Are CISOs Optimistic? Or Confused?
Given the announcement every day of a new breach, that CISOs’ confidence is growing is a bit strange. I think it is more how the media is viewing the numbers.
70 percent of surveyed CISOs feel at risk of a material cyber attack over the next 12 months. That is up from 68 percent last year and 48 percent in 2022. That doesn’t sound like confidence to me.
However, only 43 percent feel unprepared to cope with a targeted attack – still, that is almost half. So, it is basically a toss-up as to whether a company will be able to handle an attack or not.
However, and here is where the optimism comes in, 43 percent is better than last year’s 61 percent or 2022’s 50 percent. Notice that drawing a trend line on those three numbers would be hard.
What do CISOs think the biggest risk exposure is? 74 percent said human error.
80 percent say negligent employees are a key risk factor over the next two years.
What do CISOs think the biggest tool risks are? In order, they are:
- ChatGPT and other generative AIs (44 percent)
- Slack/Teams/Zoom and other collaboration tools (39 percent)
- Office 365 (38 percent)
Given that the media has voted those folks optimistic (note that the numbers don’t seem to support that), what is the reality that these CISOs said they dealt with in the last year?
46 percent said that they had to deal with a material loss of sensitive data in the last year. They said that employees leaving was the biggest contributor to that.
Somehow, possibly in a drug-induced euphoria, 81 percent believe they have adequate controls in place to protect their data. That seems to completely conflict with the previous paragraph.
Half said that they have introduced data loss prevention technology and half also said that they have invested in employee education. The other half – they are hoping that the first half is wrong, I guess.
One good piece of news is that more than three quarters think they are on the same page as their board. This is up from just half two years ago.
Almost two thirds said that the current economic climate has hampered their ability to make the cybersecurity investments that they think are critical.
This survey only included CISOs from larger companies – more than a thousand employees. I think the story is much bleaker for small companies.
If you need help strategizing about this and implementing better controls – rather than the half of large companies that are using hope as their key strategy – please contact us.
Credit: Help Net Security