CISOs Find 'Business as Usual' Shows the Harsh Realities of Cyber-Risk

With the chaos of the pandemic now in the rearview mirror, we are finally back to "business as usual." The return to normal operations may imply that chief information security officers (CISOs) can now breathe easier, but the opposite is true. CISOs are feeling less prepared to cope with cyberattacks and more at risk than last year, indicating a reversal from the early days of the pandemic, new research shows.

The "2023 Voice of the CISO" report, Proofpoint's global survey of 1,600 CISOs, found that 68% of respondents feel at risk of experiencing a material cyberattack in the next 12 months. This is a sharp decrease from last year's 48% and a shift back to 2021 levels, when 64% felt at risk. The report also found that 61% of surveyed security leaders believe their organization is unprepared to cope with a targeted cyberattack, compared with 50% in 2022 and 66% in 2021.

Reasons for CISOs' Elevated Concerns

The tumultuous cybersecurity events of 2022 may be one reason behind the CISOs' return to an elevated concern. Last year saw increasingly devastating ransomware attacks that shuttered organizations and crippled entire nations. At the same time, geopolitical tensions continued to mount with incidents such as Russia's attacks on US airports and Chinese nation-state actors' targeting telecoms. The shaky economy did not help matters, and 58% of surveyed CISOs shared that the downturn has affected their security budgets negatively. All these events put security leaders on edge, perhaps lowering their confidence in their security posture.

Another explanation for CISOs' elevated concern may be the anomaly of the pandemic. Having conquered the unprecedented challenges caused by the overnight move to remote operations, security leaders felt a sense of calm. Although attack volumes did not abate, CISOs had a brief period of reprieve as they felt their organizations were less at risk. Yet the ability to secure their remote environments may have given CISOs a false sense of confidence. With the return to normal operations, the post-pandemic security metrics likely looked less reassuring, and the optimism wore off.

Growing Pressures Make the CISO's Job Unsustainable

Whatever the reason behind CISOs' recalibration of perceptions, their diminished confidence is exacerbated by new concerns about personal liability raised by last year's blockbuster Uber case, which resulted in probation for the company's former chief security officer. The US federal court ruling has deep implications that may set a dangerous precedent, and 62% of CISOs surveyed by Proofpoint agreed that they are concerned about personal liability.

The survey also revealed that 60% of CISOs have experienced burnout in the past 12 months, while 61% feel their job expectations are unreasonable, which is a big jump from the previous year's 49%. When we add these mounting pressures to ongoing struggles such as the cybersecurity talent shortage and new issues such as the recent wave of layoffs, it is not surprising that the CISO's role is becoming unsustainable.

This is a time when CISOs need champions on their board of directors more than ever. The Proofpoint report gives a glimmer of hope in this regard, showing a thawing CISO-board relationship — 62% of CISOs say they see eye-to-eye with their board on cybersecurity issues. This trend has been on an upward trajectory in the past three years.

Protecting Data a Top Priority — and a Big Challenge

The Voice of the CISO report shows that data protection remains a top-of-mind priority for CISOs. The ripple effect of the Great Resignation and employee turnover exacerbate the problem of data loss — 63% of surveyed security leaders reported dealing with a material loss of sensitive data in the past 12 months, and 82% said that employees leaving the organization contributed to this loss. Layoffs, like the massive ones we've seen in the technology sector, could especially be an issue because employees may feel wronged and justified in taking corporate data with them on the way out.

Despite the widespread loss of data, 60% of CISOs believe they have adequate controls in place to protect it. This optimism is surprising, especially given CISOs' lack of confidence in their security postures. And we expect that the problem will get worse as the economic uncertainty lingers and more sectors beyond technology — from manufacturing to consulting — pursue mass layoffs.

Supply Chain All But Secure

Another area where security leaders are far too optimistic is supply chain security. Nearly two-thirds of CISOs surveyed by Proofpoint said they have appropriate controls for mitigating supply chain risk. However, protecting today's complex and interconnected supply chain is extremely difficult — and a problem the industry has not been able to solve.

Most organizations simply do not have a grasp on third-party risk while relying heavily on a range of partners and suppliers. Threat actors know this well, which is why we have entered a new era of weaponization of trust. As one example, research found an astounding 633% increase in the number of supply chain attacks using malicious components in the past year. That is one of the many reasons supply chain security has become a matter of national security — and part of a new national cyber strategy in the United States.

The good news is that addressing supplier risk is one of the top priorities in the next 12 months among surveyed CISOs. These findings indicate that security leaders realize supply chain security is critical. The question is whether they can continue to devote adequate resources to this area if security budgets hang in the balance.

Security Risk Is Business Risk

Added regulatory scrutiny, escalating supply chain attacks, data protection — all these challenges impact investor, consumer, and employee confidence in the enterprise. As trust becomes more important for organizational success, it is important for both CISOs and boards to look at security risk as business risk and understand the implications of systemic risk within their organization. Although solving complex cybersecurity problems requires an industrywide effort, it all starts at the organizational level — and CISOs must lead the conversation.