The unprecedented disruption and chaos of the COVID-19 pandemic has faded over the past year, and security leaders around the world are growing more confident about their cybersecurity posture. But in much of the Asia-Pacific (APAC) region, CISOs remain very concerned about preparedness.
Proofpoint surveyed over 1,400 CISOs globally for our 2022 Voice of the CISO report. We found that APAC security leaders’ feelings differ greatly from their peers in other regions. Globally, 48% of surveyed CISOs are concerned about their organisation suffering a material cyberattack in the next 12 months. Australian and Singaporean CISOs were among the most worried—68% and 64%, respectively, expressed that concern. In Japan, on the other hand, that number is only 38%.
A variety of factors, ranging from the regulatory environment to cultural differences, likely impact this rift in sentiment. But regardless of what side of the spectrum CISOs are on, organisational preparedness remains a key concern for all. Given ongoing challenges such as geopolitical tension and a skilled worker shortage, getting a handle on security posture and controls remains a priority for APAC organisations.
Top challenges: The Great Resignation, insider threats
The Great Resignation, with its perpetual employee transition, has created extreme pressure for security teams to protect company data. Often, employees feel personal ownership over the data they create, and when they leave their company, they take that data with them to gain a competitive advantage in their new roles. While sensitive data leakage is always a risk for companies, the combination of The Great Resignation and hybrid workplaces makes data protection an incredibly difficult problem.
In Australia, 68% of surveyed CISOs say the increase in the employee transition makes data protection a greater challenge. Fifty-five percent of their peers in Japan and 48% in Singapore agree. That means people are an even bigger vulnerability for organisations than in the past. With perceived risks, insider threat rose to the top last year. Globally, 31% of CISOs ranked insiders as the biggest threat to their organisation, but the number is even higher in Japan (39%) and Australia (36%).
Insider threat doesn’t come only from malicious employees stealing data. Negligence plays a role as well, particularly in the hybrid environment, where the lack of physical boundaries between work and home has left many employees complacent. Adding to the insider risk is the fact that malicious actors have shifted their tactics to target employees rather than technology. Attackers do not hack in, they log in. Not surprisingly, 66% of Australian CISOs and 50% of Japanese CISOs report seeing an increase in targeted attacks.
Elevated cybersecurity maturity impacts Australian CISOs’ views
Australian CISOs stood out in our report for several reasons. Not only are they much more worried about a material cyberattack (68% vs. 48% globally), but they also think their organisation is less prepared to cope with a targeted attack (77% vs. 66% globally). On the surface, this appears worrisome, but this is likely a reflection of the cyber maturity of Australian CISOs combined with Australia being in pandemic lockdown for a considerable period.
Consider the current regulatory landscape in Australia. Mandatory data breach notifications under Australian privacy laws have shed light on cyberattack prevalence for several years. The recent amendments to the security of critical infrastructure laws—including the classification of more sectors as critical—have kept cybersecurity top of mind. CISOs in financial services are more acutely aware of the legal consequences of cyber risk.
This heightened awareness drives increased accountability for Australian CISOs and is likely the reason they are less confident in their cybersecurity posture. They simply have a more realistic understanding of the true threat environment and feel more pressure to be accountable.
The increased awareness and accountability drive the conversations all the way to the leaders of corporate governance, where boards are now placing higher emphasis on managing cyber risk. Australia is also the country with the second-highest number of organisations that have purchased cyber insurance (72% compared to 58% global average, 54% in Japan and 52% in Singapore).
Ransomware prevention is another area that reveals Australia’s higher maturity—75% of Australian CISOs say their organisation prioritizes prevention over response (compared to 59% globally, 56% in Japan and 48% in Singapore) and 70% have a ransom policy in place (vs. 58% globally, 66% in Japan, and 44% in Singapore).
Boards take notice but disconnect remains
The good news is that APAC boards and executives now understand the importance of cybersecurity. We’re seeing a lot more conversations about cyber risk at the board level. But CISOs struggle to figure out how to talk to their boards and translate cyber risk into a language that their board understands, and their influence remains limited for some.
This disconnect leads to many CISOs not strongly agreeing that their boards see eye to eye with them on cybersecurity issues. In our survey, 75% of CISOs in Australia shared this view, along with 77% in Japan and 84% in Singapore. Additionally, the increased level of responsibilities simply exhausted many CISOs. They have been working longer hours to uplift their organisational cyber posture and are doing this with much smaller teams due to the global shortage of cybersecurity employees.
Where do we go from here, considering that cyber risks aren’t going away? We can’t control the threats, but we can improve our organisations’ cyber maturity. This means following the example of how our Australian colleagues have come to understand the real risks, the controls we already have in place, and how to improve on them.
Risks will always evolve, and it is important for CISOs to know that they have a handle on their risk posture. Cyber resilience has become a critical component of success for today’s organisations. Building cyber resilience starts with bolstering your most important defense perimeter—your people.
For the latest CISO news and resources, check out the Proofpoint CISO Hub.