CISOs face mounting pressures, expectations post-pandemic
Proofpoint's 2023 Voice of the CISO report shows deep concern among executives about impending data loss and exposure from negligent -- and malicious -- employees.
According to a new survey, some CISOs feel the growing pressures and expectations around data protection in the post-pandemic threat landscape are becoming insurmountable.
Proofpoint's 2023 Voice of the CISO report revealed growing doubt among CISOs in their ability to successfully protect their organizations from data exposure and theft. According to the survey, which featured 1,600 respondents from around the world, 61% of CISOs felt their organizations are unprepared to cope with a targeted attack, up from 50% in 2022.
Similarly, 68% of CISOs said they feel their organization is at risk of a material cyber attack in the next 12 months, compared with 48% last year and 64% in 2021.
"It was almost a false sense of confidence that cybersecurity had as we came out of the pandemic to now back into a feeling of elevated concern," said Lucia Milică Stacy, resident global CISO at Proofpoint.
Additionally, 61% of respondents felt they face "excessive expectations" as CISOs, an increase from 49% in 2022 and 57% in 2021. With the new demands of securing remote employees and hybrid work environments, and with many organizations tightening cybersecurity budgets in the economic downturn, Proofpoint's report found that many CISOs were dealing with expanded duties and concerns but had fewer resources to address them.
Data protection challenges
The widespread adoption of hybrid work has stretched the boundaries of corporate data. As a result, threat actors have more access to potential victims, and security teams now have more ground to cover as they work to protect information.
"As we've seen the shift to everything SaaS, people have become that new layer and threat actors are leveraging our behaviors, our emotions, correlating how we connect from the plethora of devices to every different cloud," Stacy said.
The pandemic also set off widespread employment losses and occupational shuffling, known as the Great Resignation. While people exited their jobs, many carried with them data belonging to their previous workplaces.
Though some organizations do require written guarantees that former employees will delete accessible company data, CISOs' concerns suggest that some recent data exposure incidents are out of their control: 82% of CISOs believed that employees leaving their organizations contributed to data-loss events.
"The finding suggests that CISOs increasingly believe that more employees are exposing data on purpose," the report said. "The continuing impact of the Great Resignation -- and more recently, mass layoffs -- undoubtedly loom large in this assertion."
To make matters worse, Proofpoint's study suggests CISOs believe that future insider-driven data exposures will be intentional and malicious. The survey found 43% of CISOs said malicious insiders were more likely to cause a data breach or exposure within the next 12 months. In addition, 34% of CISOs who experienced a significant data loss event in the prior 12 months said negligent insiders were to blame, while 33% attributed their events to malicious or criminal insiders.
According to Stacy, the Great Resignation, as well as cybersecurity's new role in geopolitical conflicts, has contributed to these intentional exposures. "They're handing data over to a nation-state or carelessly taking data because of this constant movement plus the geopolitical tension," she said.
CISO support
Despite the FBI's instructions against paying threat actors, 62% of CISOs in Proofpoint's survey expect that their organizations are likely to pay a ransom to prevent the release of data or remediate systems.
Stacy, who was "surprised that the number was as high as it was," said that although the consensus among security leaders is not to pay cybercriminals, they are not the only decision-makers in the equation; CISOs' qualms about paying may be overridden by the business concerns of other management bodies.
Another theme in the survey results was support. A belief shared by 62% of the respondents was that board members should have cybersecurity expertise.
While CISOs and board members need to have meaningful dialogue about cybersecurity strategy, the knowledge gap hinders companies from efficiently building and implementing policies. Despite the disconnect reported by respondents, the survey did suggest that communication between CISOs and board members has improved: 59% of respondents said they saw eye to eye with their board on cybersecurity issues in 2021, and 62% reported they did in 2022.
"They've made progress into trying to translate that cyber risk into a language that the board members understand," Stacy said.
Policymakers are also working to close the gap. In 2022, the Securities and Exchange Commission proposed regulations that would require cybersecurity expertise on the boards and cybersecurity risk oversight committees of publicly traded companies.
"I think if that is indeed part of the final version, that is going to start closing the gap into that communication piece," Stacy said.
Alexis Zacharakos is a student studying journalism and criminal justice at Northeastern University in Boston.