70% of CISOs worry their org is at risk of a material cyber attack

Wait, why do you want this job again?


Chief information security officers around the globe "are nervously looking over the horizon," according to a survey of 1,600 CISOs that found more than two thirds (70 percent) worry their organization is at risk of a material cyber attack over the next 12 months. 

This is compared to 68 percent the year prior, and 48 percent in 2022. Additionally, nearly a third (31 percent) believe a significant attack is "very likely," compared to 25 percent in 2023.

For its annual Voice of the CISO report, Proofpoint polled CISOs from organizations with at least 1,000 employees across 16 countries: the US, Canada, UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, Singapore, South Korea, and Brazil. Research firm Censuswide conducted the survey between January 20 and February 2, and interviewed 100 CISOs in each country, we're told.

Of those surveyed, we'd assume that CISOs in South Korea (91 percent), Canada (90 percent) and the US (87 percent) get the least sleep each night, as these are the three top percentages of chief infosec officers who are concerned about experiencing a material cyber attack. 

Very closely tied to these worries: 43 percent report that their org is unprepared for an attack, which is at least an improvement on 61 percent last year.

Their reasons for sleeplessness were many. Forty-one percent of those surveyed rated ransomware as the top threat over the next 12 months, followed by malware (38 percent), email fraud (36 percent), cloud account compromise (34 percent), insider threats (30 percent) and distributed denial of service attacks (30 percent).

In the case of a ransomware infection, 62 percent of CISOs revealed they would likely pay to restore systems and/or prevent attackers from leaking stolen data. This remains the same as last year's survey – and comes amid ongoing indicators that paying extortionists doesn't prevent sensitive information from being released.

As your humble vulture scoured this 2024 survey, she couldn't help but wonder: Why would anyone want this job?

And it appears that many CISOs feel this way, too – despite a short section on "encouraging trends" that Proofpoint has observed since it first started producing this annual report in 2021.

These include: "An increase in cyber security representation at the board level," along with "closer alignment between CISOs and board members" and a "growing acceptance of the need for human-centric security strategies."

Yay for encouraging trends.

However, also since 2021 a growing number of CISOs have lamented that there are "excessive expectations" put on them and chief security officers. This year, 66 percent of those surveyed cited unrealistic expectations, compared to 61 percent last year, 49 percent in 2022 and 21 percent in 2021. 

More than half (53 percent) told the survey they have either personally experienced, or at least witnessed, burnout over the past 12 months. 

Some of this can be attributed to high-profile legal battles involving CISOs and holding them accountable for companies' data breaches.

This included last year's SEC charges against SolarWinds and its CISO Tim Brown – essentially accusing him of not doing his job ahead of the 2020 supply chain attack.

"With incidents like these top of mind, 66 percent of global CISOs are concerned about personal, financial and legal liability in their role," the report says, noting that figure is only slightly higher than last year's (62 percent). ®
