CISOs’ confidence in post-pandemic security landscape fades

Most CISOs have returned to the elevated concerns they experienced early in the pandemic, according to Proofpoint.

Elevated concerns among CISOs

Globally, 68% of surveyed CISOs feel at risk of a material cyber attack, compared to 48% the year before, when they may have felt a brief sense of calm after successfully navigating the chaos of the pandemic.

This year’s data represents a shift back to 2021, when nearly two thirds of CISOs believed a material attack was imminent. It’s notable that UK CISOs feel most at risk globally (84%) in 2023, compared to 60% last year and 81% in 2021.

While organizations have largely overcome the disruptions of the last two years, the effects of the Great Resignation and employee turnover continue to linger, exacerbated by the recent wave of mass layoffs. It’s interesting to see that 73% of CISOs believe they have adequate data protection in place, yet 74% of UK security leaders had to deal with the loss of sensitive information in the past 12 months.

These data loss events also follow a pattern: 84% of UK CISOs say that employees leaving the organization played a role in a data spill.

Economic downturn puts pressure on security budgets

The report discusses global trends and regional differences around three central themes: the threats and risks CISOs face daily; the impact of employees on organizations’ cyber preparedness; and the defences CISOs are building, especially as the economic downturn puts pressure on security budgets.

The survey also measures the changes in alignment between security leaders and their boards of directors, exploring how their relationship impacts security priorities.

“CISOs are no longer basking in the sense of calm that many experienced when they realised they’d made it through the pandemic unscathed. Now they’ve refocussed on cyber threats, they are less assured in their organization’s abilities to successfully defend against the current attacks,” commented Andrew Rose, Resident CISO, EMEA at Proofpoint.

“Our 2023 Voice of the CISO report reveals that amidst the rising difficulties of protecting their people and defending data, CISOs are being tested at a personal level with challenges around higher expectations, burnout, and uncertainty about personal liability. The improving relationship between security leaders and board members also gives us hope, and this partnership will enable organizations to face the new challenges with focus and certainty,” added Rose.

“Ransomware also continues to be a real problem, and despite encouragement to avoid payment, we still see significant levels of capitulation, with an alarming 75% of UK CISOs believing their organization would pay a ransom. This figure in itself is sufficient incentive to the criminals to keep doing what they are doing. CISOs need to find better ways to protect and prevent business disruption from these types of attacks, and create resilience such that the best way to respond to an attack is not to immediately reach for the cheque book,” concluded Rose.

General trends among the global CISO community

UK CISOs have returned to the elevated concerns they experienced early in the pandemic and feel more unprepared than last year: 84% of UK CISOs feel at risk of experiencing a material cyber attack in the next 12 months, compared to 60% last year and 81% in 2021. Further, 76% believe their organization is unprepared to cope with a targeted cyber attack, compared to 65% last year and 68% in 2021.

The loss of sensitive data is exacerbated by employee turnover: 74% of UK security leaders reported having to deal with a material loss of sensitive data in the past 12 months, and of those, 84% agreed that employees leaving the organization contributed to the loss. Despite those losses, 73% of UK CISOs believe they have adequate controls to protect their data.

Email fraud tops the list of the most significant threats: The top threats perceived by UK CISOs have shifted, with email fraud (business email compromise) now leading the way, followed by cloud account compromise, insider threats and smishing/vishing. Last year, DDoS attacks were the top concern, followed by malware and email fraud.

Most organizations are likely to pay a ransom if impacted by ransomware: 75% of UK CISOs believe their organization would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months. And they are relying on insurance to shift the risk—79% said they would place a cyber insurance claim to recover losses incurred in various types of attacks.

Supply chain risk is a recurring priority: 79% of UK CISOs say they have adequate controls in place to mitigate supply chain risk, a slight increase from last year’s 73%. While these protections may feel adequate for now, going forward, CISOs may feel more strapped for resources—73% say the shaky economy has negatively impacted their cybersecurity budget.

People risk is an increasing concern: There is an increase in the number of UK CISOs who view human error as their organization’s biggest cyber vulnerability—78% in this year’s survey vs. 65% in 2022 and 62% in 2021. At the same time, CISOs are growing more confident their employees understand their role in protecting the organization, with 75% holding such a view this year, compared to 68% in 2022 and 61% in 2021; this illustrates a struggle to build a strong security culture.

CISOs and boards are more in tune: 74% of UK CISOs agree their board members see eye-to-eye with them on cybersecurity issues. This is an increase from the 65% of CISOs who shared this view last year and in 2021.

Mounting CISO pressures are making the job increasingly unsustainable: 74% of UK CISOs feel they face unreasonable job expectations, a significant increase from last year’s 60%. While the return to their new reality may be one reason behind this view, CISOs’ job-related angst is a likely contributor as well—79% are concerned about personal liability and 74% say they have experienced burnout in the past 12 months.

“Security leaders must remain steadfast in protecting their people and data, a task made increasingly difficult as insiders prove themselves as a significant contributor to sensitive data loss,” said Ryan Kalember, EVP of cybersecurity strategy for Proofpoint. “If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures. Now that they have returned to elevated levels of concern, CISOs must ensure they focus on the right priorities to move their organizations toward cyber resilience.”