The CISO in 2021: Coping with the not-so-calm after the storm

The CISO in 2021: Coping with the not-so-calm after the storm

Keith Bird, Senior Vice President, EMEA, Proofpoint, sheds light on understanding who in an organisation is now most vulnerable to attack, the types of attack they are likely to face – and how everyone, from the CISO to the HR team, has a part to play in keeping those attacks at bay.

In the aftermath of the global pandemic, CISOs in the UAE and around the world are faced with supporting remote environments in the long term, in addition to hybrid environments, all the while deterring ever-more sophisticated cybercriminals emboldened by a year of disruption and uncertainty.

The result is a broad and varied threat landscape, with numerous attack methods focused on users in relatively new working conditions across a much larger attack surface. It’s little wonder that CISOs around the world are feeling the pressure.

In the UAE, over two-thirds feel at risk of suffering a material cyberattack within the next 12 months. Furthermore, 71% of CISOs in the UAE are more concerned about the repercussions of a cyberattack in 2021 than they were in 2020, the highest percentage across the 14 global countries surveyed by Proofpoint.

Even more concerning is that, despite knowing the risk, most CISOs feel unprepared. Over two-thirds of CISOs in the UAE do not think their organisation could cope with a cyberattack.

As we move on from the pandemic, we need to understand who in our organisations is now most vulnerable to attack, the types of attack they are likely to face – and how everyone, from the CISO to the HR team, has a part to play in keeping those attacks at bay.

Facing threats, old and new

Modern organisations face an array of potential threats and cybercriminals continue to embrace them all, old and new. Of the attacks causing concern for CISOs in the UAE right now are insider threats (29%), phishing (28%), Business Email Compromise (25%), supply chain attacks and ransomware (22% each). There is no one-size-fits-all defence against such a varied threat landscape. While some tools and technical controls may protect against more than one style of attack, that is just one facet of effective cyber defence.

A modern cyber strategy must have security awareness training at its heart. And, for maximum impact, this training needs to be tailored and adaptive – not just to certain threats but also to the users who are on the front line. A lack of understanding about your most vulnerable users and the types of attacks they are likely to face makes it very difficult to prioritise a cyber defence strategy.

And with hybrid working, flexible hours and multiple access points now the norm, gaining that understanding is increasingly difficult.

Solving the people problem

Naturally, the challenges facing the modern CISO are not focused on one front. Those on the receiving end of cyberattacks are of just as much concern as those behind them.

More than two thirds believe that users are the most significant risk facing their organisation. And just like the threats from the outside, there are several causing concern from within. Unauthorised devices, tools and applications, as well as falling victim to phishing emails are just some of the issues keeping CISOs up at night.

With many users now out of sight, working remotely, at least some of the time, these concerns are more pressing than they may once have been. Two out of three CISOs believe that remote working increases the risk facing their organisation. 76% of CISOs in UAE revealed they had seen an increase in targeted attacks since enabling remote working, the highest among the surveyed countries.

Working from home calls for slight alterations to security best practice. The use of personal networks and devices may require increased protocols and protections. As we reimagine office environments, empowering our people to take greater ownership of the way they work, we have an opportunity to do the same for cyber defence. To build strategies that acknowledge the vital role people play in keeping organisations safe.  

Building a defence for a brighter future

Despite the scale of recent challenges, many CISOs in UAE have a bright outlook for the years ahead.

Over three quarters believe they will be better equipped to resist and recover from cyberattacks by 2022/23. And almost all intend to enhance their cyber defences to make this possible. Most predict improvements in addressing supplier risk, supporting remote working, as well as enabling business innovation. Whatever the physical or virtual characteristics of the workplace, people will always be at its centre. And, wherever they are, they are likely to remain squarely in the crosshairs of cybercriminals – with over 90% of cyberattacks requiring human interaction to succeed.

So, whatever the threats facing CISOs, people form the vital last line of defence. Building this defence means creating a vigilant and knowledgeable workforce, whether in the office, at home or anywhere else.

The more each user understands about the threats they face, the methods behind them and how their behaviour can mean the difference between success and failure, the better able they are to protect your organisation from harm.

Ultimately, the CISOs job is not an easy one. No doubt, the years ahead will bring many challenges. But, knowing the central part they place in the vast majority of cyberattacks today, user awareness should no longer be one of them.  

Browse our latest issue

Intelligent CIO Middle East

View Magazine Archive