Cracks in the wall: Enterprise cybersecurity reset (Part 1)
In this two-part series on cybersecurity, Avataar’s Nishant Rao, Shobhit Gupta, and Gulshan Dhanani explore what’s broken, what’s shifting, and what’s next in enterprise cybersecurity.
Cybersecurity has quietly become one of the most consequential functions in the modern enterprise. As digital infrastructure expands and threats multiply, the promise of “being secure” has never been more urgent – or more elusive.
The past few years have made one thing clear: the old cybersecurity playbook is failing. Despite the billions spent on tools, headcount, and compliance, enterprises continue to be breached, paralyzed, and outpaced. CISOs are firefighting more than they’re forward-planning. Engineers are overwhelmed. Boards are worried. AI is now both the target and the adversary (and hopefully an antidote too – as we’ll see).
This isn’t necessarily a technology problem but a systems failure. And a reset is underway.
In this two-part series, we’ll explore what’s broken, what’s shifting, and what’s next in enterprise cybersecurity. We’re bullish about this reset and believe a new era of companies will usher in a fundamentally different approach to enterprise security (more on that in Part 2).
This first part is about what’s breaking. Or more accurately, what has already broken. Let’s dive into the cracks.
How did we get here?
Enterprise IT infrastructure has constantly evolved – from on-prem servers to cloud, from firewall-guarded office laptops to remote-first and mobile-first devices, from software built in-house to SaaS, from databases sized in gigabytes (GBs) to petabytes (PBs).
But for decades, cybersecurity was seen as a cost center – an operational obligation driven by regulation rather than proactive risk management. Standards like ISO, SOC 2, and HIPAA pushed security into enterprises through compliance audits, not board priorities.
This led to several core issues:
- IT owners found it easier to buy point solutions as their infrastructure evolved – our conversations with select enterprise CISOs reveal an average of 50-70 tools per enterprise (20% YoY increase over the past two years). Each tool came with its own agent, criticality index, telemetry, and dashboard.
- App owners treated security as tech debt to be bolted on later, not a business-critical design principle. This created friction between engineering velocity and risk posture. Fifty percent of IT professionals say security is an afterthought in the application delivery chain, and 67% of application developers have shipped code with known vulnerabilities (surveys from Splunk, Cisco, SecureCode, etc.).
- Cost consciousness pushed security buyers to focus only on “crown jewels” (databases, core infra, customer records). But little attention was paid to the edges: SaaS apps, third parties, and development environments. Guess what happened – nearly 30% of cyber attacks today are via third-party applications.
Cyber attacks are costlier than ever
According to PurpleSec, a global cybersecurity services provider, the average cost of a single ransomware attack was north of $5M in 2024, up ~3x in the last 5 years. And attacks are varied – see below a sample of some of the most widely reported breaches:

We haven’t even gotten to the threats AI could create – we will talk about those in the next part. But they are not insignificant – according to PwC, 52% of CISOs expect GenAI to lead to catastrophic cyber-attacks in the next 12 months.
Cybersecurity is a boardroom topic now
The financial, operational, and reputational impact is massive. Boards that once saw cybersecurity as IT’s problem now view it as a direct threat to business continuity, reputation, and growth.
Regulators have already become very aggressive in curbing these breaches with:
- The US SEC requires reporting of “material” cyber incidents within 4 business days (Jun 2023) and disclosure of the cyber risk mitigation strategy in 10-Ks.
- The EU’s NIS2 directive (late 2024) has further shortened that timeline, requiring incident reporting within 24 hours, with hefty penalties of 2% of global turnover for failing to meet these disclosure requirements.
- New acts such as DORA (for financial institutions in the EU), enforced from Jan 2025, and the EU AI Act, adopted in May 2024, are also pushing for clearly identified cyber risk management programs.
Boards are responding to this positively:
- Splunk’s 2023 survey of 350 security leaders (CISOs) found that 78% of organizations now have a dedicated board-level cybersecurity committee.
- Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026.
- Gartner also predicts that 30% of large organizations will have publicly shared ESG goals focused on cybersecurity by 2026, up from less than 2% in 2021.
CISOs have the limelight – but aren’t fully equipped
- Blind spots abound: There is no unified asset inventory, and even cross-tool visibility is limited. Our own conversations with Fortune 1000 CISOs have revealed asset visibility ranging between 60-75%.
- Risk communication is technical, not business-oriented: Boards expect to see dollar risk burned down against dollars invested in cybersecurity, not vague indicators like patch completion %.
- Alert fatigue is rampant: Hundreds of daily signals, little context, and too few analysts to make sense of them. One wouldn’t know whether a “red” on one tool is more critical than a “critical” on a second tool or a “catastrophic” on a third.
- Snapshot-first vs. real-time posture: Even the most forward-looking CISOs who engaged consultants for cyber audits are limited by dipstick / point-in-time analyses with “risk ratings” that are not fully actionable.
- Finally, burnout is real: The average CISO tenure of 18 months is shorter than that of other C-suite execs (48 months). Moreover, nearly two-thirds of CISOs plan to exit their roles within two years. This gap only intensifies down the pyramid – BCG estimates a shortage of 2.8 million cybersecurity professionals globally (2024 Cybersecurity Workforce Report - BCG).
Thus, the current enterprise security technology landscape – reactive and point-in-time as it is – was never built for the world we operate in today. It can’t keep up with cloud-native infrastructure, hyper-connected APIs, AI-driven attackers, and a boardroom that now wants real-time answers, not static reports.
A reset is well overdue.
In Part 2 of this series, we’ll dive into where security leaders are placing their bets – and where founders are building:
- From reactive tools to real-time, risk-aware platforms
- From security bolted on to secure-by-design
- From rules-based products to AI-first platforms
- From human-heavy SOC teams to AI-enabled autonomous SOC
If you’re a founder building in this space – or a buyer rethinking your stack – we’d love to hear from you.
You can reach out to us at:
Nishant: nishant@avataar.vc
Shobhit: shobhit@avataar.vc
Gulshan: gulshan@avataar.vc