June 16, 2022
Lucia Milică, VP, Global Resident CISO, Proofpoint
While CISOs may feel more confident in their security posture emerging from the pandemic, new research suggests that doesn't mean organizations are better prepared for large-scale attacks.
Cybercrime reached heightened levels of intensity and sophistication in the past year. We saw greater complexity in ransomware, supply chain, and critical infrastructure attacks. Despite the threat escalation, CISOs feel more confident in their security posture. But does that feeling of confidence actually translate into organizations being better prepared for large-scale attacks? New research suggests that is not the case.
The "2022 Voice of the CISO" report, Proofpoint's global survey of 1,400 CISOs, found that only 48% are concerned about their organization suffering a material cyberattack in the next 12 months, a sharp drop from the previous year's 64%. This shift reveals CISOs feel more in control, even as new events such as the Great Resignation and geopolitical tensions in Europe are elevating their stress levels.
But the increased confidence of CISOs shows a disconnect with their actual preparedness — despite their greater trust in themselves, 50% acknowledge their organization is not prepared to cope with a targeted attack. This misalignment shows that CISOs have simply reached a state of relative tranquility after the disruption of the pandemic. The psychological effects of the chaos are finally wearing off.
Having met the pressure to react quickly and shore up resources to support remote work in 2020, CISOs accepted the realities of our new world of elevated cyber threats. But once the pandemic demands eased up, new, pressing issues developed — and CISOs accepted their new normal of always operating at high alert.
As CISOs moved to adapt to the new realities of their job, insider threats became their biggest concern, rising from the third spot in 2020 to the top in 2021. The increased awareness about insider threats likely played a big part in this change, especially in the life sciences sector, where vaccine research received prominent media attention. Pfizer is one example. The company filed a highly publicized lawsuit against an employee who allegedly stole trade secrets pertaining to the company's vaccines and medications.
Geopolitical tension also contributed to concerns about insider threats. Last year, for instance, the FBI warned technology companies that employees with ties to China and Russia may spy on them. And let's not forget that negligent insiders pose almost as big a threat — CISOs ranked negligent, malicious, and compromised insiders as nearly equal risks in terms of breach exposure.
Data protection is at the heart of the challenge, especially given the impact of the Great Resignation and hybrid work. Some 56% of surveyed CISOs still view human error as the biggest threat to their organization, with compromised insiders as the most likely vector. The ongoing transition, as employees continue to leave or return to the workplace, exacerbates the insider threat, making data protection an even more urgent priority.
Ransomware is another threat that received media attention last year, finally forcing C-suites to take notice of these high-profile attacks. In the past, CISOs often had to plan special strategies to gain an audience with the board. Corporate directors and top officers viewed CISOs as simply technologists, relegating cybersecurity to a mere IT problem. Today, CISOs are finally getting a seat at the table. This is an encouraging change.
With their role now elevated, CISOs are also subject to a higher level of job expectations. Only 49% feel the expectations of their role are excessive, compared with 57% in the previous year's study. This may be another indicator of the post-pandemic calm, leaving CISOs feeling less pressured yet more in control.
Unfortunately, the rise in prominence of the CISO's role does not mean that security leaders feel more supported by their organizations. There was only a slight decrease in the number of CISOs who see eye-to-eye with their boards (52% in 2021 vs. 54% in 2020).
This strain in their relationship will continue to impact the effectiveness of CISOs in making cybersecurity a strategic part of their organization's business objectives — and the survey data show the implications of this struggle. For instance, 42% of surveyed organizations still do not have a ransomware policy in place. Although this threat has been on CISOs' radar for a long time, it took the nonstop media coverage in the past year for boards and executives to finally pay attention. They are just now viewing their CISOs as risk or business strategists.
As organizations acclimate to the new ways of operating in a post-pandemic world, CISOs are ready to leave uncertainty in their rearview mirror. But is this the calm before the next storm?
With geopolitical tensions mounting in Europe and other areas of the globe, targeted attacks, insider threats, and critical infrastructure risks keep rising. While CISOs are much more confident in their cybersecurity posture, bolstering defenses remains a critical imperative.
Organizations have emerged from the pandemic as transformed workplaces, and strengthening the human perimeter is especially critical in this evolved, hybrid environment. Now that CISOs have a voice, they are in a stronger position to make the case for better organizational preparedness. Considering that people remain the biggest risk factor, making the argument for closing the gaps in the human perimeter must remain at the top of every CISO's agenda.