- CISOs perceive less risk of a material cyberattack and feel more confident in their ability to deal with cyberthreats, according to a survey commissioned by Proofpoint and conducted by Censuswide.
- The chaos and rapid technology changes CISOs confronted during the first waves of the pandemic have given way to a greater sense that they’ve regained control of their IT environments and systems.
- Despite this collective confidence boost, half of the 1,400 global CISOs surveyed said their organization remains unprepared to handle a cyberattack.
Less than half of the CISOs surveyed anticipate a substantial cyberattack this year, marking a big shift from the 64% that held that concern last year, according to Proofpoint.
CISOs generally feel more sure-footed and in command of their IT infrastructure now that they’ve had the opportunity to reflect and make permanent changes after two years of heightened uncertainty, said Lucia Milică, global resident CISO at Proofpoint.
“Our job as security leaders is to continuously manage cyber risk, respond and adapt,” she said. “To some extent, we have just adapted to a higher threshold of cyberattacks than we have maybe been accustomed to prior to the pandemic.”
While major and persistent ransomware attacks elevated C-suite awareness of risk, the perceived lack of support from corporate boards increased during the last year. Fewer CISOs are aligning with the board on cybersecurity matters, according to Proofpoint.
Boards understand the need to adequately address cybersecurity and identify it as a business risk, but relatively few boards grasp the inherent complexities in modern digital systems, Milică said.
The rise of systemic risk, following widespread enterprise digitization efforts, highlights the need for boards to prioritize resources and better reflect the critical role cybersecurity plays throughout a company’s operations, she said.
Indeed, Milică said she supports the Securities and Exchange Commission’s (SEC) proposed rules for cybersecurity disclosure because they would require more expertise at the board level, in addition to regular filings on management, governance and strategy.
Such a mandate would lead to better strategies and more budget allocated to cybersecurity, similar to what the Sarbanes-Oxley Act of 2002 did for financial record keeping and reporting, she said.
More awareness and a robust response from government and law enforcement officials could also explain why fewer CISOs feel the pressure of excessive expectations. Less than half of the CISOs surveyed by Proofpoint said expectations on their role remain excessive. That’s down from 57% in 2021.
Perceptions aside, CISOs still confront a troubling skills gap, challenges surrounding talent acquisition and retention, alert fatigue and burnout — all of which can negatively impact mental health, Milică said.
“We're already struggling with having enough resources. We definitely do not want to completely exhaust the ones we do have,” she said.