More than half of CISOs have dealt with the loss of sensitive data in the past 12 months
Proofpoint has released its annual Voice of the CISO report, which explores key challenges, expectations, and priorities of chief information security officers.
The report reveals that CISOs in Singapore rank third globally in terms of concern for an imminent material cyber attack, with 80% of those surveyed feeling at risk, higher than the global average of 68%. CISOs in Singapore have experienced steadily increasing concerns about cyber attacks since the start of the pandemic, with 44% agreeing their organisation was at risk in 2021 and 64% agreeing in 2022.
The rapid increase could be attributed to greater reliance on online collaboration tools due to the prevalence of hybrid work arrangements, which inadvertently also gave cybercriminals access to a larger target pool. Likewise, concerns about preparedness levels have increased: 55% feel unprepared to cope with a targeted cyber attack, a marked increase over last year's 39%.
While organisations have largely overcome the disruptions of the last two years, the effects of the Great Resignation and employee turnover continue to linger, exacerbated by the recent wave of mass layoffs—87% of CISOs in Singapore who experienced a data loss event say that employees leaving the organisation played a role. Even though 55% of security leaders in Singapore had to deal with the loss of sensitive information in the past 12 months, 68% believe they have adequate data protection in place.
The 2023 Voice of the CISO report examines global third-party survey responses from more than 1,600 CISOs at mid-to-large size organisations across 11 different industries. Throughout the course of Q1 2023, 100 CISOs were interviewed in each market across 16 countries: Singapore, Australia, Japan, South Korea, the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, KSA, and Brazil.
The report discusses global trends and regional differences around three central themes: the threats and risks CISOs face daily; the impact of employees on organisations' cyber preparedness; and the defences CISOs are building, especially as the economic downturn puts pressure on security budgets. The survey also measures the changes in alignment between security leaders and their boards of directors, exploring how their relationship impacts security priorities.
"Our 2023 Voice of the CISO report reveals that amidst the rising difficulties of protecting their people and defending data, CISOs are being tested at a personal level with higher expectations, burnout, and uncertainty about personal liability," says Yvette Lejins, Resident CISO, Asia Pacific and Japan at Proofpoint.
"The improving relationship between security leaders and board members gives us hope, however, and this partnership will enable organisations to overcome the new challenges they face this year and beyond."
Key Singapore findings from Proofpoint's 2023 Voice of the CISO report include:
CISOs have experienced steadily increasing levels of concern since the start of the pandemic, while also feeling much more unprepared than last year: 80% of CISOs feel at risk of experiencing a material cyber attack in the next 12 months, compared to 64% last year and 44% in 2021. Further, 55% believe their organisation is unprepared to cope with a targeted cyber attack, compared to 39% last year and 53% in 2021.
The loss of sensitive data is exacerbated by employee turnover: 55% of security leaders reported having to deal with a material loss of sensitive data in the past 12 months, and of those, 87% agreed that employees leaving the organisation contributed to the loss. Despite those losses, 68% of CISOs believe they have adequate controls to protect their data.
Insider threats and cloud account compromise top the list of the most significant threats: the top threats perceived by CISOs have shifted, with insider threats and cloud account compromise now leading the way, followed by email fraud (business account compromise). Last year, DDoS attacks were the top concern, followed by cloud account compromise and smishing/vishing.
Most organisations are likely to pay a ransom if impacted by ransomware: 72% of CISOs believe their organisation would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months. And they are relying on insurance to shift the risk — 60% said they would place a cyber insurance claim to recover losses incurred in various types of attacks.
Supply chain risk is an increasing priority: 69% of CISOs say they have adequate controls in place to mitigate supply chain risk, a significant increase from last year's 50%. While these protections may feel adequate for now, going forward, CISOs may feel more strapped for resources — 58% say the shaky economy has negatively impacted their cybersecurity budget.
People risk grows as a prominent concern: there has been a consistent rise in the number of CISOs who view human error as their organisation's biggest cyber vulnerability—59% in this year's survey vs. 53% in 2022 and 37% in 2021. At the same time, 62% of CISOs believe that employees understand their role in protecting the organisation, compared to 59% in 2022 and 42% in 2021; this illustrates a struggle to build a strong security culture.
CISOs and boards are much more in tune: 60% of CISOs agree their board members see eye-to-eye with them on cybersecurity issues. This is a substantial increase from the 44% of CISOs who shared this view last year and the 46% who felt this way in 2021.
Mounting CISO pressures are making the job increasingly unsustainable: 67% of CISOs feel they face unreasonable job expectations, a significant increase from last year's 35%. While the return to their new reality may be one reason behind this view, CISOs' job-related angst is a likely contributor as well—56% are concerned about personal liability and 70% say they have experienced burnout in the past 12 months.
"Security leaders must remain steadfast in protecting their people and data, a task made increasingly difficult as insiders prove themselves as a significant contributor to sensitive data loss," says Ryan Kalember, Executive Vice President of Cybersecurity Strategy for Proofpoint.
"If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures.
"Therefore, CISOs must ensure they focus on the right priorities to move their organisations toward cyber resilience."