Global recession and a move to post-pandemic conditions are offering a reality check for chief information security officers, a new Proofpoint survey shows.

WHY IT MATTERS

The new report, 2023 Voice of the CISO, offers global insights into the challenges, priorities and expectations on information security professionals. 

CISOs from healthcare and more than dozen industries across 16 countries participated in the survey, which was published on Tuesday. Based on their responses to questions about their experiences over the last year and their outlooks for the years ahead, the findings shed light on "how the global recession is applying pressure to security budgets and how CISOs must remain steadfast in pressing the C-suite for critical controls to protect their organizations," said Lucia Milica Stacy, Proofpoint's global resident CISO, in the report's forward.

But more CISOs are seeing better engagement with boards on cybersecurity challenges and better relationships with them. They are taking on greater influence and board-level interactions are more frequent, the researchers said.

The survey revealed leadership has "a better read of security posture and understanding of the threat landscape" this year. 

For example, "CISO concerns seem to be filtering through to the rest of the C-suite; board members agree that email fraud poses the most pressing threat," the researchers said.

Among the biggest security threats the CISOs said they perceive:

• Business email compromise – 33%.
• Insider threats – 30%.
• Cloud account compromise – 29%.
• Distributed denial of service attacks –29%.
• Supply chain attacks – 27%.
• Ransomware attacks – 27%.
• Smishing and vishing – 27%.
• Malware – 26%.

Proofpoint stressed that, despite growing engagement with the boardroom, it's imperative CISOs gain the kind of support from leadership that results in the resources they need to maintain robust cybersecurity programs, "even when dealing with a difficult business climate." 

"Our adversaries do not stop in an economic downturn," the researchers said.

While 61% of the CISOs surveyed agreed that their organization is unprepared to cope with a cyberattack, data governance is one area where some may be overconfident.

More than half of those polled – 62% – say they are confident that their organizations can detect and remove a threat actor using stolen or compromised credentials before any material damage occurs. 

Proofpoint says that belief may be misguided. 

"While most organizations may have adequate endpoint detection and response technology, such tools will not alert on compromised credentials," the researchers noted.

To combat data loss, 39% of CISOs surveyed said they educate employees on data security best practices; 36% have a cloud solution in place, 36% have isolation technology to eliminate entering credentials on web forms, 35% have a data loss prevention agent, 35% have email security technology and 35% have endpoint security.

Though better engagement with leadership has helped support CISOs in the demands of their work, those surveyed reported struggling with personal liability risks and the pressure of excessive expectations.

Up from 49% in 2022 and 57% in 2021, almost two-thirds, or 61%, of the CISOs surveyed said they faced excessive expectations.

"With the panic to secure home and hybrid setups behind them, many organizations are now tightening cybersecurity budgets," the researchers said. 

"The shift leaves CISOs with the same objectives but fewer resources to achieve them."

Proofpoint noted the healthcare sector represented 6% of its survey respondents, and that those CISOs reported feeling the least pressure. The report also indicated that half of the healthcare CISOs said that cybersecurity expertise is present in their boardrooms – more so than the CISOs from other industries.

Censuswide conducted the 2023 survey between January 30 and February 7, surveying CISOs from organizations of 200 or more employees and with 100 CISOs interviewed in each country including the U.S., Canada, the U.K., France, Germany, Italy, Spain, Sweden, the Netherlands, United Arab Emirates, Kingdom of Saudi Arabia, Australia, Japan, Singapore, South Korea and Brazil.

THE LARGER TREND

With the threat of ransomware and other challenges, resignations are growing. The healthcare IT workforce is also reporting high levels of burnout, so the concern for cybersecurity workforce mental health is rising.

Research by the Australia-based mental wellbeing support organization Cybermindz found that cyber professionals "live with the notion that the one successful attack that could end their career could be just around the corner."

This stress is not new to healthcare, where lives are on the line every day. Health system CISOs have suggested rigorous and routine training for incident response across the enterprise to help build cybersecurity 'muscle memory' and resilience.

"If you're addressing an issue for the very first time, you won't be able to do it effectively, and so exercising regularly to be able to respond to incidents I think is really important in order to be able to face one when it actually does happen," Anahi Santiago, CISO at Delaware-based ChristianaCare, told Healthcare IT News in September.

ON THE RECORD

"That CISOs are voicing these concerns is a huge step in the right direction," said Proofpoint researchers in the report. "And with most feeling more aligned with board members, they have a solid foundation upon which to build and deliver change. The question is, with shrinking budgets and long-term talent shortages, will CISOs have the resources they need to do so?"

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.