The threat of substantial material attacks and getting board support for their efforts are top-of-mind issues among the world's CISOs, according to a new report released by Proofpoint.
Nearly half of the 1,400 CISOs surveyed for the annual Voice of the CISO report (48 per cent) say their organisation is at risk of suffering a material cyber attack in the next 12 months. That's substantially lower than in 2021, when nearly two-thirds of the CISOs (64 per cent) expressed similar sentiments.
"That drop was a bit surprising," Proofpoint global resident CISO Lucia Milica, who supervised the survey, told CSO Online. When the pandemic hit, CISOs were scrambling to put temporary controls in place to deal with the explosion of remote workers and enable a business to operate securely, she explained.
"Over the last two years, CISOs have had time to bring in more permanent controls to support hybrid work," she added. "That's put more CISOs at ease in terms of feeling that they can protect their organisations."
Only 28 per cent of CISOs see ransomware as one of the biggest threats
Those sentiments were evident when the CISOs were asked about targeted attacks since the move to hybrid work. More than half (51 per cent) say such attacks have increased as hybrid work has increased. However, that's dropped from 2021, when 58 per cent of CISOs attributed increases in such attacks to hybrid work.
The researchers from Censuswide, which surveyed the CISOs for the Proofpoint report, also found that anxiety over a future cyberattack varied by country. Countries where the CISOs were most worried about a material cyberattack were France (80 per cent), Canada (72 per cent), and Australia (68 per cent), while those least worried included the Netherlands (28 per cent) and Saudi Arabia (27 per cent).
Chief among the threats facing their organisations, according to the CISOs, are insider threats (31 per cent), DDoS attacks (30 per cent), email fraud (30 per cent), and cloud account compromise (30 per cent). Only 28 per cent of the CISOs identified ransomware as one of the biggest threats facing their organisations, a slight increase over 2021.
"I think there's a level of comfort that a lot of security leaders have around having the right security controls in place to address ransomware," Milica said, "while with something like insider threats, there are more nuances around a program to deal with that."
Excessive expectations for CISOs
However, that level of comfort may be misplaced, according to the report. Many organisations appear unprepared for ransom demands of any size or scale, it notes, with 42 per cent of CISOs admitting their outfits do not have a ransom policy in place. Four out of ten do not have a blueprint to address a ransomware incident.
The report also found that nearly half of the CISOs (49 per cent) say that their superiors and colleagues have excessive expectations about the CISO's role in their organisations, although that's a significant drop from 2021, when 57 per cent felt burdened by excessive expectations.
Another telling discovery in the report about the CISO's role in their organisations is how they feel about the support they're getting from the boardroom. About half (51 per cent) of the CISOs say they see eye-to-eye with their boards concerning cyber security matters. That's a big drop from 2021, when 59 per cent said they and their boards were on the same page on cyber security.
"That's surprising because I felt last year there was substantial press focusing on blockbuster breaches that elevated engagement with the C-suite, yet the eye-to-eye number went down," Milica said. "I was hoping for an increase."