Global CISOs Feel Unprepared to Cope with a Cyberattack: Proofpoint


58% of survey respondents worldwide consider human error their organisation’s biggest cyber vulnerability as hybrid workforce presents new challenges for cybersecurity teams

Proofpoint, Inc. has released its inaugural 2021 Voice of the CISO report which explores key challenges facing chief information security officers (CISOs) after an unprecedented twelve months. Sixty-six percent of CISOs worldwide feel their organisation is unprepared to handle a cyberattack and 58% consider human error to be their biggest cyber vulnerability, proving that the work-from-home model necessitated by the pandemic has tested CISOs like never before.

This year’s Voice of the CISO report examines global third-party survey responses from more than 1,400 CISOs at mid to large size organisations across different industries. Throughout the course of Q1 2021, one hundred CISOs were interviewed in each market across 14 countries: Australia, the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, KSA, Japan, and Singapore.

The survey explores three key areas: the threat risk and types of cyber-attacks CISOs combat daily, the levels of employee and organisational preparedness to face them, and the impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices. It also covers the challenges CISOs face in their roles, position amongst the C-suite, and business expectations of their teams.

“Last year, cybersecurity teams around the world were challenged to enhance their security posture in this new and changing landscape, literally overnight. This required a balancing act between supporting remote work and avoiding business interruption, while securing those environments,” commented Lucia Milica, global resident CISO at Proofpoint. “With the future of work becoming increasingly flexible, this challenge now extends into next year and beyond. In addition to securing many more points of attack and educating users on long-term remote and hybrid work, CISOs must instill confidence among customers, internal stakeholders, and the market that such setups are workable indefinitely.”

Proofpoint’s Voice of the CISO 2021 report highlights general global trends as well as regional differences amongst the global CISO community. Key findings in Australia include:

  • CISOs are on high alert across a range of threats: faced with a relentless attack landscape, 72% of Australian CISOs feel at risk of suffering a material cyberattack in the next 12 months, above the global average of 64%. When asked about the types of attacks Australian CISOs expect to face, DDOS attacks (44%), Cyber/physical attacks (41%) and Business Email Compromise (40%) topped the list. Cloud Account Compromise (O365 or G suite accounts being compromised, 39%), and insider threats (36%) were next. Despite dominating recent headlines, ransomware came in sixth with 35% and supply chain attacks came in seventh with 32%.
  • Organisational cyber preparedness is still a major concern: more than a year on into a pandemic that forever changed the threat landscape, 56% of Australian CISOs feel their organisation is unprepared to cope with a targeted cyberattack in 2021. Cyber risk is also on the rise: 50% of CISOs in Australia are more concerned about the repercussions of a cyberattack in 2021 than they were in 2020.
  • User awareness doesn’t always lead to behavioral change: while more than half of global survey respondents believe employees understand their role in protecting their organisation from cyber threats, only 41% of Australian CISOs said the same. In addition, 58% of global CISOs still consider human error to be their organisation’s biggest cyber vulnerability, compared to 45% of Australian CISOs. Australian CISOs listed falling victim to phishing emails, mishandling sensitive information, and clicking malicious links or downloading compromised files as the most likely ways employees put their business at risk.
  • Long term hybrid work environments present a new challenge for CISOs: 47% of Australian CISOs agree that remote working has made their organisation more vulnerable to targeted cyberattacks, with 45% revealing they had seen an increase in targeted attacks in the last 12 months.
  • High risk, high reward likely to be a common cyber theme over the next two years: 63% of global CISOs and 51% of Australian CISOs believe that cybercrime will become even more profitable for attackers. 60% of global CISOs believe that it will become riskier for cybercriminals compared to 40% of Australian CISOs.

CISOs will adapt their cybersecurity strategy to stay ahead: Overall, the majority of global CISOs expect their cybersecurity budget to increase by 11% or more over the next two years, and 61% of Australian CISOs believe they will be able to better resist and recover from cyberattacks by 2023. Top priorities across the board for Australian CISOs over the next two years are: consolidating security solutions and controls (46%), enhancing core security controls (38%), supporting remote working (38%), as well as enabling business innovation (37%).

  • 2020 elevated the CISO role, as well as the expectations from the business: 44% of Australian CISOs agree that expectations on their function are excessive. The perceived lack of support from the boardroom persists with only 25% of global CISOs strongly agreeing that their board see eye-to-eye with them on issues of cybersecurity. In Australia, this figure was even lower at just 12% of CISOs.

“The ‘good enough’ approach of the past 12 months will simply not work in the long term: with businesses unlikely to ever return to pre-pandemic working practices, the mandate to strengthen cyber security defenses has never been more pressing,” said Ryan Kalember, Executive Vice President of cybersecurity strategy for Proofpoint. “CISOs hold a business-critical function, now more than ever. The findings from our report emphasise that CISOs need the tools to mitigate risk and develop a strategy that takes a people-centric approach to cybersecurity protection and emphasises awareness training to address ever-changing conditions, like those experienced by organisations throughout the pandemic.”