New report reveals APIs and cloud applications are CISOs’ greatest threat to security readiness 


Research surveying more than 400 Chief Information Security Officers finds they are prioritizing Zero Trust and partner risk management to help mitigate critical security challenges.


June 1, 2022. Tysons Corner, VA – Just-published research, The CISOs Report: Perspectives, Challenges and Plans for 2022 and Beyond, reveals that Chief Information Security Officers (CISOs) are grappling with a wide range of risks and challenges, especially linked to accelerating utilization of technologies like cloud-based applications and the use of Application Programming Interfaces (APIs). The report is based on a survey of more than 400 Chief Information Security Officers (CISOs) working across a broad set of companies and industry sectors in the US, Canada and other select nations. 


Quickly evolving technologies, compounded by the effects of remote work, create new layers of risk

Recent shifts in the IT landscape have resulted from the dramatic escalation of remote work, cloud adoption, BYOD and changing development practices. The security impacts of those changes are reflected in where CISOs see the most need to strengthen their defenses.

CISOs rate their organization’s IT components most needing security improvement as:

  • APIs – 42%
  • Cloud applications (SaaS) – 41% 
  • Cloud infrastructure (IaaS) – 38% 

Industry use of API technology has exploded over the last few years due to the shift to component-based microservices architecture used extensively in modern applications, and the growing adoption of cloud services.  Not to be overshadowed, too, are web applications in general, which are proving to be particularly susceptible to a wide variety of client-side attacks (e.g., formjacking, Magecart). 

CISOs rate their organization’s security processes most in need of improvement as:

  • Data discovery and classification – 38% 
  • Data backup and recovery, as well as vulnerability remediation – 36% each
  • Development security operations (DevSecOps) – 35% 


CISOs are taking action on Zero Trust

While early on some were quick to relegate Zero Trust as hype, it is not. A full 96.5% of CISOs surveyed are either underway with or actively planning for a Zero Trust initiative. Only 7.5% claim to already have a robust implementation, but even those will require ongoing improvement to extend key practices to the application and data layers as cyber threats continue to evolve. Over 50% say implementing or enhancing their Zero Trust model is one of their top three priorities for the coming year.


Third-party risk pervades

While supply chains have become essential to the success of almost all businesses, CISOs see plenty of supplier and partner challenges to overcome. Third-party risk tops a long list of cyber vulnerabilities causing CISOs the most concern, rating 3.89 on a scale of 1 (lowest) to 5 (highest). This finding tracks with the escalation of supply chain security issues over the last two years. Supply chain attacks rate 3.93 out of 5 as the cyber threat that causes the most concern. Forty three percent of survey respondents indicate that better addressing partner or supplier risk is among their top three priorities for the coming year.

Given third-party concerns, 41% of CISOs plan to add or upgrade third-party security and risk management technology over the next year. Other technologies high on the shopping list include network/micro segmentation (65%), container security (57%) and security service edge (SSE) platform (55%).


About The CISOs Report

The CISOs Report is the only industry report representing solely the perspectives of the senior-most cybersecurity executives ultimately responsible for their organization’s safety. It provides unprecedented insights into the greatest challenges and opportunities they face, and allows CISOs to benchmark tactics and technologies they are pursuing to achieve their goals against those of their peers. 

Mario Memmo, Vice President, Chief Information Security Officer, Otis Elevator Company, said, “As a CISO, I am always interested in what my peers are experiencing and how they are dealing with the challenging cyber threats we face. The insights provided in this report are invaluable in getting that peer-to-peer perspective, and helping us benchmark against the best practices of others in our profession.”

The study was conducted by AimPoint Group, W2 Communications, and CISOs Connect, three organizations engrained in the cybersecurity industry, delivering CISO, business and marketing consulting services.

The CISOs Report would not be possible without the support of sponsor organizations: Accenture Federal Services; Beyond Identity; Black Kite, Feroot Security; Gigamon;; Lynx Technology Partners; Menlo Security; NetRise; SpyCloud; VMware; and Zscaler. To access the complete report, please visit: /thecisosreport/.


About the Authors

Aimpoint Group (APG) delivers high-impact marketing for the world’s leading cybersecurity solution providers. The company’s services include marketing consulting, cybersecurity research, and content creation. For more information, please visit:

CISOs Connect is an exclusive invitation-only interactive community of trusted cyber peers and subject matter experts.  Connected by common interests, this membership community allows cyber experts and CISOs to share knowledge and expertise through proprietary content, research, and analysis while exchanging information, ideas and collaborating with trusted colleagues to make informed business and technology decisions.

W2 Research, a division of W2 Communications, leverages industry analyst and research expertise to produce findings and reports that offer unique insights and inform client initiatives. W2 Communications is a digital marketing and public relations firm specializing in cybersecurity. Boasting a seasoned team of industry experts that blend technical expertise and deep sector knowledge W2 Communications has a reputation for building brands and driving leads. For more information, please visit: