A new report has revealed that chief information security officers (CISOs) are feeling more at risk and less prepared to cope with cyberattacks compared to last year. The 2023 Voice of the CISO survey conducted by Proofpoint, which included responses from 1,600 CISOs worldwide, found that 68% of respondents believe they are at risk of experiencing a significant cyberattack in the next 12 months. This marks a significant increase from last year’s 48% and a return to the levels seen in 2021, when 64% of CISOs felt at risk.
The report also highlighted that 61% of surveyed security leaders feel that their organizations are unprepared to handle targeted cyberattacks, up from 50% in 2022 (the figure stood at 66% in 2021). Several factors lie behind these elevated concerns. The cybersecurity landscape in 2022 was marked by devastating ransomware attacks that affected organizations and even crippled entire nations. Additionally, geopolitical tensions escalated, with Russia conducting attacks on US airports and Chinese nation-state actors targeting telecoms. These events, coupled with the economic downturn, have put security leaders on edge and may have contributed to their declining confidence in their organization’s security posture.
However, another possible reason for the CISOs’ increased concerns is the anomaly of the pandemic. When the world was grappling with the challenges brought on by remote operations, security leaders experienced a brief period of calm. Though the volume of cyberattacks did not decrease, CISOs felt that their organizations were less at risk. However, with the return to normal operations, it is likely that the post-pandemic security metrics appeared less reassuring, causing CISOs’ optimism to wear off.
Moreover, the report shed light on the growing pressures faced by CISOs, rendering their job increasingly unsustainable. Last year’s high-profile Uber case, which resulted in probation for the company’s former chief security officer, raised concerns about personal liability among CISOs. The survey revealed that 62% of CISOs are worried about personal liability, exacerbated by the fact that 60% of them have experienced burnout in the past 12 months. Additionally, 61% of CISOs feel that their job expectations are unreasonable, marking a significant increase from the previous year’s 49%. This, combined with the ongoing cybersecurity talent shortage and recent waves of layoffs, creates additional strain on CISOs and makes their role more challenging.
To address these challenges, CISOs need support from their board of directors more than ever. The report shows a positive trend of improved CISO-board relationships, with 62% of CISOs reporting that they see eye-to-eye with their board on cybersecurity issues. This upward trajectory over the past three years is encouraging and can contribute to better decision-making and resource allocation in cybersecurity.
Data protection also emerged as a top priority for CISOs, with 63% reporting dealing with a material loss of sensitive data in the past year. Employee turnover, exacerbated by the Great Resignation phenomenon, has contributed to this data loss, with 82% of CISOs attributing it to employees leaving the organization. Furthermore, though 60% of CISOs believe they have adequate controls in place to protect data, their lack of confidence in their overall security posture raises concerns about the effectiveness of these controls, especially with increasing layoffs across various sectors.
Supply chain security is another area of concern, with nearly two-thirds of CISOs stating that they have appropriate controls in place to mitigate supply chain risk. However, protecting complex and interconnected supply chains presents significant challenges, and the industry has struggled to find effective solutions. The rise in supply chain attacks using malicious components further highlights the importance of addressing supply chain security as a matter of national security.
Ultimately, the challenges faced by CISOs have wider implications for the business as a whole. Regulatory scrutiny, supply chain attacks, and data breaches all impact investor, consumer, and employee confidence in an enterprise. Therefore, it is crucial for CISOs and boards to view security risk as business risk and understand the implications of systemic risk within their organization. While solving complex cybersecurity problems requires a collective effort from the industry, it is up to CISOs to lead the conversation and ensure that the necessary measures are taken to protect their organizations.
