Burnout and Liability: The Perks of Being a Modern CISO
The «2024 Voice of the CISO» report by Proofpoint paints a vivid picture of the tumultuous landscape that CISOs have navigated recently After all, dealing with a global pandemic, the chaos of remote work, and record levels of employee turnover was just a walk in the park. Now, with hybrid working becoming the norm and cloud technology expanding the attack surface to unprecedented levels, CISOs can finally relax, right? Wrong.
Cyber threats are more targeted, sophisticated, and frequent than ever. Employees are more mobile, often taking sensitive data with them as they hop from job to job. And let’s not forget the generative AI tools that, while promising, have also made it easier for cybercriminals to launch devastating attacks with just a few dollars.
Sure, CISOs are enjoying closer ties with key stakeholders, board members, and regulators. But this newfound proximity only brings higher stakes, more pressure, and heightened expectations. And with flat or reduced budgets, CISOs are expected to do much more with considerably less. In this environment, shortcuts are sometimes necessary, but they can lead to human error—because, of course, everything always goes perfectly when you’re under-resourced and overworked.
To better understand how CISOs are navigating yet another high-pressure year, Proofpoint surveyed 1,600 CISOs worldwide. They asked about their roles, outlooks for the next two years, and how they see their responsibilities evolving. The report explores the delicate balance between concern and confidence as various factors combine to ramp up the pressure on CISOs. It delves into the persistent risks posed by human error, the challenges of burnout and personal liability, and the evolving relationship between CISOs and the boardroom.
Unpacking in more detail in PDF (at the end of post) or below (plaintext)
Benefits
📌Comprehensive Data: The report surveys 1,600 CISOs from organizations with 1,000 or more employees across 16 countries, providing a broad and diverse dataset.
📌Current Trends and Challenges: It highlights key issues such as the persistent vulnerability of human error, the impact of generative AI, and the economic pressures on cybersecurity budgets.
📌Strategic Insights: The report offers actionable insights and recommendations, such as the importance of AI-powered technologies, improving employee cybersecurity awareness, and the need for robust incident response plans.
📌Board-CISO Relations: It underscores the improving relationship between CISOs and board members, which is crucial for aligning cybersecurity strategies with business objectives.
Limitations
📌Overemphasis on AI: The report places significant emphasis on AI as both a threat and a solution. While AI’s role in cybersecurity is undeniable, the focus might overshadow other critical areas that also need attention.
📌Potential Bias in Self-Reported Data: The data is self-reported by CISOs, which can introduce bias. CISOs might overstate their preparedness or the effectiveness of their strategies to present a more favorable view of their performance.
📌Focus on Large Organizations: The survey targets organizations with 1,000 or more employees, which may not accurately reflect the challenges and realities faced by smaller organizations. This focus can limit the applicability of the findings to a broader range of businesses.
📌Economic and Regional Variations: While the report covers multiple countries, the economic and regulatory environments vary significantly across regions. The findings might not be universally applicable, and regional nuances could be underrepresented.
📌Human-Centric Security: Although the report emphasizes human-centric security, it might not fully address the complexities of implementing such strategies effectively. The reliance on user education and awareness can be seen as placing too much responsibility on employees rather than improving systemic defenses
Methodology
Survey Scope
📌The survey was conducted by the research firm Censuswide between January 20 — February 2, 2024.
📌It surveyed 1,600 Chief Information Security Officers (CISOs) from organizations with 1,000 or more employees across different industries in 16 countries.
📌100 CISOs were interviewed in each of the following markets: U.S., Canada, U.K., France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, Singapore, South Korea, and Brazil.
