Australian CISOs Feel Least Prepared and More at Risk of Cyber Attacks Compared to Global Counterparts
76% of Australian CISOs surveyed consider human error their organisation's biggest cyber vulnerability, as a hybrid workforce presents new challenges for cybersecurity teams
Sydney, Australia, 17 May, 2022 – Proofpoint, Inc., a leading cybersecurity and compliance company, today released its annual Voice of the CISO report, which explores key challenges facing chief information security officers (CISOs) in Australia and around the globe. While CISOs around the world spent 2021 coming to terms with new ways of working, Australian CISOs fell behind global counterparts when it came to feeling in control of their environment: 77% of Australian CISOs say their organisation is unprepared to detect, deter and recover from a cyber attack – the highest in 14 countries surveyed and up 21% from 2021.
“As high-profile attacks disrupted supply chains, made headlines, and prompted new cybersecurity legislation, 2021 proved to be another challenging time for CISOs around the world,” commented Lucia Milică, vice president and global resident CISO at Proofpoint. “As the impact of the pandemic on security teams gradually fades, our 2022 report uncovers a pressing issue. As workers leave their jobs or opt out of returning to the workforce, security teams are now managing a host of information protection vulnerabilities and insider threats.”
Australian CISOs not only feel more unprepared, but 68% also feel their organisation is at risk of suffering a material cyber attack in the next 12 months compared to 48% of CISOs globally. In addition, 76% of Australian CISOs consider human error to be their biggest cyber vulnerability, with established work-from-anywhere setups and The Great Resignation presenting new challenges around information protection.
This year’s Voice of the CISO report examines global third-party survey responses from more than 1,400 CISOs at mid-to-large size organisations across different industries. Throughout the course of Q1 2022, one hundred CISOs were interviewed in each market across 14 countries: Australia, the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, KSA, Japan, and Singapore.
The survey explores three key areas: the threat risk and types of cyber attacks CISOs combat daily, the levels of employee and organisational preparedness facing them, and the impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices. It also uncovers the challenges CISOs experience in their roles, their position among the C-suite, and business expectations of their teams.
“After spending two years bolstering their defences to support hybrid working, CISOs have had to prioritise their efforts to address cyber threats targeting today’s distributed, cloud-reliant workforce. The Australian federal government’s landmark $9.9 billion investment in cybersecurity preparedness demonstrates just how critical it has become for governments and organisations to step up their defences in a rapidly evolving climate. Yet our research shows Australian CISOs feel the least prepared globally to deal with the consequences of a cyber attack. Not only that, Australian CISOs are feeling the pressure of their role much more than other countries, with 63% of Australian CISOs agreeing the expectations on their role are excessive – a significant increase from 44% in 2021,” said Yvette Lejins, resident chief information security officer (CISO), APJ at Proofpoint.
Proofpoint’s Voice of the CISO 2022 report highlights general trends as well as regional differences among the global CISO community. Key Australian findings include:
Organisational cyber preparedness is a major concern for Australian CISOs: a staggering 77%–more than three-quarters–of Australia CISOs believed they were unprepared for a targeted attack this year. This is up from 56% last year.
Australian CISOs are less confident about their cybersecurity posture than their counterparts: while global CISOs appear more in control of their environment, Australian CISOs are less confident than their counterparts with 68% feeling at risk of suffering a material cyber attack in the next 12 months. The global average was 48%.
Australian CISOs feel under increased pressure, as board buy-in remains precarious as cyber risk worries business leaders: 63% of Australian CISOs feel that expectations on their role are excessive, up from 44% last year. However, the perceived lack of alignment with the boardroom has increased with only 25% of Australian CISOs strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity. When considering cyber risk, Australian CISOs listed significant downtime, disruption to operations and impact on business valuation as top board concerns.
There is a lack of consensus among CISOs as to the most significant threats targeting their organisation: this year, insider threats–whether negligent, accidental, or criminal–topped the list for Australian CISOs at 36%, but were closely followed by Business Email Compromise, and supply chain attacks, both at 31%. Despite dominating recent headlines, ransomware came in at 22%.
Employee security awareness is on the rise, but users are still not adequately skilled for the role of cyber defence: while 75% of Australian survey respondents believe employees understand their role in protecting their organisation from cyber threats, 76% of CISOs still consider human error to be their organisation's biggest cyber vulnerability. In the last year, 64% of Australian CISOs surveyed have increased the frequency of cybersecurity training for employees.
Long term hybrid work and The Great Resignation make protecting data a top new challenge for CISOs: with employees now forming the defensive perimeter wherever they work, 2 in 3 Australian CISOs (66%) agree that they have seen an increase in targeted attacks in the last 12 months, compared to 51% of CISOs globally. And 68% say that increases in employee transitions means that protecting data has become a greater challenge. When asked how employees were most likely to cause a data breach, CISOs named malicious insiders as the most likely vector, where employees intentionally steal company information.
- Ransomware headlines have largely increased cyber risk awareness among the C-Suite and driven strategy shifts: recent high-profile attacks have pushed ransomware to the top of the agenda for organisations, with 72% of Australian CISOs revealing they had purchased cyber insurance (against a global average of 58%) and 75% are focusing on prevention over detection and response strategies. Despite the rising stakes, however, a concerning 30% of Australian CISOs admit they have no ransom payment policy in place.
“Our research also highlights a perceived lack of alignment between CISOs and the board, with only a quarter of Australian CISOs strongly agreeing that their board sees eye to eye with them on issues of cybersecurity. We must start seeing greater internal alignment across boardrooms on critical threats like ransomware to create effective cybersecurity practices that put people front and centre. With rising geopolitical tensions, ongoing conflict in Ukraine and increasing people-focused attacks, the same gaps of user awareness, preparation and prevention must be plugged to weather an increasingly volatile threat landscape,” Lejins concluded.
To download the 2022 Voice of the CISO report, please visit:
Visit Proofpoint’s new CISO Hub at www.proofpoint.com/us/ciso-hub, a home for CISO-level content, including insights, research, trends, technical resources, tools, and upcoming events. Each month features a timely topic uniquely relevant to the CISO role.
# # #
About Proofpoint, Inc.
Proofpoint, Inc. is a leading cybersecurity and compliance company that protects organisations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organisations of all sizes, including 75 percent of the Fortune 100, rely on Proofpoint for people-centric security and compliance solutions that mitigate their most critical risks across email, the cloud, social media, and the web. More information is available at www.proofpoint.com.
# # #
Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.
PROOFPOINT MEDIA CONTACT: