A new survey conducted by cybersecurity firm Proofpoint has found that many Chief Information Security Officers (CISOs) are struggling to keep pace with the growing demands and expectations placed on them in light of the pandemic. The 2023 Voice of the CISO report surveyed 1,600 CISOs worldwide and found that 61% of them felt their organisations were unprepared to deal with a targeted attack, up from 50% in 2022. Similarly, 68% of CISOs said they felt their organisation was at risk of a significant cyber attack in the next year, compared with 48% last year and 64% in 2021.
The report highlights the fact that cybersecurity teams are facing increasing demands from various sources, including the shift towards a hybrid work environment and a tightening of cybersecurity budgets following the economic downturn. This has led to CISOs feeling as if their organisations have “excessive expectations” of them, with 61% reporting this was the case in the survey, compared with 49% in 2022 and 57% in 2021. Many CISOs are facing increased duties and concerns but with fewer resources to address them.
The widespread adoption of hybrid work has expanded the boundaries of corporate data, giving threat actors more access to potential victims and adding pressure on security teams to protect that information. The pandemic also set off widespread employment losses and occupational shuffling, known as the Great Resignation, resulting in many individuals leaving their jobs and taking company as well as personal data with them. While some organisations do require written guarantees that former employees will delete accessible company data, CISOs' concerns reveal that some recent data exposure incidents are beyond their control. The survey found that 82% of CISOs believed that employees leaving their organisations contributed to data-loss events.
The survey also found that future insider-driven data exposures will be intentional and malicious. In addition, 34% of CISOs who experienced a significant data loss event in the past year said negligent insiders were to blame, while 33% attributed events to malicious or criminal insiders. Lucia Milică Stacy, resident global CISO at Proofpoint, cites the Great Resignation, as well as cybersecurity’s new role in geopolitical conflicts, as contributing factors. She believes that people are either “handing data over to a nation-state or carelessly taking data because of this constant movement plus the geopolitical tension.”
Despite the FBI’s instruction against paying threat actors, 62% of CISOs in Proofpoint’s survey expect their organisations to pay a ransom to prevent data release or remediate systems. Although the consensus among security leaders is not to pay cybercriminals, they are not the only decision-makers in the equation, and CISOs’ qualms about paying may be overridden by the business concerns of other management bodies.
One of the themes in the survey results is support. The report found that 62% of respondents believed board members should have cybersecurity expertise. While CISOs and board members need to have meaningful dialogue concerning cybersecurity strategies, the knowledge gap hinders companies from efficiently building and implementing policies. Despite the disconnect respondents described, the survey did suggest that communication between CISOs and board members had improved, with 62% of CISOs reporting that they see eye to eye with their board on cybersecurity issues in 2022, compared to 59% in 2021.
Policymakers are also working to address this gap, with the Securities and Exchange Commission proposing regulations in 2022 that require cybersecurity expertise on boards and their cybersecurity risk oversight committee for publicly traded companies. Lucia Milică Stacy believes that if this regulation becomes part of the final version, it “is going to start closing the gap into that communication piece.”