Industry Representation:
📌IT, technology, and telecoms (42%)
📌Manufacturing and production (14%)
📌Financial services (12%)
📌Retail (8%)
📌Business and professional services (6%)
📌Public sector (5%)
📌Healthcare (3%)
📌Education (3%)
📌Media, leisure, and entertainment (3%)
📌Transport (2%)
📌Energy, oil/gas, and utilities (2%)
Company Size:
📌1,000 — 2,500 employees (48%)
📌2,501 — 5,000 employees (33%)
📌5,001 or more employees (19%)
Research Standards:
📌Censuswide, the research firm conducting the survey, complies with the MRS Code of Conduct and ESOMAR principles, ensuring adherence to industry standards and ethical practices.
Heightened Concerns But Growing Confidence
Increased Risk Perception:
📌Material Cyber Attack Risk: Over two-thirds (70%) of CISOs feel at risk of a material cyber attack in the next 12 months, a slight increase from 68% last year and significantly higher than 48% in 2022.
📌High Likelihood: 31% of CISOs rate the risk of a significant attack as «very likely, » up from 25% in 2023.
Geographical Concerns:
📌Most Concerned Regions: CISOs in South Korea (91%), Canada (90%), and the US (87%) are the most concerned about experiencing a material cyber attack.
📌Optimistic Regions: Brazil’s CISOs are the most optimistic, with only 45% fearing an attack.
Industry-Specific Concerns:
📌High-Risk Industries: Education (86%), transport (77%), and retail, healthcare, and public sector (all 74%) lead in cyber attack concerns.
Awareness vs. Preparedness:
📌Awareness: While 70% of CISOs feel at risk, only 43% believe their organization is unprepared to cope with a targeted cyber attack in 2024, an improvement from 61% in 2023 and 50% in 2022.
📌Preparedness Gap: The gap between awareness and preparedness remains a concern, highlighting a disconnect between recognizing risks and being ready to address them.
Top Threats:
📌Ransomware: 41% of CISOs see ransomware as the leading threat in the next 12 months.
📌Other Threats: Malware (38%), email fraud (36%), cloud account compromise (34%), insider threats (30%), and DDoS attacks (30%) are also significant concerns.
Regional Threat Focus:
📌Ransomware: Top concern in Japan (64%), UK (51%), Sweden (49%), and the Netherlands (49%).
📌Email Fraud: Major concern in Saudi Arabia (50%), Australia (46%), Germany (46%), Canada (42%), the Netherlands (42%), and Japan (42%).
Human Error: The Persistent Vulnerability
Human Error as the Biggest Vulnerability:
📌74% of CISOs consider human error to be their organization’s biggest cyber vulnerability, up from 60% in 2023 and 56% in 2022.
📌However, only 63% of board members agree that human error is the biggest vulnerability, suggesting CISOs need to better communicate this risk to the board.
Employee Negligence as a Key Concern:
📌80% of CISOs see human risk, including employee negligence, as a key cybersecurity concern over the next two years, up from 63% in 2023.
📌This sentiment was most strongly felt in France (91%), Canada (90%), Spain (86%), South Korea (85%), and Singapore (84%).
Employee Awareness vs. Capability:
📌86% of CISOs believe their employees understand their role in defending the organization, with 45% strongly agreeing.
📌However, CISOs still feel that employees pose an enormous risk, implying that while employees understand their responsibilities, they lack the necessary skills, knowledge, and tools to effectively defend against threats.
Adoption of AI-Powered Capabilities:
📌87% of CISOs are looking to deploy AI-powered capabilities to protect against human error and block advanced human-centric cyber threats.
📌Industries leading the adoption include retail (81%), IT, technology, and telecoms (89%), and education (88%).
Regional and Industry Variations:
📌CISOs in Saudi Arabia (84%), Canada (83%), and France (82%) are most concerned about human error being their organization’s biggest cyber vulnerability.
📌Industries with the highest concern about human error include education (89%), media, leisure, and entertainment (85%), and the public sector (78%).
Data Protection and Insider Threats
Reduction in Data Loss:
📌Fewer than half (46%) of global CISOs reported a material loss of sensitive information in the past 12 months, down from 63% last year.
Geographical Variations:
📌South Korea (77%), Canada (61%), France (58%), and Germany (57%) reported higher rates of sensitive data loss compared to the global average.
Industry-Specific Data Loss:
📌Education (68%), financial services (54%), and media, leisure, and entertainment (54%) sectors were most affected by sensitive data loss.
Causes of Data Loss:
📌Negligent insiders or careless employees were blamed for 42% of data loss incidents.
📌Other significant causes included external attacks (40%) and malicious or criminal insiders (36%).
📌Additional factors included system misconfiguration (27%) and lost or stolen devices (28%).
Employee Turnover and Data Loss:
📌73% of CISOs said that employees leaving their organization played a role in data loss events.
📌Although concern around data loss due to job switchers has decreased from 82% last year, it remains a significant issue.
Impact of Data Loss:
📌The consequences of data loss included financial loss (43%), post-attack recovery costs (41%), and loss of critical data (40%).
Mitigation Strategies:
📌To combat data loss, CISOs are focusing on educating employees about security best practices (53%) and using cloud security solutions (52%).
📌Other measures include deploying data loss prevention (DLP) technology (51%), endpoint security (49%), email security (48%), and isolation technology (42%).
Future Priorities:
📌87% of CISOs agree that information protection and data governance are top priorities, a significant increase from previous years.
📌The adoption of DLP technology has surged, with 51% of CISOs now using it, up from 35% last year.
📌81% of CISOs believe their data is adequately protected, up from 60% in 2023.
The Cyber Realities for a CISO in 2024
Generative AI:
📌Security Risks: 54% of CISOs believe generative AI poses a security risk to their organization.
📌Double-Edged Sword: While AI can aid cybercriminals by making attacks easier to scale and execute, it also provides defenders with real-time insights into threats, which traditional methods cannot match.
📌Top Concerns: ChatGPT and other generative AI models are seen as significant risks, followed by collaboration tools like Slack and Teams (39%) and Microsoft 365 (38%).
Economic Impact:
📌Economic Conditions: 59% of CISOs agree that current economic conditions have negatively impacted their organization’s ability to resource cybersecurity budgets.
📌Regional Impact: CISOs in South Korea (79%), Canada (72%), France (68%), and Germany (68%) feel the economic impact most acutely.
📌Budget Constraints: Nearly half (48%) of CISOs have been asked to cut staff, delay backfills, or reduce spending.
Priorities and Strategies:
📌Top Priorities: Improving information protection and enabling business innovation remain top priorities for 58% of CISOs.
📌Employee Cybersecurity Awareness: Improving employee cybersecurity awareness has become the second-highest priority, indicating a shift towards human-centric security strategies.
Board Relations:
📌Alignment with Board: 84% of CISOs now see eye to eye with their board members on cybersecurity issues, up from 62% in 2023.
📌Board-Level Expertise: 84% of CISOs believe cybersecurity expertise should be required at the board level, reflecting a significant increase from previous years.
Challenges and Pressures:
📌Unrealistic Expectations: 66% of CISOs believe there are excessive expectations on their role, a continued increase from previous years.
📌Burnout: More than half (53%) of CISOs have experienced or witnessed burnout in the past 12 months, although there is a slight improvement with 31% reporting no burnout, up from 15% last year.
📌Personal Liability: 66% of CISOs are concerned about personal, financial, and legal liability, with 72% unwilling to join an organization without directors and officers (D& O) insurance or similar coverage.
Strengthening Board-CISO Relations
Improved Alignment:
📌Increased Agreement: 84% of CISOs now report seeing eye to eye with their board members on cybersecurity issues, a significant increase from 62% in 2023 and 51% in 2022.
📌Industry Variations: The highest levels of agreement are seen in healthcare (91%), transport (88%), and energy, oil/gas, and utilities (81%).
Board-Level Expertise:
📌Cybersecurity Expertise: 84% of CISOs believe that cybersecurity expertise should be required at the board level, up from 62% in 2023.
