CISOs reflect on the unexpected outcomes of another turbulent year

Each year, Proofpoint conducts a survey of CISOs from across the globe to understand their perspectives and concerns. Our 2022 Voice of the CISO Report captured surprising input from more than 1,400 security leaders.

Last year’s report highlighted an overabundance of worried leaders, concerned about the escalating threat landscape and unsure of what risks to prioritise next. CISOs felt overwhelmed and under siege – it was a tough gig!

Given that the rest of 2021 and the start of 2022 hardly dialled back the threats, instead facing record-breaking increases in ransomware and business email compromise, we expected a similar take in this year’s survey, with even more worry lines etched on the brows of security teams globally. It was surprising, then, that the CISO community felt more relaxed and comfortable in 2022, raising questions about why and what that means for the role.

The good news

Security teams have had it rough for a few years – the changes driven by COVID were just the icing on the cake of threat, risk and peril. CISOs had been adapting to an ever-growing set of responsibilities covering operational resilience, application and product development, business continuity, compliance, privacy, risk management and, increasingly, physical security. They were spread thin as attacks increased and the potential for multi-million dollar business impacts skyrocketed. It was not a role for the faint of heart, and that was before COVID delivered the hammer blow of cost-cutting, enforced business agility and remote working with immediate, immovable deadlines.

It is interesting to consider then that CISOs seem to feel they have successfully navigated through this turbulent time and are emerging on the other side mostly intact. They would be right to take confidence from their sheer survival over the past few years. It is a validation of their control selection, management skills and strategic vision. In the UK, CISOs detected fewer attacks than at the start of Covid, and less than two-thirds (60 percent) of UK CISOs felt at risk of a material security breach, down from 81 percent in 2021.

Amazingly, even stress levels were down, with just 60 percent of UK CISOs stating that their role carried “excessive expectations”, down from 66 percent the previous year. More than half being stressed is still not great, but perhaps there is a reason to celebrate this positive trend.

The not-so-good news

There were some threat and damage statistics that levelled or dipped, and it is interesting to consider these as well.

There was continued recognition that humans were the primary attack surface for their enterprise – likely reinforced by the findings of Verizon’s Data Breach Investigations Report and the World Economic Forum’s Global Risks Report – but only 68 percent of UK CISOs felt their staff were sufficiently trained and aware, leaving a sizeable gap to address.

Interestingly, one of the biggest disappointments was in the relationship between the CISO and their board, with this being most notable in larger firms with more than 5,000 employees. The perception of a positive relationship dropped from 71 percent to just 51 percent globally, while 50 percent of global CISOs felt that their firm had not set them up to succeed.

Why the sense of calm?

We must consider what happened in 2021 to depress these statistics. It appears the tough cybersecurity decisions throughout last year were not always aligned with CISOs’ recommendations or risk appetite. We all know stories of corners being cut and issues side-lined for the sake of business efficacy. This has reminded CISOs that, after a period of focus, support and empowerment, the board has other issues to manage as well, and security is just one piece of the puzzle.

As good corporate citizens, security leadership successfully managed risks and saw real benefits from taking a path that, perhaps in isolation, they would not have selected themselves. Even without proper credit, they can rightly be pleased that their tactics worked.

Looking forward

In the future, there is the recognition that staff are still the primary attack surface for the organisation and the likely source of most breaches, yet there is a significant shortfall between desired position and reality. This is one of just a few items in the CISOs’ clear view as they still lack consensus on the major threats they face, with only a 4 percent difference between the most and least-concerning threats.

The new survey found that the top strategic priorities for CISOs globally are promoting information protection (39 percent), increasing cybersecurity awareness (38 percent) and consolidating and outsourcing security solutions and controls (36 percent). While the first two categories are always high on the CISO’s agenda, the latter is almost certainly driven by events since 2020. With employees working from everywhere, cloud adoption now filling workplace gaps and some short-term tactical controls still in place, IT set-ups are increasingly complex.

Overall, CISOs appear to have embraced 2022 as the “calm after the storm”. However, we must remain aware that the storm never really abated – we just became accustomed to it, like the frog sitting calmly in the pan of gradually heating water. As geopolitical tensions rise and people-focused attacks escalate, the same gaps in user awareness, preparation and prevention are ready to boil the water again.

By Andrew Rose, Resident CISO, EMEA, Proofpoint