Just like waiting for the bus, three pieces of European-focused research I authored have published over the last few days. I have looked at three topics: that of European cyber regulations, European CISO budgetary trends in 2021, and finally the career paths of CISOs at major UK FTSE 100 organizations. What becomes apparent from working on these pieces of research is that European CISOs are shifting how they spend on security in response to the COVID-19 pandemic and are having to adopt to a raft of new proposed EU cyber regulations. Here are some key messages I took from the research reports:

  • European leaders shift new spending to cloud-based security services. One of the key trends that I have seen very strongly in my client inquiries has been the aggressive shift not only to the cloud, but also rapidly increasing interest in delivering security controls from the cloud. European security leaders no longer wish to be burdened with the complexity involved with managing on-premises infrastructure. Ninety percent of security leaders we surveyed are planning to maintain or increase the amount they spend on securing the cloud and delivery of security controls from the cloud. This represents a big shift from prior models, and growing interest in Zero Trust security models in Europe makes me confident that this trend will continue. Watching how this correlates with the increasing trend of European data sovereignty will be fascinating, given the heavy dependence of Europe on non-European vendors to secure their enterprises.
  • Proposed EU cyber regulations hint at a model for cyber regulations that start to up the ante. The EU has recently announced bold proposals for reforming the Network Information Systems Directive (NISD). With more consistent penalties, more prescriptive security measures mandated, and a broader scope for capturing companies than the existing directives, this has caused some concerns with my clients this year that have hitherto not been impacted. Along with bold proposals from the proposed Digital Markets and Digital Services Acts, the EU is moving into bold territory with the proposed regulations regarding impacts on cybersecurity. If these regulations pass, it will set the marker for bold cybersecurity regulation for the wider world to take notice of, particularly the US.
  • UK security leaders have less time to make their mark on their organization than in the US. In the first of a series of reports I’m writing looking at the career path and experiences of CISOs in Europe, we have completed our analysis of career paths taken by UK FTSE 100 CISOs and compared these to the analysis of the Fortune 500 in the US undertaken by my colleagues Jeff Pollard and Melissa Bongarzone. There are some fascinating results: First, UK CISOs have a much shorter tenure than we see in our US client base, lasting 31 months on average compared to just over 4 years for US-based CISOs. However, and not surprisingly, CISO diversity is also dire, with only 9% female CISOs in FTSE 100 companies. As an industry we can and must do better.

Looking further into 2021, I will be researching the topic of European data sovereignty and GAIA-X with my colleagues Paul Miller and Tracy Woo, releasing further research on Zero Trust adoption in Europe, and continuing my coverage of European services-focused research.

For Forrester clients, you can access my reports “Forrester Infographic: European Security Budgets In 2021,” “EU Cybersecurity Regulations Scanner, 2021,” and “UK CISO Security Career Paths” here.