Key points:
- A survey of CISOs reveals growing unease around the potential of cyberattacks becoming a reality
- Employee turnover, email fraud, and ransomware worries top the list of CISO concerns
Most chief information security officers (CISOs) have returned to the elevated concerns they experienced early in the pandemic, according to the Voice of the CISO report, an annual report from cybersecurity and compliance company Proofpoint, Inc.
Sixty-eight percent of surveyed CISOs feel at risk of a material cyberattack, compared to 48 percent the year before, when they may have felt a brief sense of calm after adapting to the chaos of the pandemic, according to the report, which explores key challenges, expectations and priorities of CISOs.
This year’s data is a shift back to 2021, when 64 percent of CISOs believed a material attack was imminent. Likewise, sentiments about preparedness levels have reversed: 61 percent feel unprepared to cope with a targeted cyberattack, showing a marked increase over last year’s 50 percent and a close return to 2021’s 66 percent.
While organizations have largely overcome the disruptions of the last two years, the effects of the Great Resignation and employee turnover continue to linger, exacerbated by the recent wave of mass layoffs—82 percent of CISOs say that employees leaving the organization played a role in a data loss event. Even though 63 percent of security leaders had to deal with the loss of sensitive information in the past 12 months, 60 percent believe they have adequate data protection in place.
The 2023 Voice of the CISO report examines global third-party survey responses from more than 1,600 CISOs at mid-to-large size organizations across different industries. Throughout the course of Q1 2023, 100 CISOs were interviewed in each market across 16 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, KSA, Australia, Japan, Singapore, South Korea, and Brazil.
The report discusses global trends and regional differences around three central themes: the threats and risks CISOs face daily; the impact of employees on organizations’ cyber preparedness; and the defenses CISOs are building, especially as the economic downturn puts pressure on security budgets. The survey also measures the changes in alignment between security leaders and their boards of directors, exploring how their relationship impacts security priorities.
Key global findings include:
- CISOs have returned to the elevated concerns and feelings of unpreparedness they experienced early in the pandemic: Sixty-eight percent feel at risk of experiencing a material cyber attack in the next 12 months, compared to 48 percent last year and 64 percent in 2021. Further, 61 percent believe their organization is unprepared to cope with a targeted cyber attack, compared to 50 percent last year and 66 percent in 2021.
- The loss of sensitive data is exacerbated by employee turnover: Sixty-three percent of security leaders reported having to deal with a material loss of sensitive data in the past 12 months and of those, 82 percent agreed that employees leaving the organization contributed to the loss. Despite those losses, 60 percent of CISOs believe they have adequate controls to protect their data.
- Email fraud tops the list of the most significant threats: While the top threats perceived by CISOs are almost the same as last year, email fraud (business email compromise) moved from the fourth spot to the top, followed closely by insider threats, cloud account compromise and DDoS attacks.
- Most organizations are likely to pay a ransom if impacted by ransomware: Sixty-two percent of CISOs believe their organization would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months. And they are increasingly relying on insurance to shift the risk—61 percent said they would place a cyber insurance claim to recover losses incurred in various types of attacks.
- Supply chain risk is a recurring priority: Sixty-four percent of CISOs say they have adequate controls in place to mitigate supply chain risk, a slight increase from last year’s 59 percent. While these protections may feel adequate for now, going forward, CISOs may feel more strapped for resources—58 percent say the shaky economy has negatively impacted their cybersecurity budget.
- People risk remains a prominent concern: There is a slight uptick in the number of CISOs who view human error as their organization’s biggest cyber vulnerability—60 percent in this year’s survey vs. 56 percent in 2022 and 58 percent in 2021. Also consistent with previous years, 61 percent of CISOs believe that employees understand their role in protecting the organization, compared to 60 percent in 2022 and 58 percent in 2021; this lack of significant progress indicates a struggle to build a strong security culture.
- CISOs and boards are more in tune: Sixty-two percent of CISOs agree their board members see eye-to-eye with them on cybersecurity issues. The board-CISO relationship has improved: up from 51 percent last year and 59 percent in 2021.
- Mounting CISO pressures are making the job increasingly unsustainable: Sixty-one percent of CISOs feel they face unreasonable job expectations, a significant increase from last year’s 49 percent. While the return to their new reality may be one reason behind this view, CISOs’ job-related angst is a likely contributor as well—62 percent are concerned about personal liability and 60 percent say they have experienced burnout in the past 12 months.
“Many CISOs no longer feel the sense of calm they may have briefly experienced, when they were upbeat after conquering the chaos wreaked by the pandemic. Back to ‘business as usual’, they are less assured in their organization’s abilities to defend against cyber risk,” said Lucia Milică Stacy, global resident CISO at Proofpoint. “Our 2023 Voice of the CISO report reveals that amidst the rising difficulties of protecting their people and defending data, CISOs are being tested at a personal level with higher expectations, burnout, and uncertainty about personal liability. The improving relationship between security leaders and board members gives us hope, however, and this partnership will enable organizations to overcome the new challenges they face this year and beyond.”
“Security leaders must remain steadfast in protecting their people and data, a task made increasingly difficult as insiders prove themselves as a significant contributor to sensitive data loss,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint. “If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures. Now that they have returned to elevated levels of concern, CISOs must ensure they focus on the right priorities to move their organizations toward cyber resilience.”
This press release originally appeared online.