By Lucia Milică, Global Resident CISO, Proofpoint, Inc.
To say 2020 is the year of security challenges would be a huge understatement. The past year has forced Chief Information Security Officers (CISOs) to rethink pretty much everything we’ve done, from security strategy to the feasibility of working from home. In the past year I had numerous conversations with other CISOs about navigating this new working model, and the same questions kept coming up: Are companies more or less secure today? How do we manage the balancing act of supporting remote work while maintaining business continuity? How do we deal with hybrid work and leadership needs?
Given the trends in my discussions, our Proofpoint team went to CISOs to see what patterns had emerged. For the 2021 Voice of the CISO report, Proofpoint collected insights from 1,400 CISOs around the world. Respondents were from Australia, Canada, France, Germany, Italy, Japan, the Netherlands, Saudi Arabia, Singapore, Spain, Sweden, the United Arab Emirates, the United Kingdom and the United States. Some of what we’ve learned is intuitive; other findings are cause for concern.
66% of CISOs believe their organization is not prepared for a major attack
According to the report, nearly two-thirds of CISO respondents feel vulnerable to a “physical cyber attack” in the next 12 months. Of these, one in five perceives such a risk to be “very high”. Perhaps most worrying is that 66 percent of respondents believe their company is poorly prepared for a major attack. CISOs in the Netherlands were the most alarmed (81 percent), closely followed by their colleagues in Sweden and Germany (79 percent).
The concerns are twofold. For one thing, the CISOs we’ve spoken with were concerned that in the early days of the pandemic, the rush to secure the home environment often led to a hasty deployment of patchwork solutions. In other words, while companies have been praised for moving to the work-from-home model “overnight”, there were often trade-offs between quality and speed. This technical debt explains why 69 percent of CISOs at larger organizations admit that the new remote reality is hampering their ability to keep their organizations safe. By country, the UAE (76 percent) and Saudi Arabia (69 percent) lead the list of countries whose CISOs feel most affected by remote working.
These headaches are compounded by the frequency with which employees put themselves at risk. The truth is that most successful attacks cannot happen without a person. More than 90 percent of corporate security breaches require human interaction to launch an attack, and when you combine the overnight rush to a home-based model (and its relative lack of network visibility) with reliance on employees doing the right thing from home, the CISOs’ fear is understandable.
Top Concerns: Email Fraud (BEC) and Cloud Account Compromise
What types of attacks do CISOs lose sleep over? Among the top perceived cybersecurity threats for the next year, the CISOs’ concerns were remarkably balanced. Email fraud (business email compromise) and cloud account compromise were each cited by 34 percent, followed by ransomware and phishing attacks at 27 and 26 percent, respectively. In the United States, the top concern is cloud account compromise (39%), followed by supply chain attacks (38%), insider threats, and cyber / physical attacks (both 37%).
The report also tells us that where a CISO physically works can affect their stress levels. For example, the percentage of CISOs who agree that their company is exposed to a major cyberattack is highest in the UK (81 percent of CISOs agree) and Germany (79 percent). Canada (50 percent) and Singapore (44 percent) fare better.
The pressure on CISOs is also related to location. Germany clearly expects a lot from its security leaders: 73% of its CISOs agree that expectations of the CISO / CSO role are excessive, followed by the US with 70% and the United Arab Emirates with 67%. The role of the CISO seems to be less stressful in Singapore (37%), Australia (44%) and the Netherlands (45%). Geography does play a role, but it’s not the only factor. In medium-sized companies (500-1,000 employees), slightly more than half of CISOs say they work under expectations that are too high. For companies with more than 5,000 employees, this number rises to 66 percent.
But perhaps the most interesting discovery in the 2021 Voice of the CISO report is that while most CISOs are concerned about their current vulnerabilities and the near future, they generally feel valued and well-funded. In most cases, organizations understand the importance of security in terms of network availability and reputational risk. The majority of global CISOs expect budgets to increase by at least 11 percent over the next two years, and 65 percent believe that by 2022/23 they will be better able to withstand and recover from cyberattacks.
It is clear that CISOs around the world face a variety of challenges and pressures as they transition from the pandemic to a new hybrid environment, regardless of which nation they call their home.
The views and opinions expressed herein are those of the author and do not necessarily reflect those of Nasdaq, Inc.