CRWD), and CyberArk (CYBR) each had approximately 56% of respondents stating an intention to adopt more of their platforms. As the budget environment improves, best-of-breed solutions could regain some share, but customers are likely to keep buying more from their existing vendors.
What does this all mean?
As we begin 2024, the cybersecurity landscape presents both challenges and exciting opportunities. Could we end 2024 with deal volumes back at 2019/2020 levels? The number of M&A deals and fundraises already announced in the first 23 days of this year is a good indication of the year ahead. We might not reach 2021 levels, but I am confident we'll surpass 2023 with regard to deal activity.
This article has tried to distil the insights from these comprehensive surveys into a likely picture of priorities for the upcoming year. The trend of identity attracting more investment is consistent across the board. As the year unfolds, it'll be interesting to see how these intentions to invest in areas like identity are fulfilled. Will we see more identity companies? More funding deals in categories like ITDR? Will CISOs get what they want from established vendors like Microsoft and Okta, or will startups rise to the occasion?
Other key areas to watch for M&A and fundraising activity include data security, AI security, cloud security, SASE, services, cyber insurance and risk management, among many others.
Example of My Planned 2024 Reports (& Collaboration Opportunities)
I wanted to take the time to share the types and categories of reports I plan to write in the upcoming year. Many of my topics are based on my curiosity and a desire to delve further into the areas CISOs want to see change in 2024. In this report I've only provided a high-level overview of the top areas that surfaced from these CISO surveys; many of the topics I've planned for the year are the result of probing each report more deeply. I've broken them up into industry reports, themes, and company-specific reports.
Some Industry Reports:
Unveiling the Detailed Cybersecurity Landscape for 2024 (Part 2)
Navigating Identity Consolidation: Key Players & Categories in the Industry.
What is Truly Zero-Trust: Decoding Its Constructs & Identifying Key Players.
Exploring GenAI Security: Key Players Taking Center Stage.
Company-Specific Reports:
ZScaler Beyond SASE: What's Next? A Comprehensive Deep-Dive.
What is next for CrowdStrike?
Post $100B Thesis on Palo Alto Networks.
Important Themes:
Software Supply Chain Evolution (v2).
Demystifying the Evolution of SIEMs: Key Players
Navigating Security Compliance, GRC & Privacy.
Exploring Cloud Data Security and DSPM.
AI in Security vs. Security for AI.
Data Infrastructure Topics:
A panoramic view of the Generative AI Landscape.
The latest in the Snowflake vs. Databricks AI Race.
Anticipated IPOs: I will write a comprehensive analysis of upcoming IPOs and security companies as they come up throughout 2024.
Collaboration
This is the first time I'll share my email. I want to open up the opportunity for any company, individual or organization that is intrigued by any of these topics, themes or categories and wants to chat about partnering, sponsoring, or collaborating on any of these reports throughout 2024; I'm eager to connect! Feel free to reach out at francis@softwareanalyst.ca
Sign-Up & Subscribe:
If you want to be kept up-to-date on each of these reports/themes/analysis, feel free to subscribe and join the newsletter.
I would also be grateful if you shared my report with your friends or anybody who might benefit from reading these reports!
Excellent overview and I look forward to your future write-up. Thank you for your work @Francis! You probably have seen my recent update on CrowdStrike gaining market share vs. legacy providers / S / and competing well vs. MSFT. I would love to do a follow-up on CRWD at some point, and it would be great to collaborate with you on that write-up. I'll DM you shortly!
https://www.sleepwellinvestments.com/p/crowdstrike-thesis-tracking-massive