Cybersecurity

Perspectives 2023

A Macro Look at How

Enterprise Security Is Evolving
Table of Contents
Section 1 : Introduction 3

Section 2 : Key Findings 4

Section 3 : Where the Threats Are 5

Section 4 : How Enterprises Are Responding 7

Section 5 : Resource Gaps: People, Technology & Budget 9

Section 6 : Market Opportunities 15

Section 7 : Where the Funding Is 17

Section 8 : Conclusion 19

Section 9 : Footnotes & Methodology 20

 SECTION 1

Introduction
CISOs, security analysts, and their teams have been navigating rising security incidents, talent
shortages, and the increasing sophistication of attacks over the last several years.

Meanwhile, geopolitical tensions are high, with a weakening social fabric, disinformation, and
economic anxiety.1 All of these factors translate into heightened on-the-ground pressures.

To help CISOs strengthen their footing, Scale Venture Partners conducts ongoing research to
understand the challenges CISOs are facing and how solutions are evolving. Now in its 10th year,
this year’s report consolidates perspectives from CISOs, CIOs, VPs, directors, and IT managers.

Our research found that cybersecurity protections that were effective against cyber threats in
2022 have lost efficacy due to new attack mechanisms.

The overarching theme is a drop in efficiency despite an

increase in effort, with even more challenges in 2024.

Identity access management (IAM) also increased in importance for security leaders, as
enterprises continue the journey to the cloud and employees login to multiple cloud services
beyond the traditional perimeter. This urgency reflects an increase in attacks, as adversaries used
valid accounts to gain initial access in 43% of cloud intrusions last year, according to CrowdStrike.2

Security leaders ranked IAM as their 2nd top priority in

this year’s survey, rising dramatically from 8th last year.

Persistent talent shortages also create bottlenecks for security leaders to focus on beyond alerts
and tools. As a result, security leaders are turning to automation — and AI in particular — to
strengthen their security postures.

Despite these measures, security programs are struggling with resource constraints. Even though
enterprise security leaders increased their budgets for emerging security solutions by 18% in 2023,
this number was down from a 27% increase from the year prior.

Keep reading for a closer, more nuanced view of these dynamics.

* Note: Unless specifically documented, all data sources are from Scale Venture Partners’ primary survey research.
 SECTION 2

Key Findings

Enterprises Are Experiencing More Security Incidents

71% of organizations experienced three or more types of security
incidents, a 51% increase from last year’s survey. Although successful
ransomware attacks and data breach attempts fell by 30%, 34% of firms
suffered software supply chain compromises.

CISOs Struggle With Not Enough People; Too Many Alerts & Tools
83% of firms are enforcing existing security policies more strictly to address
these issues. People issues were 4 of the Top 10 unaddressed challenges,
including the cybersecurity skills gap (2nd), employee threats (4th), remote
work (7th), and employee training (8th).

AI/ML Presents Opportunities and Threats for Security Teams

79% of executives believe AI/ML will be “important” or “extremely
important” to improve their security posture by 2024. 68% were also
worried that employees would upload sensitive data to ChatGPT and
49% that threat actors would poison AI/ML models.

Security Budgets Remained Resilient

Security budgets increased 20% on average at large enterprises, while
only 5% at mid-sized enterprises. Data, cloud, and application security
were the top spending priorities. Budgets for emerging security solutions
increased by 18% overall this year, down from a 27% increase last year.

Cloud and Software Security Solutions Perceived as Market Gaps

Security leaders reported a 45%+ delta between “satisfaction” and
“importance” for cloud application and CI/CD security solutions, with 33%
building in-house cloud application security solutions, 4% software supply
chain security, and 2% CI/CD security.

4
 SECTION 3

Where the Threats Are

Cloud Service and Third-Party Attacks Remain the Most Common Security Incidents

Cloud service attacks were the most common, Two new incident types were included in the
with 50% of organizations reporting at least 2023 survey: compromise through a software
one incident over the last 12 months. More supply chain vulnerability and attack/
cloud services were compromised due to an compromise of an AI model.
attack against a third party (43% this year
versus 37% last year). Software supply chain compromises were the
4th most frequently occurring attack for 34%
There was a 58% increase in the number of of firms, while 20% of companies faced an AI
firms compromised by phishing attacks that model attack or compromise incident within
resulted in stolen employee credentials. the last 12 months.

What security incidents occurred at your organization over the last 12 months?

50% 43% 41% 34%

Cloud service Compromised Phishing attack Compromised
attacked by attack on compromised by software
3rd party credentials supply chain
vulnerability

31% 30% 26% 25%

Misconfigured Employee Fined for Ransomware
cloud access stole our data privacy encrypted
rights led to information non-compliance our data
data breach

5
W H E RE T H E T H RE A TS A RE SECTION 3

Ransomware Attacks and Data Breaches Declined

Ransomware attacks and data breaches both declined over

the past 12 months — from 37% each during last year’s survey
period to 25% and 22% respectively — which is consistent with

30%
other research on the volume of attacks in 2022, according to
Verizon.3

Despite the reported decrease, both threat types topped the list decline in ransomware
of trends that will drive cybersecurity strategy over the next 12 attacks and data
months, as ransomware attacks are on the rise again in 2023, breach attempts from
according to IBM Security.4 prior survey period.

Organizations Experienced More Types of Security Incidents

71% of organizations experienced three or more types of security 71%

incidents during this year’s survey period, compared with 48% for
the same range of incidents in the prior year, a 51% increase year-
over-year. Only 8% experienced one type of cyber incident, down Experienced
significantly from 19% of companies in the previous year. The number three or more types
of firms with two security incidents also dropped, from 30% to 17%. of cyber incidents

How many security incidents occurred at your company in 2022? 2021 2022

30% 30%
27%
24%
19%
17%

11%
8% 7%
7%
3% 3% 5% 5%
2% 1%

0 1 2 3 4 5 6 7

6
 SECTION 4

How Enterprises Are Responding

Network, IAM and Cloud are the Top 3 Cybersecurity Spending Priorities for 2023

Network security and cloud infrastructure security remain top three spending priorities for enterprise
security leaders. Identity and access management (IAM) leapt from 8th place to 2nd place this year,
which mirrors increasing market concerns around identity security in a multi-cloud world. External
attack surface management moved up one place while security automation returned to the top 10 list
of priorities after dropping off last year. No emerging technologies joined the list this year.

What are your top investment priorities for cybersecurity technologies and strategies?

7
H OW E N T E RPRIS ES A RE RES P O N D I N G SECTION 4

Security Strategies Driven By Ransomware

84% 69%
Despite a reported 30% industry-wide decline,
84% of security leaders reported that
ransomware attacks would have the biggest Ransomware Third-party
impact on their overall cybersecurity strategy attacks data breaches
over the next 12 months.

Enterprises were also concerned about third-party

data breaches (69%), the cybersecurity skills gap 69% 67%
(69%), and the increased cost of cybersecurity
insurance (67%). These trends were followed
closely by the weaponization of AI and machine
Cybersecurity Cybersecurity
learning (ML) for use in cyberattacks (65%). skills gap insurance

Security Leaders Are Prioritizing Stricter Enforcement of Existing Policies

83% of firms intended to enforce existing security policies more strictly this year to address their
security challenges, while 63% of organizations sought greater visibility and transparency into the
state of security. Improving insight into the software supply chain was aso a high priority for security
leaders (60%) as well as protecting AI/ML models and data pipelines (57%). There was a nearly 20%
year-over-year increase in the number of firms that decided to consolidate security vendors. The
importance of expanding accountability for security across the business dropped from 64% in 2021
to 54% this year, followed by re-organizing security teams at 53%.

Which are your top strategic priorities over the next 12 months? 2022 2023

Enforce existing security policies more strictly Leveraging more security tools that use AI/ML
72% 61%
83% 63%
Enhance security metrics and reporting Reducing the number of security vendors we use
66% 52%
64% 62%
Provide greater visibility into security posture Using tools to automate security processes
59% 64%
63% 62%

