More than two years into the COVID-19 pandemic, organizations have adapted to their new normal. But for CISOs, 2021 was another challenging year as many disruptive, large-scale attacks kept organizations on high alert. And just as the chaos of the pandemic dissipated, new events—including the Great Resignation and geopolitical tensions in Europe—added to CISOs' already significant stress levels.
How are security leaders coping with the escalating supply chain and critical infrastructure threats, the compounding talent shortage, and increased scrutiny of their boards? To understand their mindset, we surveyed 1,400 CISOs from around the world and collected their insights for our second annual Voice of the CISO report. While some of the findings were unexpected, overall, I’m encouraged to learn that CISOs feel more confident about their organizations’ security posture.
Here's what surprised me. Despite the continued threat escalation and the ratcheting pressure to respond effectively with even fewer resources, only 48% of CISOs feel their organization is at risk of experiencing a material attack in the next 12 months. This is a significant drop from last year’s 64%.
Based on my conversations with CISOs, I believe this reduction in their concern shows that security leaders, too, have adapted to a new normal. They’ve accepted that they now work in a different world and that functioning at higher levels and greatest capacity is their current reality. After spending 2020 reacting to the pandemic and shoring up defenses, security leaders have reached a new level of calm even as the intensity of the threats hasn’t abated.
Insider threats moved from last year’s third spot to the top as the biggest perceived cyber risk to impact organizations over the next year. Whether that human behavior is accidental, negligent, or criminal, CISOs assess them as equal in terms of which one more likely would cause a data breach or exposure within their organization. This is further compounded by human error, which 56% of global CISOs consider their organization's biggest cyber vulnerability.
As high-profile ransomware attacks have dominated the news, cyber risk awareness among the C-Suite has grown and pushed ransomware to the top of the agenda for organizations. Fifty-eight percent of global CISOs have purchased cyber insurance and 3 in 5 are focusing on prevention over detection and response strategies. Despite the increased risk, however, a concerning 42% of CISOs admit they have no ransom payment policy in place.
The changing role of the CISO
The good news is that CISOs are finally getting a seat at the table. Before the pandemic, this was a nearly impossible feat, but now boards understand CISOs are much more than technologists. With the importance of their job now elevated, security leaders are adjusting to heightened expectations. Only half of this year’s surveyed CISOs felt that the new demands of their role were excessive, a seven-point decrease from 2021.
Our survey found that enhancing information protection and cybersecurity awareness remains at the top of the CISO agenda. As their strategic role grows, CISOs know what they need to improve—and are well-positioned to play a bigger part in managing their organization's risks. The report shows that CISOs have embraced a new era of higher threats and equally higher responsibilities—and they remain passionate about their work.
Visit https://www.proofpoint.com/au/resources/white-papers/voice-of-the-ciso-report to read the complete findings from the 2022 Voice of the CISO Report.