CISOs say ransomware is the least concerning threat to enterprises



Despite the massive global investment in cybersecurity in 2021 (totaling nearly $72.5 billion) the year still proved to be one of the most challenging periods for CISOs as high-profile cyberattacks increased significantly. According to the Allianz Risk Barometer, 2022 won’t be different, with cyberattacks becoming the number one global business risk for the second time in the survey’s history. 

To understand the mindset of cybersecurity professionals, Proofpoint recently released its Voice of the CISO report for 2022, which surveyed 1,400 CISOs worldwide. Proofpoint says it created the annual Voice of the CISO report to provide insights that would prepare C-suite executives and technical decision-makers for cybersecurity-related incidents.

The report assesses third-party responses from CISOs at medium to large-sized companies across different industries globally. The 14 countries included in this survey (Canada, France, Italy, U.S., U.K., Spain, Australia, Netherlands, Japan, KSA, Sweden, Germany, UAE and Singapore) provide Proofpoint with both a multinational and a regional perspective. Results from the survey revealed, among other findings, that nearly two-thirds of global CISOs are unprepared to cope with a cyberattack.

In its 2021 survey, 64% of global respondents felt their organizations were at risk of suffering a material cyberattack in the next 12 months. However, the 2022 survey revealed a significant decrease in that statistic, as only 45% agreed with that possibility. Surviving two years of unmatched disruptions in the cybersecurity space has undoubtedly made CISOs feel more confident in their cybersecurity posture.


The need for more cybersecurity awareness training

While more CISOs now have increased trust in their cybersecurity architecture, some challenges persist. The pandemic has ushered in new ways of working, with a Gartner report pointing to hybrid work and the great resignation as major ways work has changed. However, many CISOs agree that protecting the data resulting from these two changes is a new top challenge.

Fifty-one percent of the respondents in Proofpoint’s survey revealed an increase in attacks in the last 12 months and pointed to compromised insider attacks as the probable cause. The survey showed that 67% of respondents considered negligent insiders and compromised insiders to be the major causes of data loss in their organizations. 

[Figure: CISO survey responses to "In what way do you think your employees are most likely to cause data breaches?" Source: Proofpoint]

Although the respondents admitted employees are becoming increasingly aware of cybersecurity issues, 60% believe these employees still don’t understand their role in protecting their organizations from cyberthreats.

Given that employees sometimes give attackers access to sensitive data unintentionally, 56% of global CISOs confessed to human error being their organization’s biggest vulnerability. Jackie Wiles, content marketing director at Gartner, proposed in an article that one way to remedy this is to train more cybersecurity-savvy employees. Only half of these CISOs agree with Wiles, as the survey revealed only 50% of the respondents have facilitated an increase in cybersecurity training in their respective organizations in the last year.

Apart from investing in cybersecurity training for employees, 50% of the respondents said investing in information protection is a top organizational priority for the next two years. 

[Figure: Percentage of CISOs, by country, who agree that human error is their organization's biggest vulnerability. Source: Proofpoint]

Ransomware headlines are driving CISOs’ cyber preparations

Increasing familiarity with post-pandemic work environments has also caused some security leaders to feel more prepared for a cyberattack, with 50% of global CISOs feeling unprepared for a cyberattack, down from 66% in 2021. Surprisingly, most CISOs couldn’t agree on which were the most significant cyberthreats facing their organizations.

Topping the list at 31% were all forms of insider threats, followed closely by distributed denial-of-service (DDoS) attacks, business email compromise and cloud account compromise at 30% each. Surprisingly, ransomware, at 28%, was the threat the respondents acknowledged least. This is particularly odd, since Statista reported global ransomware attacks peaked at 68.5% in 2021 and a Proofpoint report showed 78% of global businesses were hit with ransomware in 2021.

What the responses revealed, however, is that these highly publicized ransomware headlines were driving real cyberattack prevention actions among the C-suite. While more than 60% of the respondents were channeling their company’s resources into preventing ransomware, 58% have purchased cyber insurance and 42% say they have done nothing at all.

[Figure: Percentage of respondents, by country, who feel their organization is focused on preventing ransomware attacks. Source: Proofpoint]

Pressure on the C-suite continues

Forty-nine percent of security leaders who participated in Proofpoint’s survey said excessive role expectations from organizational boards have put them under intense pressure — so much so that only 21% of the respondents have managed to get their organization’s board to be on the same wavelength with them in matters of cybersecurity.

However, this appears to show less pressure than last year, when 57% said the same. When asked to identify the top three board concerns, most CISOs identified significant downtime, disruption to operations and impact on business valuation.

[Figure: Board cybersecurity concerns by country. Source: Proofpoint]

“With rising geopolitical tensions and increasing people-focused attacks,” said Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, “the same gaps of user awareness, preparation and prevention must be plugged before the cybersecurity seas grow rough once more.”


Originally appeared on: TheSpuzz
