Cyber security: high priority - high insecurity


A study shows that almost half of global executives do not feel well prepared for a cyber attack. And this despite the fact that they also give cybersecurity a high priority. While German executives are the best at assessing cyber vulnerabilities, they need to work on their relationship with the CISO.

Proofpoint, Inc., one of the leading next-generation cybersecurity and compliance companies, and Cybersecurity at MIT Sloan (CAMS), an interdisciplinary research consortium, have published their study "Cybersecurity: The 2022 Board Perspective". The report captures what business leaders perceive as the biggest challenges and risks facing their organization.

Cyber security at the top of the list

The issue of cyber security is high on the agenda of company management. 77 percent of the participants confirm that cyber security is a top priority in the management of their company. 76 percent discuss the topic at least once a month. 75 percent of participants believe they have a thorough understanding of the systemic risks their organizations face and 76 percent affirm they have made appropriate investments in cybersecurity.

Executives do not feel well prepared

In many cases, this optimism seems inappropriate or based on misjudgments. For example, nearly two-thirds (65%) of respondents believe their organization is at risk of a major cyberattack in the next 12 months. Almost half (47%) believe their organization is unprepared for a targeted attack. And only two-thirds of senior management rank human error as the number one cybersecurity vulnerability, despite the fact that the World Economic Forum has found that this factor drives 95 percent of all cybersecurity incidents. In the assessment of the risk emanating from human error, German executives come off best. 80 percent of them rate this factor as their biggest cyber vulnerability. This is the highest value in all the countries examined.

600 executives in the survey

The "Cybersecurity: The 2022 Board Perspective" study examines the responses of 600 executives in organizations with 5,000 or more employees across various industries. In August 2022, 50 board members were surveyed in each of 12 countries: the US, Canada, the UK, France, Germany, Italy, Spain, Australia, Singapore, Japan, Brazil and Mexico.

The report examines three key areas: the cyber threats and risks management faces, its level of preparedness to counter these threats, and its alignment with CISOs (Chief Information Security Officers), whose assessments Proofpoint analyzed in its Voice of the CISO 2022 report. There is a significant discrepancy between the two perspectives when it comes to assessing cyber risks, consequences and threats.

Threat landscape must be understood

“It is encouraging to see that cybersecurity is finally a focus of boardroom conversations. However, our report shows that leadership still has a long way to go when it comes to understanding the threat landscape and preparing their organizations for cyberattacks,” commented Lucia Milică, Vice President and Global Resident CISO at Proofpoint. “One of the ways management can improve its preparedness is by engaging with its CISOs. The relationship between senior management and CISOs is critical to protecting people and data, and both sides must strive to communicate and collaborate more effectively to ensure business success.”

The Proofpoint and CAMS cybersecurity study sheds light on global trends, as well as industry and region-specific differences among business leaders. Key results include:

  • There is a disconnect between senior management and CISOs when assessing the risk posed by cybercriminals
    65 percent of C-suite leaders believe their organization is at risk of a major cyberattack in the next 12 months, compared to 48 percent of CISOs. In Germany, as many as 70 percent of management assume that their company is at risk of a significant cyber attack in the next 12 months, compared to 40 percent of German CISOs.
  • Despite increased awareness of the dangers and the corresponding budgets, organizations are insufficiently prepared
    75 percent of global respondents believe they understand their organization's systemic risks, 76 percent believe they have adequately invested in cybersecurity, 75 percent believe their data is adequately protected, and 76 percent discuss cybersecurity at least once a month. Yet these efforts seem insufficient, with 47 percent of respondents believing their organization is unprepared to deal with a cyberattack in the next 12 months. In Germany, the figure is as high as 50 percent.
  • In contrast to their peers around the world, the management team of German organizations assesses the most serious consequences of a successful cyber attack in a similar way to their CISOs
    Disclosure of internal data tops the list of management concerns for organizations worldwide (37%), closely followed by damage to reputation (34%) and loss of revenue (33%). These concerns are in sharp contrast to those of CISOs, who are more concerned about significant downtime, business disruption and the impact on business valuations. In Germany, on the other hand, management and CISOs agree: Significant downtime is at the top of the list of concerns for both.
  • The relationship between board members and CISOs needs improvement
    There is a huge gap between the perspectives of executives and CISOs around the world: while 69 percent of executives say they communicate with their CISO as equals, only 51 percent of CISOs agree. In Germany, this discrepancy is even more pronounced: 89 percent of executives see themselves as equals with their CISO (the highest value among all countries surveyed), but only 48 percent of CISOs in Germany are of the same opinion.
  • There is a broad consensus among senior management and CISOs on different types of threats
    Globally, members of management cited email fraud/business email compromise (BEC) as their top concern (41%), followed by cloud account compromise (37%) and ransomware (32%). While email fraud/BEC and cloud account compromise are also a concern for CISOs, unlike the C-suite, they see insiders as the biggest threat. Executives in Germany cited cloud account compromise as their top concern (50%), followed by Distributed Denial of Service (DDoS, 44%) and ransomware (40%). German CISOs also ranked these threats as their top three concerns.
  • Managers are becoming increasingly comfortable with the requirements of the supervisory authorities
    80% of global respondents think organizations should be required to report a serious cyberattack to regulators within a reasonable timeframe, and only 6% disagree. In Germany, 78 percent have a positive opinion of such a reporting requirement, and none of those surveyed spoke out against it.

“Leaders play a key role in the cyber security culture and posture of their organizations. They have fiduciary and regulatory responsibility for their organizations. Therefore, they need to understand the cybersecurity threats their organizations are facing as well as the strategy their organizations are pursuing to become cyber resilient,” explains Dr. Keri Pearlson, Executive Director at Cybersecurity at MIT Sloan (CAMS). "Better alignment of cybersecurity priorities between CISOs and executives will go a long way in improving the protection and resilience of their organizations."

More at proofpoint.com

 


About Proofpoint

Proofpoint, Inc. is a leading cybersecurity company. Proofpoint focuses on protecting employees, because they represent a company's greatest capital but also its greatest risk. With an integrated suite of cloud-based cybersecurity solutions, Proofpoint helps organizations around the world stop targeted threats, protect their data, and educate enterprise IT users about the risks of cyberattacks.


 
