A global study of 1,400 CISOs shows how they have dealt with COVID-19 and their plans for 2022 and 2023. […]
The effects of the pandemic have put humanity and the global economy to a great test. At the same time, business is flourishing in the shadow world: cybercrime is on the rise. Many companies around the world are concerned that they remain vulnerable to cyber attacks, despite the measures taken so far. These are the results of a worldwide survey of around 1,400 CISOs by Proofpoint, which was published in the “Voice of the CISO 2021 Report”. It also describes how security officials responded during the pandemic and their plans for the next two years.
About two-thirds (64 percent) of CISOs suspect that their company will be affected by a major cyber attack within the next twelve months. Of these, one in five considers this risk to be high. However, there are large regional differences:
- CISOs in the UK (81 percent) and Germany (79 percent) are most concerned about experiencing an attack.
- CISOs in Singapore (44 percent), Canada and Spain (50 percent each) are least concerned.
The CISOs of the retail sector are particularly exposed: eight out of ten (83 percent) rate the risk of a cyber attack on their company as likely – the highest value among all surveyed industries.
Remarkably, 66 percent of CISOs assume that their organization is not prepared to fend off a cyber attack. The Dutch (81 percent) feel the least prepared, followed by Germany and Sweden (79 percent). Hastily rolled-out remote environments, extensive working from home, the impact of the global pandemic and the rise of cybercrime are the main reasons for this concern.
This is best reflected in the conviction of the majority of CISOs that, while they have done their best to strengthen the cyber resilience of their organizations, their confidence in these measures and their general peace of mind have decreased compared to 2020. More than half of CISOs are now more concerned about the consequences of a cyber attack than they were last year. A quarter of them (25 percent) strongly agree with this statement. CISOs see the biggest cyber threats in compromised business emails (34 percent) and compromised cloud accounts (33 percent), followed by insider threats (31 percent) and distributed denial of service (DDoS) attacks (30 percent).
A majority of CISOs (58 percent) say that human error is their company’s biggest vulnerability. As a result, automation and machine learning gain more weight in the security architecture.
But human error is not the only source of security problems. Nearly two-thirds of CISOs have less confidence in their organization’s ability to detect a cyber attack or data breach. As a result, they feel both unprepared and ill-equipped to deal with the modern threat landscape.
Many CISOs feel that they lack the support of the board. Less than two-thirds of CISOs surveyed worldwide said they agreed with their board’s approach to cybersecurity. 57 percent of them said that the expectations placed on their role are excessive.
59 percent of global CISOs say that their reporting line hinders the effectiveness of their work. This view is most prevalent in the technology sector, where three-quarters of CISOs hold it. In the public sector, the problem is less pressing; there, only 38 percent perceive their reporting line as a burden.
The apparent distance between them and the executive floor makes many CISOs feel they cannot do their job in the best way possible. Almost half do not believe that their company will enable them to succeed. Even more striking: 24 percent of CISOs fully agree with this statement.
CISOs’ ability to strike the right balance between agility and security will be even more important in the future. Now that more companies know what remote work entails in terms of cost savings and flexibility, it is likely that more companies will adopt hybrid working models. But CISOs will have to convince their boards that the pragmatism of last year is not enough in the long run, or that it entails risks. The reasons are clear: a full 69 percent of CISOs from large companies (5,000+ employees) reported that their workplace was targeted more often after the introduction of remote work. Among the most affected industries are IT, technology and telecommunications (69 percent). The explanation is straightforward: greater dependence on networks and on the availability and integrity of IT means greater vulnerability to cyber attacks.
This explains why 63 percent of CISOs believe that cybercrime will be even more lucrative in the next two years and that those who become victims could face even greater consequences. Approximately the same percentage of CISOs suspect that fines for security breaches will increase in 2022 and 2023.
Although many CISOs say they struggled to maintain organizational security over the past year, most are hopeful that things will improve in the coming years. Yet they continue to feel the pressure of unrealistic expectations. More support from the boardroom and oversight of cybersecurity at board level would help reduce this pressure.
Two out of three (65 percent) CISOs worldwide believe that by 2022/2023 they will be better able to combat and recover from cyber attacks if they are equipped with the appropriate resources and strategies. This optimism is more pronounced in some industries than in others:
- About three-quarters (74 percent) of retail CISOs are confident that they will be in a better security position by 2023.
- CISOs in transportation and media (56 percent) are less confident.
- CISOs in France are the most pessimistic; only 25 percent of them are optimistic about their organization’s medium-term security situation.
- CISOs in the United Arab Emirates (77 percent), Germany (76 percent) and the United States (73 percent) either strongly or reasonably agree that companies will be better able to fight back and recover within two years.
Sixty-four percent of CISOs surveyed predict that public awareness of cybersecurity risks will increase.
* Marc Wilczek is the author of numerous articles on the topics of digital transformation, cloud computing, big data and security. He is currently Managing Director of the IT security provider Link11. In addition to management stations in the Deutsche Telekom Group and CompuGroup Medical, he previously headed the Asia business of IT security expert Sophos as Managing Director.