📌Regional Differences: CISOs in Saudi Arabia (95%), Brazil (92%), Germany (90%), and UAE (90%) report the highest levels of agreement with their boards.
Board Concerns:
📌Top Concerns: CISOs believe that their boards are most concerned about disruption to operations (44%), loss in revenue (44%), and reputational damage (43%) in the event of a material cyber attack.
📌Country-Specific Concerns: Concerns vary by country, with some regions prioritizing different aspects of the impact of cyber attacks.
Factors Behind Improved Relations:
📌Post-Pandemic Influence: Many CISOs have maintained their place at the table post-pandemic, influencing wider business strategy.
📌Communication: CISOs have taken steps to speak the language of the boardroom, translating security concerns into potential business impacts.
Enduring Integration:
📌Long-Term Change: The integration of CISOs into the boardroom is seen as an enduring enhancement to business strategy, necessary for success in the modern digital era.
The Story Continues… Unrelenting Pressure on CISOs
Increased Expectations:
📌Unrealistic Demands: 66% of CISOs believe there are excessive expectations on their role, a continued increase from 61% in 2023 and 49% in 2022.
📌Global Variations: The highest levels of perceived excessive expectations are in Saudi Arabia (88%), UAE (87%), and South Korea (75%).
Burnout:
📌High Incidence: More than half (53%) of CISOs have experienced or witnessed burnout in the past 12 months.
📌Improvement: There is some progress, with 31% of CISOs reporting no burnout, up from 15% last year.
📌Regional Differences: CISOs in South Korea (72%), Sweden (63%), and Australia (62%) are most likely to have experienced or witnessed burnout.
Personal Liability Concerns:
📌Legal and Financial Risks: 66% of CISOs are concerned about personal, financial, and legal liability, up from 62% in 2023.
📌Insurance Coverage: 72% of CISOs would not join an organization without directors and officers (D& O) insurance or similar coverage against financial liability in the event of a successful cyberattack.
📌Industry Concerns: CISOs in manufacturing and production (75%), financial services (74%), and retail (68%) feel most strongly about the need for such insurance.
Impact of High-Profile Cases:
📌Influence of Legal Cases: High-profile legal cases, such as the SEC charges against a SolarWinds CISO, have heightened concerns about personal liability.
Ongoing Challenges:
📌Resource Constraints: CISOs continue to face challenges with flat or reduced budgets, making it difficult to meet the growing demands and expectations placed on them.
Conclusion
Increased Concern but Improved Preparedness:
📌More CISOs are concerned about a material cyber attack in the near future.
📌Fewer CISOs feel unprepared, indicating greater confidence in their defensive measures.
Closer Relationships with Stakeholders:
📌CISOs report closer relationships with key stakeholders and the boardroom.
📌This change highlights the growing recognition of the CISO role at the highest organizational levels and the importance of cybersecurity.
Ongoing Challenges:
📌Employee Turnover: Continues to be a critical concern, with job leavers posing a sustained risk of data loss across all sectors.
📌Adoption of DLP Technology: Many CISOs have adopted Data Loss Prevention (DLP) technology and invested in employee education to mitigate this risk.
Evolving Threat Landscape:
📌Familiar Threats: Ransomware and Business Email Compromise (BEC) attacks remain significant concerns.
📌Emerging Technologies: AI poses new challenges but also offers potential solutions.
Human-Centric Security:
📌People and their behaviors continue to pose the greatest ongoing risk to organizations.
📌Many CISOs are investing more in human-centric security approaches, leveraging AI to help mitigate human error.
CISO Role Challenges:
📌Personal Liability: Growing concern around personal liability.
📌Excessive Expectations: Increasing numbers of CISOs report excessive expectations, burnout, and challenging budgets.
📌Addressing these issues is crucial to ensure CISOs are equipped for their roles now and in the future.
Unpacking in more detail in PDF