As threats to networks and systems have changed, so have CISOs’ priorities. API security has grown more important now that everything is delivered as a service and hosted in the cloud. Today’s CISOs must ensure they have a plan for protecting APIs. To learn what’s most crucial when protecting APIs, we surveyed CISOs and other security specialists. Below are the insights we derived from the responses.

Results of the survey

According to Gartner research, APIs need improved security and management. This is now a top concern for CISOs. There are many aspects of API security that can be improved, but chances are you won’t succeed without a plan. This leaves us with the question: what’s most important for a CISO in API security these days?

We asked enterprise CISOs to share their opinion on the topic. We limited responses to four major categories: “Attack surface,” “Engineers and staff experts,” “API security program,” and “Trusted vendors and products.”

To explore how opinions depend on job category, we also surveyed security specialists and other IT professionals. To see how responses change across industry verticals, we invited employees working in IT and telecommunications, finance and banking, and others to vote.

During analysis, we also looked at the size and age of the business. The survey was conducted in August 2022 and got 161 votes, with 42 belonging to CISOs, 67 to cybersecurity specialists, and the rest to CEOs, DevOps and other IT specialists.

Diagram of survey results

API security program 

The leading opinion was that an API security program makes the difference. The vote varies from 49% to 44%, with the highest belonging to CISOs and the lowest to finance professionals and security specialists. It’s no surprise that this option comes out on top, as the program defines the strategy for keeping API risks in check. It also encompasses all the other areas of concern: minimizing attack surface, hiring proficient engineers, and using relevant services.

Attack surface

Next comes attack surface, with 34% of votes in the CISOs category and the lowest vote (19%) belonging to security professionals. This vote is also not a surprise. The rapid increase in API use in recent years has led to immense growth in the attack surface, and it is crucial to keep it under control. So it’s essential to know all possible attack vectors and minimize their impact. The challenge gets more complex if you have legacy APIs that you cannot drop.

Engineers and staff experts

This response comes third in all but one category of respondents: security specialists, who gave it second priority with 28% of the votes. In contrast, this option only got 12% of votes from CISOs.

Security engineers see much value in employees like themselves and believe that good professionals can significantly improve API security. Of course, there’s a point to it! You need to hire proficient staff who will plan how to secure your APIs. They also can recommend tools and strategies to protect APIs.

Trusted vendors and products

This option got 5% to 7% of votes in different groups and came last. Of course, a CISO needs to know what API security vendors and products are available. This can help you manage your API security efforts and ensure that your company’s data remains safe. However, API-focused security products and vendors are relatively new to the market, which may explain why the category occupies the last place in the survey. 

What can we learn from the results?

All the surveyed groups, including CISOs, think having an API security program is the most important point. We may see companies avidly introducing such programs shortly. Minimizing the attack surface and hiring qualified domain professionals go hand in hand with such programs.

Attack surface is slightly ahead of professionals in most categories, but the difference in votes is very small, and the situation may change over time. Adopting API security products, as it turns out, has a low priority, especially in the finance and banking sector. However, this will change in the coming years, as the adoption of such tools increases.

Infographic: Vote/Respondent’s role in business

There’s also a correlation between the company’s size and the take on the most important thing in API security. Respondents from companies with 100,000 – 500,000 employees gave no votes to security engineers.

This means they rely more on planning and software than on people. The picture changes when the company size goes lower than 100,000. “API security program” and “Engineers and staff experts” have approximately the same number of votes, which suggests that at this company size, a lot depends on individual engineers.

In companies sized from 100 to 1000, “Engineers and staff experts” got the same number of votes as “Attack surface.” In companies smaller than 100 employees, the distribution resembles that of all votes.

Infographic: Vote/Company size

We also explored the votes’ dependency on the business domain (IT/finance) and the age of the business, but the results showed little to no dependency on those parameters.


The overall vote balance reveals some differences in opinion between CISOs and security engineers. Also, in big companies, engineers may be undervalued.

If you’re looking to develop your API security program, we have some tips for you:

  • Ensure that you have the right people in place.
  • Check if there are services that can help your API security staff with work that can be automated.
