According to a new survey of 1,600 chief information security officers from around the world by cybersecurity company Proofpoint, 68% of respondents feel their organization is at risk of being attacked in the next 12 months, with 25% of them rating that risk as very likely. The year before, only 48% believed a cyberattack would hit them within the next year.
Geographically speaking, the most concerned CISOs are located in the U.K. (84%), Germany (83%) and Singapore (80%), with the U.S. being at 73%. Regarding the business verticals, CISOs in retail (77%), manufacturing (76%) and finance (71%) feel the most concerned about cyberattacks.
Top cybersecurity threats ranked by CISOs
CISOs consider business email compromise the biggest threat to their organizations (33%) for the next 12 months (Figure A). This kind of fraud generated adjusted losses of about $2.4 billion in 2021, according to the FBI’s Internet Crime Complaint Center.
Insider threat, which was considered the biggest risk for CISOs last year, comes in just after the BEC threat (30%). These insider threats could be negligent, accidental or criminal.
Cloud-account compromise and distributed denial-of-service attacks are major concerns for 29% of the CISOs.
Supply chain attacks, ransomware attacks, and smishing and vishing attacks all appear at the same rate of 27%. Supply chain attacks have become larger and more complex, and protecting these opaque networks has become more difficult than ever. Yet, 64% of the CISOs believe they are sufficiently armed to mitigate the supply chain risk.
When it comes to the ransomware threat, CISOs are increasingly open to paying ransoms to cybercriminals (62%) to restore systems or prevent the release of data. This statistic is not surprising because the World Economic Forum reported in 2022 that 71% of organizations have cyber insurance, and 61% of CISOs said they would file a claim on cyber insurance policies to recover losses incurred.
Yet, most CISOs (62%) think their organization is able to detect and remove a ransomware threat actor using stolen or compromised credentials before any material damage occurs. According to Proofpoint, that confidence is likely misplaced, as endpoint detection and response technologies do not alert customers when compromised credentials are used.
When it comes to cyber vulnerabilities, 60% of the CISOs surveyed consider human errors as the biggest risk, which is consistent with studies from the two preceding years.
Sixty-one percent of the CISOs believe their employees understand their role in protecting their organization against cyberthreats, with 25% strongly agreeing. Those numbers have not changed over the last two years, suggesting “little progress in building a culture of security awareness,” according to Proofpoint.
Awareness vs. preparedness
Proofpoint noted a concerning disconnect between the awareness of potential cyberattacks hitting companies and their preparedness, as 61% of the CISOs agree that their organization is unprepared to deal with a targeted cyberattack.
A Proofpoint survey of board members done last year indicated that just 47% of them believed they were unprepared for targeted cyberattacks. Proofpoint believes that CISOs have “a better read of security posture and understanding of the threat landscape,” and that the board-level optimism is likely based on an incomplete picture of the current situation.
CISOs’ highest priorities for the next two years
Largely unchanged from last year, CISOs’ priorities for the next two years focus on innovation such as DevSecOps or product development (39%), consolidation (37%) and outsourcing security controls to security operations centers, managed security service providers and the like (35%) (Figure B).
The global economic downturn affects these CISO priorities. Many organizations are reducing cybersecurity budgets while leaving their CISOs with the same objectives. More than half of the CISOs (58%) mentioned that recent economic events have negatively affected their cybersecurity budget, with public sector and IT being the most impacted.
CISOs’ positive relationships with their boards
With the increasing influence of the CISO role, there are more frequent interactions at the board level. Sixty-two percent of CISOs agree that their board sees eye to eye with them on cybersecurity issues.
Regarding data loss, CISOs believe their boards’ greatest concerns are reputational damage (36%), impact on business valuation (36%) and loss of current customers (36%), while the real-world impacts they report are operational downtime and data recovery (38%), financial loss (33%) and regulatory sanctions (33%). Many of these concerns are interlinked, though, as operational downtime can lead to reputational damage, loss of customers and business devaluation.
Sixty-two percent of the CISOs believe cybersecurity expertise should be a board-level requirement. This view is notable given that the U.S. Securities and Exchange Commission has proposed requiring publicly traded companies to disclose whether a board member has cybersecurity expertise.
Stressful work with a high rate of burnout
The sudden introduction of remote and hybrid work in companies has brought more pressure, and 61% of the CISOs agree they now face excessive expectations. That number grew from 49% in 2022 and 57% in 2021.
This pressure is compounded by the fact that, for many companies, cybersecurity budgets are being reduced due to the global economic downturn.
The question of personal liability is also a concern for 62% of the CISOs. Sixty-one percent of those say they would not join an organization that did not offer directors and officers insurance or similar coverage to protect them.
In these conditions, it is no wonder that 60% of the surveyed CISOs say they have experienced burnout in the past 12 months.
CISO and board communication to drive cybersecurity
The last several years have been especially difficult, followed by a long period of transition before arriving at a new normal. For many organizations, this new normal has to be handled with reduced cybersecurity budgets due to the global economic downturn.
On the bright side, CISOs have more visibility with their boards, and communication between those groups has become more fluid. This closer relationship between CISOs and their board members will no doubt benefit cybersecurity.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.