Chief Information Security Officers are feeling less confident than ever about cyber-risk and data security this year, according to a survey conducted by Ponemon Institute in late 2017.
As today’s climate of high-profile data breaches continues, 67% of respondents believe their companies are more likely to fall victim to a cyberattack or data breach in 2018. And, 60% are more concerned about a data breach from a third party, such as a partner or vendor.
Surprisingly, the top security threat on CISOs’ minds isn’t technology, hackers or even malware but the human factor, with 70% of CISOs calling “lack of competent in-house staff” their number one concern and 65% stating “inadequate inhouse expertise” as the top reason they are likely to have a data breach.
Respondents also believe it’s highly likely they’ll experience credential theft due to a careless employee falling for a phishing scam – a 65% chance – even more likely than a malware attack, a data breach or a cyberattack.
Other key factors singled out as likely reasons for data breaches include the inability to protect sensitive and confidential data from unauthorized access (59%); inability to keep up with the sophistication of the attackers (56%); and failure to control third parties’ use of sensitive data (51%.)
Disruptive technologies are also a concern, with IoT devices considered the most challenging to secure (60% of respondents), followed by mobile (54%) and cloud (50%.)
Despite the risks, less than half believe their IT security budgets will go up.
Not surprisingly, all this stress is taking a toll. 69% of respondents anticipate their roles will be even more stressful in 2018 and 45% fear job loss in the event of a data breach.
On the positive side, more than a third do see a path to a stronger cybersecurity posture, and half say their Boards are becoming more involved in IT security, providing more internal support. Top areas CISOs identified that could drive improvement included cyber-intelligence, staffing and leadership – underscoring once again the importance of humans to information security – as well as technology improvements.
Dov Goldman, VP, Innovation & Alliances of Opus, said, “Once again, we find that people – not just third parties – are the weak link in information security. Smart companies can’t prevent all data breaches, but implementing solid risk management programs supported by good governance, training, proven frameworks and robust technology will go a long way to reducing risk and alleviating CISO stress.”
Mr. Goldman recommended several best practices, including evaluating the security and privacy practices of all vendors and third parties; creating an inventory of all third parties; and improving security posture using ongoing monitoring.
Dr. Larry Ponemon commented, “It’s not an easy time to be a CISO – there’s a lot of pain obvious in these survey results. Data breaches and cyber-attacks continue to plague organizations and the responsibility of protecting sensitive data stops with the CISO. It’s critical that companies support CISOs and reduce risk by implementing standard processes, including policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability.”