CISO Challenges as Hybrid Working Leads Top Concerns
By Lucia Milică, Global Resident CISO, Proofpoint, Inc.
To say 2020 was the year of security challenges would be a vast understatement. This past year has forced chief information security officers (CISOs) to rethink just about everything we were doing, from security strategy to the viability of working from home. I’ve had numerous conversations over the past year with other CISOs about navigating this new work model, and the same questions kept popping up: Are organizations more or less secure today? How do we pull off the balancing act of supporting remote work while maintaining business continuity? How are we navigating hybrid work and executive needs?
Given the trends in my discussions, our Proofpoint team went out to CISOs to see what patterns emerged. In the 2021 Voice of the CISO Report, Proofpoint captures insights from 1,400 CISOs from around the world. Survey respondents hailed from Australia, Canada, France, Germany, Italy, Japan, Netherlands, Saudi Arabia, Singapore, Spain, Sweden, UAE, United Kingdom, and the United States. Some of what we learned is intuitive; other insights are concerning.
66% of CISOs Believe Their Organization is Not Prepared for a Major Attack
According to the report, almost two-thirds of CISO respondents feel vulnerable to a “material cyberattack” in the next 12 months. Of those, one in five feels such risk to be “very high.” Perhaps most concerning is that 66 percent of respondents feel their companies are unprepared or underprepared to weather a major attack. CISOs in the Netherlands were the most alarmed (eighty-one percent), followed closely by their counterparts in Sweden and Germany (tied at 79 percent).
The concerns are twofold. For one thing, the CISOs we heard from were concerned that in the first days of the pandemic, the rush to secure home environments often resulted in a hasty deployment of patchwork solutions. In other words, while companies were lauded for transitioning “overnight” to a working-from-home model, quality was often traded for speed. This technical debt helps explain why 69 percent of CISOs from larger companies admit the new remote reality hampers their ability to keep organizations safe. From a country standpoint, CISOs in the UAE (76 percent) and Saudi Arabia (69 percent) reported the greatest impact from working from home.
Compounding these headaches is the frequency with which employees put themselves at risk. The truth is most successful attacks cannot happen without a person. More than 90 percent of company breaches require human interaction to launch an attack, and when you combine an overnight rush to a work-from-home model (and its relative lack of network visibility) with relying on employees to do the right thing from home, CISO anxiety is understandable.
Biggest Concerns: Email Fraud (BEC) and Cloud Account Compromise
What types of attacks are CISOs losing sleep over? Among the perceived biggest cybersecurity threats for next year, CISO concern was remarkably balanced. Email fraud (business email compromise) and cloud account compromise were the top concerns at 34 and 33 percent, respectively, followed by ransomware and phishing attacks at 27 and 26 percent. In the United States, the greatest concerns are cloud account compromise (39%), followed by supply chain attacks (38%), and insider threats and cyber/physical attacks (both 37%).
The report also tells us that where a CISO physically works can shape their stress level. For instance, the percentage of CISOs who agree that their company is at risk of a major cyberattack is highest in the United Kingdom (81 percent) and Germany (79 percent). Canada (50 percent) and Singapore (44 percent) fare better.
The amount of pressure exerted on CISOs is also linked to location. Germany clearly expects much from its security leaders, with 73% of its CISOs agreeing that expectations on the CISO/CSO role are excessive, followed by the U.S. with 70% and the UAE with 67%. The CISO role seems to be a less stressful one in Singapore (37%), Australia (44%), and the Netherlands (45%). While geography plays a role, it’s not the only factor. In mid-sized organizations (500-1,000 people), just over half of CISOs report laboring under excessive expectations. That number jumps to 66 percent for companies with over 5,000 employees.
But perhaps the most interesting discovery in the 2021 Voice of the CISO is that while most CISOs are relatively anxious about their current vulnerabilities and the near future, they generally feel valued and well-funded. For the most part, organizations clearly understand the importance of security in terms of network uptime and reputational risk. The majority of global CISOs expect budgets to increase by at least 11 percent in the next two years, and 65 percent believe they will be better able to resist and recover from cyberattacks by 2022/23.
It’s clear CISOs across the globe are facing a variety of challenges and pressures as we transition from the pandemic into a new hybrid environment, no matter which nation they call home.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.