Proofpoint’s Voice of the CISO 2021 report reveals two-thirds of global CISOs feel unprepared to cope with cyber attack
58% of survey respondents consider human error their organisation's biggest cyber vulnerability as hybrid workforce presents new challenges for cyber security teams.
Proofpoint, Inc. (NASDAQ: PFPT), a leading cyber security and compliance company, has released its inaugural 2021 Voice of the CISO report, which explores key challenges facing chief information security officers (CISOs) after an unprecedented 12 months.
Sixty-six percent of CISOs feel their organisation is unprepared to handle a cyber attack and 58% consider human error to be their biggest cyber vulnerability, proving the work-from-home model necessitated by the pandemic has tested CISOs like never before.
“I believe one reason for the 'unpreparedness' is the sheer diversity of attack paths. Organisations’ employees have an increased dependency on multiple digital platforms, third-parties and remote communication to drive business value and collaboration, and cyber criminals continue to adapt to capitalise on this, finding new and innovative attack mechanisms,” says Andrew Rose, Resident CISO, EMEA at Proofpoint. “This makes it much more difficult for CISOs to anticipate where the next threat may be coming from, yet they recognise that any successful attack could be catastrophic.
“Another associated influencer is simply the lack of preparation time. The CISO role is now so broad, covering so many aspects of a modern, digital organisation, that the CISO’s attention can be spread very thin, and they can feel the pressure of excessive expectations,” continues Rose.
The survey explores three key areas: the threat risk and types of cyber attacks CISOs combat daily, the levels of employee and organisational preparedness to face them, and the impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices. It also covers the challenges CISOs face in their roles, position among the C-suite, and business expectations of their teams.
Proofpoint’s Voice of the CISO 2021 report highlights general trends as well as regional differences among the global CISO community. Key global findings include:
- CISOs are on high alert across a range of threats: Faced with a relentless attack landscape, 64% of surveyed CISOs feel at risk of suffering a material cyber attack in the next 12 months. When asked about the types of attacks they expect to face, there was no clear answer, with diverse threats such as business e-mail compromise (34%), cloud account compromise (O365 or G-suite accounts being compromised, 33%), and insider threats (31%) topping the list. Despite dominating recent headlines, supply chain attacks came in fifth with 29% and ransomware seventh with 27%.
- Organisational cyber preparedness is still a major concern: More than a year on into a pandemic that forever changed the threat landscape, 66% of CISOs feel their organisation is unprepared to cope with a targeted cyber attack in 2021. Cyber risk is also on the rise: 53% of CISOs are more concerned about the repercussions of a cyber attack in 2021 than they were in 2020.
- User awareness doesn’t always lead to behavioural change: While more than half of survey respondents believe employees understand their role in protecting their organisation from cyber threats, 58% of global CISOs still consider human error to be their organisation's biggest cyber vulnerability. Global CISOs listed purposefully leaking data (criminal insider attack) and clicking malicious links or downloading compromised files as the most likely ways employees put their business at risk.
- Long-term hybrid work environments present a new challenge for CISOs: 58% of CISOs agree that remote working has made their organisation more vulnerable to targeted cyber attacks, with three in five revealing they had seen an increase in targeted attacks in the last 12 months.
- High risk, high reward likely to be a common cyber theme over the next two years: 63% of CISOs believe cyber crime will become even more profitable for attackers, while 60% believe that it will become riskier for cyber criminals.
- CISOs will adapt their cyber security strategy to stay ahead: Overall, the majority of global CISOs expect their cyber security budget to increase by 11% or more over the next two years, and two in three (65%) believe they will be able to better resist and recover from cyber attacks by 2023. Top three priorities across the board for global CISOs over the next two years are: enhancing core security controls (35%), supporting remote working (33%), as well as security awareness (32%) and security automation (32%).
- 2020 elevated the CISO role, as well as the expectations from the business: 57% of global CISOs agree that expectations on their function are excessive. The perceived lack of support from the boardroom persists, with only 25% of global CISOs strongly agreeing that their board sees eye-to-eye with them on issues of cyber security.
“2020 was undoubtedly a very profitable year for cyber criminals and they are more emboldened than ever in their quest to harm organisations around the world. Cyber criminals are upskilling, collaborating and becoming increasingly sophisticated in executing their attacks leading to the development of new techniques to compromise the security of organisations, even with advanced protection tools in place,” said Andrew Rose, Resident CISO, EMEA at Proofpoint.
“The attack surface in organisations also grows as their dependency upon technology, cloud and third-parties increases; however, it’s people who are the main attack surface as attackers primarily target employees via phishing e-mails. Despite this, most CISOs are hopeful in their outlook for the years ahead.”
This year’s Voice of the CISO report examines global third-party survey responses from more than 1 400 CISOs at mid to large organisations across different industries globally.
To download the 2021 Voice of the CISO report, please visit: https://www.proofpoint.com/uk/resources/white-papers/voice-of-the-ciso-report. For more information on Proofpoint’s unique approach to people-centric cyber security and compliance, please visit: https://www.proofpoint.com/uk/why-proofpoint.