Proofpoint’s 2022 Voice of the CISO report reveals CISOs in KSA have growing confidence in their security posture
- 38% of survey respondents consider human error their organization’s biggest cyber vulnerability, as a hybrid workforce presents new challenges for cybersecurity teams
Riyadh, KSA – Proofpoint, Inc., a leading cybersecurity and compliance company, today released its annual Voice of the CISO report, which explores key challenges facing chief information security officers (CISOs). While the world’s CISOs spent 2021 coming to terms with new ways of working, many now feel much more in control of their environment: 27% of CISOs in Saudi Arabia feel that their organization is at risk of suffering a material cyber attack in the next 12 months, down from 58% last year.
But feeling prepared for a cyber attack is vastly different from being prepared. This growing confidence among CISOs is likely a result of successfully overcoming a seismic event (the pandemic) rather than any tangible change in risk levels or preparedness. Our report reveals that 28% of CISOs in KSA still feel their organization is unprepared to handle a cyber attack and 38% consider human error to be their biggest cyber vulnerability, with established work-from-anywhere setups and The Great Resignation presenting new challenges around information protection.
This year’s Voice of the CISO report examines global third-party survey responses from more than 1,400 CISOs at mid-to-large size organizations across different industries. Throughout the course of Q1 2022, one hundred CISOs were interviewed in each market across 14 countries: the U.S., Canada, the UK, France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, KSA, Australia, Japan, and Singapore.
The survey explores three key areas: the threat risk and types of cyber attacks CISOs combat daily, the levels of employee and organizational preparedness facing them, and the impact of supporting a hybrid workforce as businesses prepare to re-open their corporate offices. It also uncovers the challenges CISOs experience in their roles, their position among the C-suite, and business expectations of their teams.
“As high-profile attacks disrupted supply chains, made headlines, and prompted new cybersecurity legislation, 2021 proved to be another challenging time for CISOs around the world. But as CISOs adapt to new ways of working, it is encouraging to see that they now appear more confident about their security posture,” commented Andrew Rose, Resident CISO for EMEA at Proofpoint. “As the impact of the pandemic on security teams gradually fades, our 2022 report uncovers a pressing issue. As workers leave their jobs or opt out of returning to the workforce, security teams are now managing a host of information protection vulnerabilities and insider threats.”
Proofpoint’s Voice of the CISO 2022 report highlights general trends as well as regional differences among the global CISO community. Key findings from the KSA respondents include:
- CISOs in KSA are the most confident about their cyber security posture compared with their peers: while global CISOs appear more in control of their environment, CISOs in KSA are the most optimistic, with only one in four (27%) feeling at risk of suffering a material cyber attack in the next 12 months, compared with 58% last year. The global average was 48%.
- There is a lack of consensus among CISOs as to the most significant threats targeting their organization: this year, supply chain attacks topped the list for CISOs in KSA at 32% but were closely followed by smishing/vishing attacks (30%), ransomware (29%) and insider threats–whether negligent, accidental, or criminal–at 28%.
- Organizational cyber preparedness has greatly improved: increasing familiarity with the post-pandemic work environment has also left CISOs feeling better equipped to deal with cyber threats. While 66% of CISOs in KSA believed they were unprepared for a targeted attack in 2021, this is down to 28% this year.
- Employee security awareness is increasing, but users are still not adequately skilled for the role of cyber defense: while 43% of survey respondents in KSA believe employees understand their role in protecting their organization from cyber threats, 38% still consider human error to be their organization’s biggest cyber vulnerability. In the last year, only 29% of CISOs in KSA surveyed have increased the frequency of cyber security training for employees.
- Long-term hybrid work makes protecting data a top new challenge for CISOs: with employees now forming the defensive perimeter wherever they work, 29% of KSA CISOs agree that they have seen an increase in targeted attacks in the last 12 months and that protecting data has become a greater challenge. When asked how employees were most likely to cause a data breach, KSA CISOs named compromised insider attacks as the most likely vector, where employees inadvertently expose their credentials, giving cybercriminals access to sensitive data.
- Ransomware headlines have largely increased cyber risk awareness among the C-Suite and driven strategy shifts: recent high-profile attacks have pushed ransomware to the top of the agenda for organizations, with 40% of CISOs in KSA revealing they had purchased cyber insurance and 32% focusing on prevention over detection and response strategies. Despite the rising stakes, however, a concerning 63% of KSA CISOs admit they have no ransom payment policy in place.
- While CISOs in KSA feel the least pressure compared with their peers, board buy-in remains precarious as cyber risk worries business leaders: only 28% of CISOs feel that expectations on their role are excessive, down from 65% last year. However, the perceived lack of alignment with the boardroom has increased, with only 10% of CISOs in KSA strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity. When considering cyber risk, CISOs listed disruption to operations, loss of revenue and loss of current customers as top board concerns.
“After two years of unprecedented disruption and new ways of working, CISOs in the UAE have had to prioritize their efforts to address cyber threats targeting today’s distributed, hybrid workforce. Their focus has gravitated towards preventing the most likely attacks such as business email compromise, cloud account compromise and insider threats,” said Emile Abou Saleh, Regional Director, Middle East & Africa at Proofpoint. “Overall, CISOs now feel more in control of their environment and may be falling into a false sense of security. With our research revealing human error as an organization’s biggest cyber vulnerability, security awareness education across the organization should be a priority for CISOs to mitigate cybersecurity threats.”