- Incredible demands of the past year encourage CISOs to make their voices heard, loud and clear.
- The apparent disconnect between CISOs and the rest of the C-suite is that many feel they are unable to perform to the best of their ability.
- Two-thirds of CISOs believe that cyber-crime will be even more profitable over the next two years.
- Two-thirds of CISOs believe they are at risk of suffering a material cyberattack within the next 12 months.
- Two in three CISOs believe they will be better able to resist and recover from cyberattacks by 2022/23.
Cybercriminals ramped up the pressure on chief information security officers (CISOs) during 2020 with a constant stream of threats, old and new, but that pressure has also elevated the importance of the CISO and encouraged them to make their voices heard, loud and clear.
“Adding to the demanding and often thankless workload of the CISO is a perceived lack of support from the boardroom despite continuing to feel the pressure of excessive expectations,” Lucia Milica, global resident CISO at Proofpoint, said.
Despite the unprecedented disruption of the past year, there are many positives to take forward.
To gauge the mood of the industry during this pivotal time, Proofpoint surveyed 1,400 CISOs from around the world and invited them to share their first-hand experiences during the past 12 months and offer their insights for the next two years.
Fewer than two-thirds of global CISOs agree that they see eye-to-eye with the board on cybersecurity matters, and this figure tracks company headcount, highlighting the difficulties faced by CISOs at smaller organisations.
Budgets to increase
“As a CISO, you need to address and explain risks to the board as well as to the tech people to be effective. You need to understand the technical side as well as the strategic side of the organisation. You are like one of a handful of spiders in a big web that feels the vibrations or influences them at the edges,” Roeland Reijers, CISO at University of Amsterdam, said.
According to the survey, 59 per cent of global CISOs agree that their reporting line can hamper their job effectiveness. This view is most prominent in the technology sector, where three in four CISOs agree with the sentiment.
“The result of this apparent disconnect between CISOs and the rest of the C-suite is that many feel they are unable to perform to the best of their ability. Nearly half of global CISOs do not believe that their organisation positions them to succeed. Even more alarming, 24 per cent strongly agree that this is the case,” Milica said.
While the challenges of their role are felt worldwide, she said that CISOs still find fulfilment in many ways, although perhaps not in the areas that many outside cybersecurity teams would expect.
The majority of CISOs expect to see cybersecurity budgets increase by at least 11 per cent over the next two years while almost a third (32 per cent) are expecting budgets to decrease between now and 2023.
“Larger budgets are not the only reason behind the collective optimism of the world’s CISOs. There is a common view, held by 64 per cent of respondents, that public awareness of cybersecurity risks will increase in the future. There is also a belief that cybersecurity regulations will become more specific and less outcome-based. This bright outlook for the immediate future appears warranted. Tighter, more manageable regulation, increased user awareness, and bolstered technical controls should all increase organisational security,” Milica said.
2020 was a bumper year for cybercriminals and they are more emboldened than ever in their efforts to harm organisations around the world.
Two-thirds (63 per cent) of CISOs believe that cyber-crime will be even more profitable over the next two years, and that those who fall victim may suffer even greater consequences. In addition, 61 per cent of CISOs believe that organisational penalties for being breached will increase in 2022 and 2023.
The pandemic placed an enormous strain on the global economy, and cybercriminals took advantage of this disruption to accelerate their nefarious activities.
The conclusion of 2020 dealt a final blow with the SolarWinds hack, which highlighted supply chain and ecosystem vulnerabilities. With thousands of organisations impacted, what has been dubbed “the most sophisticated attack the world has ever seen” has reignited the “assume compromise” philosophy among CISOs.
Material cyberattack expected
“We were inundated with cyberattacks, both new and familiar, from pandemic-themed phishing scams to the unwavering march of ransomware. All of this occurred while transitioning to working from home on a grand scale, literally overnight,” Milica said.
Moreover, she said that cybersecurity teams around the world were challenged to enhance their security posture in this new and changing landscape at the same time.
“This required a balancing act between supporting remote work and avoiding business interruption while securing those environments. With the future of work becoming increasingly flexible, this challenge now extends into next year and beyond,” she said.
Almost two-thirds of surveyed CISOs believe they are at risk of suffering a material cyberattack within the next 12 months.
Of these, one in five believes this risk to be very high.
What should concern all business leaders, Milica said, is the finding that 66 per cent of CISOs globally do not believe that their organisation is prepared to cope with an attack.
“While technical controls may offer broad protection against common threats, user security training must be targeted to avoid information overload. However, this isn’t possible when CISOs are unsure exactly where the next attack is coming from,” she said.
Over half of CISOs are more concerned about the repercussions of a cyberattack in 2021 than they were in 2020 – with one in four strongly in agreement, she added.
Despite widespread acknowledgement of the struggle to stay secure last year, the survey showed that most CISOs are hopeful in their outlook for the years ahead.
People-centric approach needed
“Assuming appropriate strengthening and strategising, two in three (65 per cent) CISOs worldwide believe they will be better able to resist and recover from cyberattacks by 2022/23. However, the outlook is somewhat bleaker for the organisations that fail to adapt to the new normal,” the report said.
Ryan Kalember, executive vice-president of cybersecurity strategy for Proofpoint, said that CISOs hold a business-critical function, now more than ever.
“The findings emphasise that CISOs need the tools to mitigate risk and develop a strategy that takes a people-centric approach to cybersecurity protection and emphasises awareness training to address ever-changing conditions, like those experienced by organisations throughout the pandemic,” he said.
Key findings from the UAE:
- 68% of CISOs feel at risk of suffering a material cyberattack in the next 12 months. Among the types of attacks they expect to face, insider threats (29%), phishing (28%) and business email compromise (25%) topped the list.
- 72% feel their organisation is unprepared to cope with a targeted cyberattack in 2021.
- 71% are more concerned about the repercussions of a cyberattack in 2021 than they were in 2020, the highest percentage across the 14 surveyed global countries.
- 70% of CISOs still consider human error to be their organisation’s biggest cyber vulnerability.
- 66% agree that remote working has made their organisation more vulnerable to targeted cyberattacks, with 76% revealing they had seen an increase in targeted attacks in the last 12 months, the highest among the surveyed countries.
- 70% believe that cybercrime will become even more profitable for attackers, while 64% believe that it will become riskier for cybercriminals.
- 77% believe they will be able to better resist and recover from cyberattacks by 2023.
- The top three priorities for UAE CISOs over the next two years are addressing supplier risk (29%), supporting remote working (28%) and enabling business innovation (28%).
- CISOs in UAE (76%) and Saudi Arabia (69%) have seen the biggest increase in targeted attacks since switching to widespread remote working.
- More than two-thirds of CISOs agree that penalties for breaches will likely grow.