Two-Thirds of CISOs Admit They're Not Ready to Face a Cyberattack

By John P. Mello Jr.

May 12, 2021 4:00 AM PT

Two out of three global CISOs feel unprepared to cope with a cyberattack, according to an annual survey released Wednesday by a cybersecurity and compliance company.

The 2021 edition of Proofpoint’s Voice of the CISO report — based on a survey of more than 1,400 CISOs in 14 countries — found 66 percent of the executives acknowledged their organizations were unprepared to handle a targeted cyberattack this year.

In addition, more than half the CISOs (53 percent) admitted they are more concerned about the repercussions from a cyberattack this year than they were in 2020.

“Cyberattacks are coming fast and furious and getting more so by the minute,” declared Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.

“It feels like we are headed to the point where no company is truly safe, and nothing will be able to stop cybercriminals,” she told TechNewsWorld. “So no, no one is adequately prepared to cope with future cyberattacks — not even CISOs.”

The survey also found that nearly three out of five CISOs (58 percent) consider human error their biggest cyber vulnerability.

Misaligned Mitigation

“It’s not that CISOs aren’t trying their best to prepare. It’s that cyberattacks are a very tough thing to prevent in the first place; and most CISOs aren’t focusing their resources against the right threats,” maintained Roger Grimes, a data-driven defense evangelist at KnowBe4, a security awareness training provider in Clearwater, Fla.

As an example, Grimes explained that the vast majority of successful malicious breaches are from social engineering and phishing. Many surveys put phishing as responsible for 70 to 90 percent of all successful cyberattacks.

“Yet,” he told TechNewsWorld, “most organizations dedicate less than five percent of their IT security budget to it.”

“It’s this fundamental misalignment of mitigations versus the root cause of exploits that is causing cybersecurity to be so ineffectual,” he said.

“Most CISOs see threats as bubbles in a glass of champagne and aren’t told that one or two of these bubbles are far bigger than all the other bubbles added up all together,” he observed.

“This leads to a bunch of threats being treated more equally than they should be, and unfortunately, with the biggest threats left weakly mitigated,” he added.

Top of Mind Threats

The survey also found that 64 percent of the CISOs feel at risk of suffering a material cyberattack in the next 12 months.

Attacks that the CISOs say they expect to face in the coming months include:

  • Business email compromises (34 percent)
  • Account compromises (33 percent)
  • Insider threats (31 percent)
  • Supply chain compromise (29 percent)
  • Ransomware (27 percent)

“Insider threats are often overlooked in favor of tools to protect from external threats,” noted Morey Haber, CTO and CISO at BeyondTrust, maker of privileged account management and vulnerability management solutions in Carlsbad, Calif.

“However, we can’t underestimate the insider threat risk,” he told TechNewsWorld.

“When we think of insider threats, we often imagine disgruntled employees seeking revenge on their former employers’ business,” he explained. “In reality, a vast majority of these threats are most often caused by honest mistakes such as clicking on malicious links or opening phishing emails.”

“Either way, insider threats can be very difficult to detect, and pose a threat that businesses struggle to address,” he added.

Credential Compromise

Piyush Pandey, CEO of Appsian Security, an ERP data security and compliance company in Dallas, agreed that threats targeting users should be a top concern of CISOs, especially threats aimed at compromising credentials.

“Right now, a user’s identity is typically identified by the credentials they log in with,” he told TechNewsWorld. “Given phishing and brute force attacks are so prevalent, organizations must ensure access to sensitive business data is dynamic and context-aware to ensure privileges are effectively aligned with the level of risk in their access.”

Insider threats are not limited to people, either.

“The volume of threats coming from cloud infrastructure — such as Microsoft 365 and Google Workspace — means that the attackers are using trusted systems — and potentially even the systems that the organization is using themselves — to attack them,” observed Jack Miller, former CISO and current head of global professional services at Menlo Security, a cloud security provider in Mountain View, Calif.

“We can’t assume that ‘my’ OneDrive installation is safe,” he told TechNewsWorld. “We have to assume that everything is malicious, including our own systems. Phishing and credential theft can make it easy for attackers to plant their threats internally to an organization.”

Remote Working Challenges

Although ransomware as a threat seems to have been played down by the CISOs in the survey, it remains dangerous, especially in a world with more remote workers than ever.

“Threat actors have been busy exploiting a wider attack surface because the workforce is now remote,” explained Bryan Embrey, director of product marketing at Zentry Security, a zero trust remote access company in Milpitas, Calif.

“Workers are using unsecure Wi-Fi, personal devices, and accessing applications and resources across the hybrid IT landscape,” he told TechNewsWorld. “All of these offer possibilities for malware exploitation.”

“And 2020 didn’t help CISOs,” he said. “Given the workforce’s rapid shift to remote work, CISOs added licenses to their existing VPNs as quickly as they could to keep their organizations running and productive. VPNs, however, are often cumbersome and complex, and provide wider access than is needed.”

Indeed, more than half the CISOs surveyed agreed that remote working made their organization more vulnerable to targeted cyberattacks, with three in five revealing they had seen an increase in targeted attacks in the last 12 months.

“Last year, cybersecurity teams around the world were challenged to enhance their security posture in this new and changing landscape, literally overnight,” Lucia Milica, global resident CISO at Proofpoint, said in a statement.

“This required a balancing act between supporting remote work and avoiding business interruption, while securing those environments. With the future of work becoming increasingly flexible, this challenge now extends into next year and beyond,” she explained.

“In addition to securing many more points of attack and educating users on long-term remote and hybrid work, CISOs must instill confidence among customers, internal stakeholders, and the market that such setups are workable indefinitely,” Milica added.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.