Threats that have always existed but are now amped up by generative AI are making enterprise leadership take notice and open the purse strings.
Information security has always been important, but never as sexy as legacy modernization, AI, or pretty much anything else IT spends money on. In general, security is the sort of thing CIOs wish they’d invested more money in—after they’ve had a breach.
But things have changed. As Merritt Baer, CISO at Reco AI, said to me, “You can’t do any other form of ‘business’ if you can’t be secure.” You can argue that this has always been true, but I’m hearing much more emphasis on security in my discussions with enterprises. To paraphrase Baer, if security isn’t your priority, do any of your other priorities matter?
Security first
Every time I board a plane, I hear the message, “The safety of our customers is our first priority.” It’s roughly the same line whenever CIOs answer budget surveys, but look back a few years and you’ll find other initiatives (server virtualization, cloud, etc.) taking the front seat. During the past decade, however, security breaches have become so prevalent and so persistent that enterprises have stopped pretending that security is their first priority, and are actually spending accordingly.
Although security spending declined globally in 2021, it’s been booming since then and is projected to top $87 billion in 2024. In a 2022 Morgan Stanley Research CIO survey, security was the top budget item that would be protected from the axe, with more than twice as many “least likely to be cut” votes as any other budget item, no matter a looming recession or other budgetary pressures.
In my own experience working with large enterprises, the conversations have shifted from, “Tell me about what your software can do, and also fill me in on security,” to “Tell me about your security, and if that passes muster we can then discuss what your software can do.” It went from one priority among many to the priority. As one CISO of a Fortune 500 company told me, “Security has become non-negotiable” in IT purchasing discussions.
CEOs, by contrast, may still think of other IT priorities. For example, one Foundry survey of CEOs pegged digital transformation ahead of security. That makes sense, given that CEOs tend to think of customer-facing initiatives first. However, even in this survey, security was an exceptionally close second. This is very different from how things were; if you asked a CEO in 2014 what she prioritized, as Gartner did, growth took the top spot. Security was way down the list. This is one reason I’ve suggested so-called open source “community” people stop fixating on the wrong issues. Open source security, not licensing ideology, needs to be the focus, whether to capture CIO or newbie developer interest.
How’s your posture?
It’s also why vendors should focus on improving their security posture. “Historically, cybersecurity spending was just a fraction of total IT expenditure,” a Bessemer Venture Partners report notes, but now it’s taking an ever-increasing share. This will continue as workloads shift to the cloud, which “introduces unique risks, including limited visibility, dynamic attack surfaces, identity proliferation, and misunderstandings around shared responsibility, compliance, regulation, and sovereignty,” as my InfoWorld colleague David Linthicum posits. Generative AI takes this further, introducing a host of new problems for security-conscious enterprises. What’s the solution?
“AI-enabled threats have just raised the bar for all of us in needing to increase our security hygiene—there is no silver bullet,” argues Geoff Belknap, LinkedIn’s CISO. The way to raise the security bar may not involve silver bullets, but it will involve a lot of silver, as it were. If security isn’t your company’s first priority, hacks and breaches will make it so.
One key way to ensure security remains top of mind is to ensure the CISO sits on the executive leadership team. This helps weave security into all of the company’s plans, rather than as an afterthought, as it was in the past.