8
 SECTION 5

Resource Gaps: People

Cybersecurity Talent Remains Scarce What are the biggest barriers to

achieve your security posture?
Enterprise security leaders are still
struggling to attract, hire, and retain skilled Not enough security personnel
cybersecurity professionals to respond to 42%
57%
ongoing cyberattacks and recent threats.
Too many alerts and false positives
34%
In fact, 57% of firms indicated the biggest 53%
barrier to achieving their desired security Too many cybersecurity tools deployed
posture was not enough security personnel, 32%
up 42% from last year’s survey period. 47%
Complex legacy data center infrastructure
Security teams are also facing other 39%
45%
barriers, including too many alerts, too
Insufficient budget
many false positives, and too many tools to 37% 2022
achieve their desired security posture. 44% 2023

Cloud Security Roles Difficult to Fill How much of an impact is the

cybersecurity skills shortage having
Sixty percent of security leaders considered on your ability to hire and retain the
cloud security the most difficult role to fill, following types of cybersecurity staff?
with network security (56%) and application
60%
security roles (55%) not far behind. 53% 55% 56%
49%

Talent shortages for these key roles may

be a source of concern for security leaders
who rated network security (71%) and cloud
infrastructure security (70.6%) as their two IT AI/ML App Network Cloud
security security security security security
most important security strategies. roles roles roles roles roles

9
RES O U RC E GA P S : PE O PL E SECTION 5

Security Leaders Want Tools to Amplify Cybersecurity Talent

Over the next 12 months, security leaders are seeking to implement

strategies to improve the effectiveness of their limited cybersecurity
teams. 63% of companies reported an interest in leveraging security
tools with AI and Machine Learning capabilities, while 62% were
interested in tools to automate manual security processes to identify, C-Suite
contain and remediate the most urgent cybersecurity threats.
Support:

63% 62% 44%

74%
of security leaders
believed their C-suite
understands the
Leverage more Use tools Too much manual business impact of
security tools that to automate labor associated security
use AI/ML security processes with security

People Issues Were 4 of the Top 10 Unaddressed Challenges

Security leaders were given an opportunity to respond to an open-

ended question about their single, greatest unaddressed challenge.
Unsurprisingly, four of the top 10 challenges related to persistent
people issues, including the cybersecurity skills gap (2nd), employee
threats (4th), remote work (7th), and employee training (8th).
Malicious
Insiders:
Unaddressed Challenges in Security Leaders’ Own Words

Cybersecurity skills gap

Employee threats
“Lack of skilled labor to prevent issues.”

“Employees unaware of cyber risks.”

66%
of security leaders
Remote work “Protecting remote workers.” believed their security
protections were
ineffective against
Employee training “Lack of security training for employees.” malicious insiders

10
 SECTION 5

Resource Gaps: Technology

Cybersecurity Protections Are Losing Efficacy Against Common Cyber Attacks

Cybersecurity protections that were Compared to last year’s survey, security

effective against cyber threats in the prior leaders reported a drop in the effectiveness
survey period have lost efficacy — as threat of cybersecurity protections against several
actors unleashed new attacks, unsettled types of cyber attacks. The most extreme
AI/ML data models, and discovered new decline related to the exploitation of
attack mechanisms. Only 48% of security unpatched vulnerabilities, which fell from 53%
leaders indicated their cybersecurity last year to 44% this year. Additional declines
defenses were effective against common in protection between last year and this year
security threats. Threat actors haven’t were from malware / advanced persistent
stood still over the past year and security threats, ransomware, supply chain threats
leaders can’t afford to do so either. and targeted phishing attacks.

How “effective” or “extremely effective” are your current cybersecurity protections?

Effectiveness Declined: Effectiveness Increased: 2022

2023
Exploitation of unpatched vulnerabilities Nation-state attacks
53% 33%
44% 44%
Malware/advanced persistent threats General phishing attacks
55% 47%
48% 55%
Ransomware Negligence by employees/insiders
55% 40%
48% 46%
Supply chain threats Breach of sensitive information
52% 47%
47% 49%
Targeted phishing attacks Non-compliance with data privacy regulations
53% 50%
50% 52%

11
 RES O U RC E GA P S : T E C H N O LO GY SECTION 5

The Rise of AI/ML is a Potential Blessing and a Curse for Security Leaders

Four out of five security leaders indicated 62% of firms were worried about governing
that AI and Machine Learning would be AI/ML models and 52% about observing
“important” or “extremely important” by and monitoring both malicious and non-
2024, up from one in five two years ago. malicious AI model drift.

