Proofpoint's CISO 2024 Report: Top Challenges Include Human Error & Risk


In Proofpoint’s 2024 Voice of the CISO report, the cybersecurity company found that CISOs are dealing with people-centric threats more than ever. The report also found that cybersecurity budgets often stay flat, and that AI both helps and hinders CISOs’ efforts.

Regarding specific threat risks, 41% of the CISOs cite ransomware attacks as their top concern, followed by malware (38%), email fraud (36%), cloud account compromise (34%), insider threat (30%) and distributed denial of service (30%) attacks.

Biggest threat risks as perceived by CISOs for the next 12 months. Image: Proofpoint

For this report, the research firm Censuswide surveyed 1,600 CISOs from organizations of 1,000 employees or more across different industries in 16 countries.

CISOs’ main people-centric security problems

According to the survey, more CISOs than ever believe human error is the biggest vulnerability for their organizations; 74% of the CISOs feel this way, up from 60% in 2023.

Percentage of CISOs by country who consider human error as their organization’s biggest vulnerability. Image: Proofpoint

In addition, 80% of CISOs see human risk as a key cybersecurity concern over the next two years, up from 63% in 2023. This is where AI comes into play, as 87% of CISOs are looking to deploy AI-powered technologies to fight human vulnerability and block human-centric cyber threats.

Concerning threats also include malicious insiders (36%) and compromised insiders (33%).


Data loss events and threat mitigation

Negligent or careless employees are seen by CISOs as the biggest cause of data loss events (42%), ahead of external attacks (40%). According to the Proofpoint report, 73% of CISOs also said employees leaving their organization contributed to their data loss events.

Cause of data loss events, as reported by CISOs who dealt with a material loss of sensitive information in the past 12 months. Image: Proofpoint

The consequences of these data loss events are mostly financial loss (43%), post-attack recovery costs (41%) and loss of critical data (40%).


To fight the data loss problem, many CISOs educate their employees about computer security best practices (53%), use cloud security solutions (52%), deploy data loss prevention technology (51%), deploy endpoint security (49%), deploy email security (48%) or use isolation technology (42%).

Adoption of DLP has surged from 35% to 51% in a year, and, as a result, 81% of CISOs believe their data is well protected.

An increasing number of cybersecurity threats

Proofpoint stated the attack surface of organizations has never been larger, for several reasons: hybrid work has become standard, reliance on cloud technology has grown, and employees have become increasingly mobile, often taking data with them when changing jobs.

Seventy percent of CISOs feel their organization will probably face a material cyberattack over the next 12 months, with 31% thinking it is very likely. The CISOs from the U.S., Canada and South Korea are the most concerned about experiencing such an attack.

Percentage of CISOs who feel their organization is at risk of a material cyberattack in the next 12 months. Image: Proofpoint

Artificial intelligence helps CISOs but also cybercriminals

As noted earlier, most CISOs surveyed are looking to deploy AI-powered technologies to help them protect their organization, even if they are still at an early stage. Proofpoint wrote, “Even in these early stages, we can already connect the dots between external threats, sensitive content and anomalous behaviors or activity. That’s something that has not been possible at the same speed and scale with human moderation or traditional analysis.”


Yet AI also benefits cybercriminals, making their attacks easier to scale, and techniques that were once deployed only by nation-state threat actors or well-funded cybercriminal groups are now available to lower-skilled attackers. More than half of the CISOs (54%) think AI poses some form of security risk to their organization.

Pressure about cybersecurity budgets

The economy has had an impact on organizations, according to 59% of the surveyed CISOs. CISOs are also pressured to do more, or at least the same, with less, as security budgets remain flat at best. Forty-eight percent of the CISOs have been asked to cut staff, delay backfills or reduce spending.

CISOs’ top budget priority is now improving information protection and enabling greater business innovation (58%), slightly ahead of improving employee cybersecurity awareness (54%).

Top priorities for organizations’ IT teams over the next two years. Image: Proofpoint

CISOs’ concerns include burnout and insurance

In addition to the budget-related stress, 66% of CISOs feel the expectations placed on them are unrealistic, up from 61% in 2023, and they also feel their concerns go unanswered. This results in low job satisfaction, with 53% of the CISOs experiencing or witnessing burnout in the past year.

Sixty-six percent of CISOs are also concerned about personal, financial and legal liability in their role, fearing a lack of protection in their job. And 72% of CISOs would not join an organization that did not offer them directors and officers insurance or similar protection in the event of a successful cyberattack.

A bright spot: CISOs’ relationships with board members

Eighty-four percent of CISOs reported they see eye to eye with their board members, up from 51% in 2022 and 62% in 2023. This alignment has led to a greater understanding on the part of board members.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
