Proofpoint’s annual Voice of the CISO report has revealed that 75% of CISOs in the UAE believe employees leaving the organisation contributed to a data loss incident, a challenge exacerbated by staff turnover. We take a closer look at the survey results and at how CISOs can focus on the right priorities to move their teams towards cyber-resilience.
Proofpoint, a leading cybersecurity and compliance company, has released its annual Voice of the CISO report, which explores key challenges, expectations and priorities of chief information security officers (CISOs). The findings reveal that most CISOs have returned to the elevated concerns they experienced early in the pandemic. A large proportion (75%) of CISOs in the UAE surveyed feel at risk of a material cyberattack, compared to 44% the year before, when they may have felt a brief sense of calm after adapting to the chaos of the pandemic. This year’s data is a shift back to 2021, when 68% of CISOs in the UAE believed a material attack was imminent. Likewise, sentiments about preparedness levels have reversed: 57% feel unprepared to cope with a targeted cyberattack, showing a moderate increase over last year’s 47% and a decrease from 2021’s 72%.
While organisations have largely overcome the disruptions of the last two years, the effects of The Great Resignation and employee turnover continue to linger, exacerbated by the recent wave of mass layoffs — 75% of CISOs in the UAE say that employees leaving the organisation played a role in a data loss event. Even though 47% of security leaders had to deal with the loss of sensitive information in the past 12 months, only 61% believe they have adequate data protection in place.
The 2023 Voice of the CISO report examines global third-party survey responses from more than 1,600 CISOs at mid-to-large size organisations across different industries. Throughout the course of Q1 2023, 100 CISOs were interviewed in each market across 16 countries: UAE, KSA, the US, Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, Australia, Japan, Singapore, South Korea and Brazil.
The report discusses global trends and regional differences around three central themes: the threats and risks CISOs face daily; the impact of employees on organisations’ cyber-preparedness; and the defences CISOs are building, especially as the economic downturn puts pressure on security budgets. The survey also measures the changes in alignment between security leaders and their boards of directors, exploring how their relationship impacts security priorities.
“Years of sustained remote and hybrid working have resulted in an increased risk around insider threat incidents, with our research revealing that three-quarters of CISOs in the UAE agree that people leaving the organisation contribute to data loss,” said Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint. “The rising challenges of protecting people and data, high expectations, burnout and uncertainty about personal liability are testing CISOs in the UAE. The way forward is to implement layered defences, including a dedicated insider threat management solution and strong security awareness training, so organisations are well protected against threats that focus on people as the main perimeter.”
Proofpoint’s Voice of the CISO report for 2023 includes the following findings about the UAE:
• CISOs in the UAE have returned to the elevated concerns they experienced early in the pandemic, while also feeling more unprepared than last year: 75% of CISOs in the UAE feel at risk of experiencing a material cyberattack in the next 12 months, compared to 44% last year and 68% in 2021. Further, 57% believe their organisation is unprepared to cope with a targeted cyberattack, compared to 47% last year and 72% in 2021.
• The loss of sensitive data is exacerbated by employee turnover: 47% of security leaders in the UAE reported having to deal with a material loss of sensitive data in the past 12 months, and of those, 75% agreed that employees leaving the organisation contributed to the loss. Despite those losses, 61% of CISOs in the UAE believe they have adequate controls to protect their data.
• Email fraud tops the list of the most significant threats: The top threats perceived by CISOs in the UAE are almost the same as last year. In both years, email fraud (Business Email Compromise) and cloud account compromise led the way, but this year they were followed by malware and smishing/vishing, whereas last year malware was joined by insider threats as the other top concerns.
• Most organisations are likely to pay a ransom if impacted by ransomware: 59% of CISOs in the UAE believe their organisation would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months. And they are relying on insurance to shift the risk — 56% said they would place a cyber insurance claim to recover losses incurred in various types of attacks.
• Supply chain risk is a recurring priority: 56% of CISOs in the UAE say they have adequate controls in place to mitigate supply chain risk, a modest increase from last year’s 49%. While these protections may feel adequate for now, going forward, CISOs may feel more strapped for resources — 65% say their budgets have been impacted.
• People risk grows as a concern: There is an increase in the number of CISOs in the UAE who view human error as their organisation’s biggest cyber vulnerability — 59% in this year’s survey vs. 50% in 2022 and 70% in 2021. At the same time, 56% of CISOs believe that employees understand their role in protecting the organisation, compared to 51% in 2022 and 69% in 2021; this illustrates a struggle to build a strong security culture.
• CISOs and boards are much more in tune: 63% of CISOs in the UAE agree their board members see eye-to-eye with them on cybersecurity issues. This is a substantial increase from the 47% of CISOs who shared this view last year and the same as the 63% who felt this way in 2021.
• Mounting CISO pressures are making the job increasingly unsustainable: 59% of CISOs in the UAE feel they face unreasonable job expectations, a significant increase from last year’s 38%. While the return to their new reality may be one reason behind this view, CISOs’ job-related angst is a likely contributor as well — 60% are concerned about personal liability and 59% say they have experienced burnout in the past 12 months.
“Security leaders must remain steadfast in protecting their people and data, a task made increasingly difficult as insiders prove themselves as a significant contributor to sensitive data loss,” said Ryan Kalember, Executive Vice President of Cybersecurity Strategy for Proofpoint. “If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures. Now that they have returned to elevated levels of concern, CISOs must ensure they focus on the right priorities to move their organisations towards cyber-resilience.”