In regards to the use of AI/ML, 63% were Less than 50% of companies were
concerned about the risk of employees concerned about the risk of AI/ML models
uploading confidential company being poisoned by threat actors, despite
documents to services like ChatGPT. more potential damage to the organization.

79% 63% 49% 45%

Believe AI/ML is important Concerned employees Concerned poisoned Concerned poisoned

to improve their security will expose sensitive data AI/ML models will AI/ML models will
posture by 2024 to ChatGPT circumvent security alter business decisions

Security Leaders Need More Tools, Want Less Vendors

88% of security leaders intended to deploy more security

88%
want to deploy
tools over the next 12 months, up from 64% in the previous more security tools
year. On average, organizations allocated budget for four over the next 12 months
new tools. However, 37% of firms were unable to find the right
cybersecurity solutions in the market to address their needs. +4
Average # of new tools
Although security leaders wanted more tools, 62% indicated they budgeted for this year

+9
were interested in consolidating security vendors. This disparity
could indicate a desire to deploy integrated software platforms.
The number of organizations that wanted fewer security tools Average # of new tools
over the next 12 months fell from 29% last year to 15% this year. preferred to deploy

12
 SECTION 5

Resource Gaps: Budget

Security Spending at Large Enterprises Increased, while Mid-Size Spending Grew Less

Despite inflationary and recessionary fears, Data, application, cloud and endpoint
cybersecurity budgets at large enterprises security were the top spending categories
(more than 1,000 employees) remained in 2023, each representing 10% of security
resilient in early 2023, with a 22% year- budgets. Budgets for security awareness
over-year increase. Mid-sized enterprises training, endpoint security, and identity
(500-999 employees) saw a small 5% management increased the most between
increase, falling sharply from 51% budget 2022 and 2023. AI/ML security and software
growth last year. However, some CISOs are supply chain security debuted on this year’s
preparing for belt-tightening measures, survey with 6% and 5% of security budgets
greater scrutiny over spending decisions respectively. Security budgets per employee
and longer decision-making timeframes, averaged $3,653 this year, up 20% from
according to The Wall Street Journal.5 $3,033 per employee last year.

What is your total budget and category allocations for security solutions in 2023?

$4,440
Software
supply chain Other ( 1% )
$3,653
Security Data security $3,200
awareness training $3,033
$2,744
Application $2,523
AI/ML 5% 10% security
6%
security
6% 10%
Cloud
Identity 8% security
management 10%

8%
Information 10%
security 9%
9% 9% Endpoint
security 2022 2023 2023 (Ideal)
Network
security Disaster
recovery
Infrastructure Mean budget Median budget
security per employee per employee

13
RES O U RC E GA P S : B U D G E T SECTION 5

Budgets for Emerging Security Solutions Increased By Less

Enterprises continue to invest in emerging security solutions to

address perceived weaknesses in the available solutions from leading
vendors. Security leaders increased budgets for new, innovative, and Mid-sized Enterprises
experimental security solutions by 18% this year, although this was (500-999 employees)
down from a 27% increase last year. In dollar terms, the budget for
new solutions from emerging cybersecurity founders increased from

5%
$321 to $457 per employee on average across companies of all sizes.

Year-over-Year
Budget Growth

11% 13% 18%

$75K-$9M
Budget Range
Percentage Percentage Year-over-Year
of 2022 total budget of 2023 total budget budget growth
for emerging solutions for emerging solutions for emerging solutions

CISOs Would Spend More on Security Awareness Training

8

If ideal security budgets for 2023 were approved, security leaders

would have gained 46% more budget, compared to the 20% year-
over-year gain above approved budget levels. Enterprises would have
requested more budget for security awareness training, infrastructure
Large Enterprises
security, and cloud security and less budget for disaster recovery,
(1,000+ employees)
network security, and AI/ML security.

