CISOs worried about material attacks, boardroom backing

CISOs are also less concerned about ransomware attacks, but many say their organizations are still not properly prepared for them.


The threat of substantial material attacks and getting board support for their efforts are top-of-mind issues among the world's CISOs, according to a new report released by Proofpoint Tuesday. Nearly half of the 1,400 CISOs surveyed for the annual Voice of the CISO report (48%) say their organization is at risk of suffering a material cyberattack in the next 12 months. That's substantially lower than 2021, when nearly two-thirds of the CISOs (64%) expressed similar sentiments.

"That drop was a bit surprising," Proofpoint Global Resident CISO Lucia Milica, who supervised the survey, tells CSO Online. When the pandemic hit, CISOs were scrambling to put temporary controls in place to deal with the explosion of remote workers and enable a business to operate securely, she explains. "Over the last two years, CISOs have had time to bring in more permanent controls to support hybrid work. That's put more CISOs at ease in terms of feeling that they can protect their organizations."

Only 28% of CISOs see ransomware as one of the biggest threats

Those sentiments were evident when the CISOs were asked about targeted attacks since the move to hybrid work. More than half (51%) say such attacks have increased as hybrid work has increased. However, that's dropped from 2021, when 58% of CISOs attributed increases in such attacks to hybrid work.

The researchers from Censuswide, which surveyed the CISOs for the Proofpoint report, also found that anxiety over a future cyberattack varied by country. Countries where the CISOs were most worried about a material cyberattack were France (80%), Canada (72%), and Australia (68%), while those least worried included the Netherlands (28%) and Saudi Arabia (27%).

Chief among the threats facing their organizations, according to the CISOs, are insider threats (31%), DDoS attacks (30%), email fraud (30%), and cloud account compromise (30%). Only 28% of the CISOs identified ransomware as one of the biggest threats facing their organizations, a slight increase over 2021.

"I think there's a level of comfort that a lot of security leaders have around having the right security controls in place to address ransomware," Milica says, "while with something like insider threats, there are more nuances around a program to deal with that."

Excessive expectations for CISOs

However, that level of comfort may be misplaced, according to the report. Many organizations appear unprepared for ransom demands of any size or scale, it notes, with 42% of CISOs admitting their outfits do not have a ransom policy in place. Four out of ten do not have a blueprint to address a ransomware incident.

The report also found that nearly half of the CISOs (49%) say that their superiors and colleagues have excessive expectations about the CISO's role in their organizations, although that's a significant drop from 2021, when 57% felt burdened by excessive expectations.

Another telling discovery in the report about the CISO's role in their organizations is how they feel about the support they're getting from the boardroom. About half (51%) of the CISOs say they see eye-to-eye with their boards concerning cybersecurity matters. That's a big drop from 2021 when 59% said they and their boards were on the same page on cybersecurity.

"That's surprising because I felt last year there was substantial press focusing on blockbuster breaches that elevated engagement with the C-suite, yet the eye-to-eye number went down," Milica says. "I was hoping for an increase."

Copyright © 2022 IDG Communications, Inc.
