Report reveals that two-thirds of CISOs feel unprepared to cope with a cyber attack
- Published: Monday, 17 May 2021 07:53
Proofpoint has released its inaugural 2021 Voice of the CISO report, which explores key challenges facing chief information security officers (CISOs) after an unprecedented twelve months. According to the report, 66 percent of CISOs globally feel their organization is unprepared to handle a cyber attack.
This year’s Voice of the CISO report examines global third-party survey responses from more than 1,400 CISOs at mid- to large-size organizations across different industries. Throughout the course of Q1 2021, one hundred CISOs were interviewed in each market across 14 countries: the US, Canada, UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, KSA, Australia, Japan, and Singapore.
The survey explores three key areas: the threat risk and types of cyber attacks CISOs combat daily, the levels of employee and organizational preparedness to face them, and the impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices. It also covers the challenges CISOs face in their roles, position amongst the C-suite, and business expectations of their teams.
Key findings include:
CISOs are on high alert across a range of threats: faced with a relentless attack landscape, 64 percent of surveyed CISOs feel at risk of suffering a material cyber attack in the next 12 months. When asked about the types of attacks they expect to face, there was no clear answer, with diverse threats such as business email compromise (34 percent), cloud account compromise (O365 or G Suite accounts being compromised, 33 percent), and insider threats (31 percent) topping the list. Despite dominating recent headlines, supply chain attacks came in fifth with 29 percent and ransomware seventh with 27 percent.
Organizational cyber preparedness is still a major concern: more than a year into a pandemic that changed the threat landscape, 66 percent of CISOs feel that their organization is unprepared to cope with a targeted cyber attack in 2021. Cyber risk is also on the rise: 53 percent of CISOs are more concerned about the repercussions of a cyber attack in 2021 than they were in 2020.
User awareness doesn’t always lead to behavioral change: while more than half of survey respondents believe employees understand their role in protecting their organization from cyber threats, 58 percent of global CISOs still consider human error to be their organization's biggest cyber vulnerability. Global CISOs listed purposefully leaking data (criminal insider attack) and clicking malicious links or downloading compromised files as the most likely ways employees put their business at risk.
Long term hybrid work environments present a new challenge for CISOs: 58 percent of CISOs agree that remote working has made their organization more vulnerable to targeted cyber attacks, with three in five revealing they had seen an increase in targeted attacks in the last 12 months.
High risk, high reward likely to be a common cyber theme over the next two years: 63 percent of CISOs believe that cybercrime will become even more profitable for attackers, while 60 percent believe that it will become riskier for cybercriminals.
CISOs will adapt their cyber security strategy to stay ahead: overall, the majority of global CISOs expect their cyber security budget to increase by 11 percent or more over the next two years, and two in three (65 percent) believe they will be able to better resist and recover from cyber attacks by 2023. The top three priorities across the board for global CISOs over the next two years are enhancing core security controls (35 percent), supporting remote working (33 percent), as well as security awareness (32 percent) and security automation (32 percent).
2020 elevated the CISO role, as well as the expectations from the business: 57 percent of global CISOs agree that expectations on their function are excessive. The perceived lack of support from the boardroom persists with only 25 percent of global CISOs strongly agreeing that their board see eye-to-eye with them on issues of cyber security.