More Budget is Ideal for 2023

Security awareness training (+12%)
Less Budget is Ideal for 2023
Disaster recovery (-8%)
22%
Year-over-Year
Budget Growth
Infrastructure security (+8%) Network security (-6%)
Cloud security (+7%) AI/ML security (-6%)
Identity management (+5%) Software supply chain security (-5%) $100K-$100M
Budget Range
Information security (+3%) Endpoint security (-4%)

14
 SECTION 6

Market Opportunities

Cloud Application and CI/CD Security Solutions Perceived as Biggest Market Gaps

Security leaders reported gaps between The biggest market gaps were reported in
the “importance” of and “satisfaction” cloud application and CI/CD security, with
with commercially-available cybersecurity a 45%+ delta between satisfaction and
solutions. Network security (75%), identity importance. With only one-third of security
and access management (73%), and cloud leaders satisfied with these two commercially-
infrastructure security (69%) were ranked available solutions, founders may have an
the most important security tools. Security opportunity to build better tools. Of the firms
leaders were least satisfied with AI/ML intending to build in-house, 34% would build
model security (34%), CI/CD security (35%), cloud application security solutions, while only
and cloud application security (36%) tools. 2% would build CI/CD security solutions.

Current “importance” vs. “satisfaction” for commercially-available cybersecurity tools:

Network security Security automation technologies

75% 64%
52% 46%
Identity and access management (IAM) Data center / server security
73% 64%
53% 49%
Cloud infrastructure security Data loss protection (DLP)
69% 64%
44% 43%
Cloud application security Zero-trust network access
68% 64%
36% 48%
Data privacy CI/CD security
68% 64%
44% 35%
External attack surface management Endpoint security
66% 62%
48% 44%

15
M A RKE T O PP O RT U N I T I ES SECTION 6

Large Enterprises Intend to Build In-House Solutions to Address Market Gaps

43% of organizations intend to build in-house security solutions this year, compared with 39% last
year. Of those companies, large enterprises with more than 1,000 employees were more likely
to build in-house (83% this year vs. 57% last year) than mid-sized firms with 500 to 999 employees
(17% this year vs. 43% last year). Threat intelligence (36%) and network security (35%) remained in
the top three focus areas this year, while endpoint security (38%) displaced cloud infrastructure
security as the top in-house development priority this year.

In what areas are you planning to build an in-house solution over the next 12 months?

38% 36% 35% 34%

Endpoint Threat Network Identity & access
security intelligence security management

34% 33% 31% 28%

Cloud application Data center/ Data API
security server security privacy security

27% 20% 16% 16%

Insider Security Zero-trust Cloud infra-
risk analytics automation network access structure security

Security Automation Needed to Make Constrained Security Teams More Effective

82% of security leaders sought security automation tools to help contain and mitigate malware, as
well as identify misconfigurations in cloud services. Another 76% of firms expressed a need to stop
data privacy leaks, provision identities and access rights for new employees, and configure new
cloud services securely. Security automation efforts were also driven by continued cloud attacks,
difficulty in hiring cloud security professionals, and the desire for greater cloud security protections.

16
 SECTION 7

Where the Funding Is: $17.5B

Global cybersecurity
VC deal activity in 2022

Cybersecurity Funding Declined 32% From Last Year’s Peak

Global security $8.4B
investment by
After breaking all-time cybersecurity funding records in 2021, the funding stage
pace of investment decreased last year, amidst rising interest rates,
$4.4B
industry-wide layoffs, and fears of recession. Overall deal value
declined 26.5% in 2022, with cybersecurity companies finishing the
year with $17.5B, down from $25.6B during the prior year, according $1B
to Pitchbook.6 Despite the reduction, cybersecurity investment
remained 75% higher than the $10B raised in 2020, and up more than
800% over the last decade from the $1.9B invested in 2012. Angel Early Late
& seed stage stage

Funding Rounds, Deal Volume, and Exits Remained Down

Deal count declined 14% year-over-year, dropping from 890 deals in

2021 to 769 deals in 2022, driven by fewer early-stage deals closing -26.5%
than late-stage deals, according to Pitchbook.7 In fact, cybersecurity Year-over-Year
deal flow dropped the past four quarters, with only $2.4B invested in 2022 Funding
in Q4 2022, according to Crunchbase.8 Exit values also reached their
lowest levels in six years at $2B in 2022, falling from the industry’s Angel Early
all-time peak at $29.4B in 2021, and even dropping below the $2.4B & seed stage
( 6% ) (Series
in exit value the industry saw in 2016. A & B)
21%
25%
Angel, Seed, and Early-Stage Funding Actually Increased
48%
Although overall cybersecurity funding decreased last year, late-stage
(Series C and D) and venture growth (Series E+) were responsible for Venture Late
the biggest decline, while angel, seed, and early-stage (Series A and B) growth stage
(Series (Series
investment increased. Angel and seed funding grew 43% year-over- E, etc.) C & D)
year, increasing from $700M to $1B last year and doubling from 3% to
6% of overall cybersecurity funding. Early-stage deal value also went
up 12% last year, growing from $4B in 2021 to $4.4B in 2022, rising (Source: Pitchbook
from 16% to 25% of all cybersecurity funding. Emerging Tech Research)

