2020 was a year filled with unexpected, intense and nearly constant disruption, and it has left organizations across the globe feeling vulnerable.
Most chief information security officers (CISOs) are bracing themselves for the prospect of responding to significant attacks this year. They don’t know which attacks they’ll face or who will be orchestrating them, but they’re confident they will come—and likely, soon. Nearly two-thirds of the more than 1,400 CISOs worldwide whom we surveyed for the Proofpoint 2021 Voice of the CISO Report said they believe their organization is at risk of suffering a material cyberattack in the next 12 months.
A more significant finding, perhaps, is that 66% of CISOs don’t believe their organization is prepared to cope with an attack. According to our research, many CISOs feel their business isn’t ready to meet the challenge of an attack because they don’t know which type of threat is most likely to strike first. That said, CISOs in our survey identified three threats they’re particularly concerned about: Business Email Compromise (BEC), cloud account compromise and insider threats.
CISOs worry about human vulnerability and inadequate technical protections
Our research for the 2021 Voice of the CISO Report also found that most CISOs are confident that the employees in their organization understand the role they play in helping to protect the business against cyber threats. Yet most CISOs also pointed to human error as their organization’s greatest cyber vulnerability. Taken together, those findings suggest CISOs recognize that many end users are not adequately skilled or equipped to assist the business effectively with cyber defense, and could benefit from training.
One top concern many CISOs have about humans’ role in undermining cybersecurity is the potential for intentional foul play. Forty-two percent of CISOs surveyed said they believe the purposeful leaking of data or IP is the biggest threat employees pose to an organization. Negligent threats also rank high on the list, with 41% of CISOs reporting that they fear users will click on malicious links or download compromised files. And 40% of CISOs told us they worry about employees being deceived by phishing emails, using unauthorized apps and practicing poor password hygiene.
Many CISOs also see their organization’s current technical protections as inadequate. Less than two-thirds of respondents to the 2021 Voice of the CISO Report said they were confident their organization would be able to detect a cyberattack or data breach. For many CISOs, a major reason for that lack of confidence is the “patchwork” approach to implementing cybersecurity defenses that their organization has pursued in recent years. The rapid shift to remote work in 2020 only underscored the need for many businesses to look critically at the state of their technical protections and make strategic improvements.
However, many CISOs see a downside to strengthening defenses: 61% said they believe that increasing security to the level required to protect the organization in the modern threat landscape will negatively impact business performance and agility. Only 1% of CISOs strongly disagreed that increased security affects agility.
Many CISOs anticipate a budget boost for enhancing defenses
While many CISOs acknowledge that keeping their organization secure in 2020 was a struggle, most are hopeful in their outlook for the near term. Two in three CISOs worldwide (65%) said they believe their organization will be better able to resist and recover from cyberattacks by 2022 or 2023.
According to our survey, CISOs look to help their business strengthen overall cybersecurity by focusing on four key areas:
- Enhancing security controls
- Supporting remote work
- Improving security automation
- Increasing security awareness
Most CISOs also appear confident that they’ll have more resources to devote to improving their organization’s cyber defenses: the majority of respondents to our survey said they expect cybersecurity budgets to increase by at least 11% over the next two years.
Most CISOs also expect public awareness of cybersecurity risks to increase in the future. Additionally, many anticipate that cybersecurity regulations will become more specific and less outcome-based. Tighter, more manageable regulation, increased user awareness and more robust technical controls should all help to increase organizational security — and hopefully, ease some of the pressure on CISOs and their cybersecurity teams in the years to come.
Read our full report for more insight
For additional findings from our recent survey of CISOs around the world, download your free copy of the 2021 Voice of the CISO Report from Proofpoint. In the report, you’ll see survey results for specific countries and industries. You’ll also learn about CISOs’ expectations for cybersecurity in an environment where long-term hybrid working is the norm. Plus, you’ll get insight into the challenges and expectations today’s CISOs face, as well as what these security leaders find most satisfying about their role.