17
W H E RE T H E F U N D I N G IS SECTION 7

Application Security Grew 34%+ Year-Over-Year in Angel, Seed & Early-Stage Funding

Application security was the only category Early-stage funding decreased in all but two
that experienced funding growth across categories last year, with application security
angel, seed, and early-stage rounds last year, and security operations at or near $1B in total
with more than 34% growth in 2022. funding, nearly double all other categories.

Although identity access management Application security software funding

companies received a staggering 156% more increased from $739M in 2021 to $1B in 2022,
angel and seed funding last year, from $54M while investment in security operations tools
in 2021 to $138M in 2022, early-stage funding increased by 8% since 2021, up from $916M in
for the category dropped 58% overall. 2021 to $992M in 2022.

Data security funding at the angel and seed Network and endpoint security companies
stage also grew 34%, up from $161M in 2021 fared worse, competing for a smaller pool of
to $215M in 2022, with declines elsewhere. angel, seed, and early-stage funding last year.

Angel/seed: YoY % Early-stage (Series A & B): YoY %

Application $169M $739M

security $226M +34% $1B +35%
Data $161M $665M
security $215M +34% $533M -20%
Endpoint $80M $573M
security $122M +35% $135M -76%
Identity $54M $520M
& access $138M +156% $219M -58%
Network $107M $443M
security $52M -53% $407M -8%
Security $183M $916M
operations $115M -37% $992M +8%
2021 2022 (Source: Pitchbook Emerging Tech Research)

18
 SECTION 8

Conclusion
Given the findings from this year’s survey, a question we’re thinking about at Scale is how to
support the next generation of emerging enterprise security startups.

Funding is down, which means every dollar matters to

early-stage companies and founders more than ever.

With an investing focus at the application and security layers, particularly with respect to AI/ML
solutions, we’re paying close attention to solutions that address data integrity, role provisions,
and models of production. We’re also looking at compliance-driven approaches, particularly with
respect to AI explainability and governance, as we anticipate that more enterprises will be defining
their security frameworks at the data layer.

What past years teach us, however, is that new attack

vectors will continue to pop up.

While automating certain security practices to ensure better and more consistent coverage is a
good first step, however, the industry may be looking at short-lived solutions without the necessary
human capital to think strategically and problem-solve in the year ahead. We’ll know more in 2024.
 SSECTION
E C T I O N 94

Footnotes
1. Edelman, 2023 Edelman Trust Barometer: 5. Kim S. Nash, Cybersecurity Budgets Aren’t
Navigating a Polarized World, January 2023 Untouchable, The Wall Street Journal, May
2023
2. CrowdStrike, 2023 Cloud Risk Report:
The Rise of the Cloud-Conscious Adversary, 6, 7. Pitchbook, Emerging Tech Research:
February 2023 Q4 2022 Information Security Report:
VC trends and emerging opportunities,
3. Verizon, 2023 Data Breach Investigation January 2022
Report, June 2023
8. Chris Metinko, Cybersecurity Funding
4. IBM Security, Cost of a Data Breach Continues Slide In Q3, Crunchbase News,
Report 2022, July 2022 October 2022

Methodology
Scale Venture Partners commissioned Everclear Marketing and Osterman Research to conduct a
survey of 300 security leaders in the United States who are responsible for buying decisions, the
success of security deployments, or the overall security of the company. The web-based survey was
fielded May 9-13, 2023, focused on the 12 months prior and 12 months upcoming, with a +/- 2.21%
margin of error.

You can view Scale’s past Cybersecurity Perspectives reports here:

2022 | 2021 | 2020 | 2019 | 2018 | 2017
scalevp.com