As businesses continue to grapple with the pandemic and draw lessons from its impact on operations, one thing is becoming clear: businesses can no longer afford to ignore the real threats of cyberattacks.
That was one of the topics discussed at the Proofpoint 2021 Voice of the CISO Roundtable, an event that brought together chief information security officers from various sectors to talk about the pandemic’s impacts on their role within their organizations.
As some of the participants noted, the sudden change in operations caused by the pandemic – in particular, the immediate need to set up the IT infrastructure needed to allow almost all of their employees to work remotely – was a natural (if sped up) progression in terms of where business was already heading.
“At the beginning of the pandemic – I’m looking at March of 2020 – there was a lot of discussion about our ability to be able to work remotely,” said Martin Littmann, CTO & CISO at Houston-based Kelsey-Seybold Clinic.
“We were, to a certain extent, already well prepared for a bunch of remote work. Some of the concern we had was now we’re going to throttle up our infrastructure and have a whole lot of people working remotely instead of a smaller number, and would we be ready to do that.”
Littmann said his organization was able to achieve that goal thanks to the steps towards more remote work that had already been taken before the pandemic, a position that Paige Adams, the Schaumburg, IL-based global CISO at Zurich Insurance, echoed in his remarks – adding that a company’s rapid response to the challenges posed by the pandemic was only possible when CISOs had a critical voice within their organizations.
“The role of the CISO has been evolving over the last several years, maybe more sharply so in the past year,” he said.
“If you look back at CISOs 10 years ago versus five years ago, what you’re starting to see is the CISO is more and more part of the core business operation and is seen as a business enabler. And I think that’s because more companies are adopting cyber security as a core part of their business strategy. More often, the CISO has a seat at the table.”
Even so, many CISOs remain uneasy about how far their influence goes when it comes to protecting their organizations.
Released prior to the roundtable discussion, Proofpoint’s 2021 Voice of the CISO report explores some of the challenges facing CISOs, particularly after a year like no other.
Among the findings, a full two-thirds (66%) of CISOs surveyed felt their organizations were unprepared to handle a cyberattack, while 58% considered human error to be their biggest cyber vulnerability – proving that the work-from-home model necessitated by the pandemic has tested CISOs like never before.
“Last year, cybersecurity teams around the world were challenged to enhance their security posture in this new and changing landscape, literally overnight,” said Lucia Milică, global resident CISO at Proofpoint and the roundtable’s moderator.
“This required a balancing act between supporting remote work and avoiding business interruption, while securing those environments. With the future of work becoming increasingly flexible, this challenge now extends into next year and beyond.”
Other findings from the report:
- Sixty-four per cent (64%) of surveyed CISOs feel at risk of suffering a material cyberattack in the next 12 months.
- When asked about the types of attacks they expect to face, there was no clear answer, with diverse threats such as business email compromise (34%), cloud account compromise (33%), and insider threats (31%) topping the list.
- Despite recent headlines of high-profile attacks, supply chain attacks came in fifth, with 29%, and ransomware seventh, with 27%.
Perhaps more troubling was the finding that user awareness of cyber threats doesn’t always lead to behavioral change.
While more than half of survey respondents believe employees understand their role in protecting their organization from cyber threats, 58% of global CISOs still consider human error to be their organization’s biggest cyber vulnerability, listing purposefully leaking data (criminal insider attack), clicking malicious links, or downloading compromised files as the most likely ways employees put their business at risk.
A good portion of the roundtable was also spent discussing how long-term hybrid work environments present a new challenge for CISOs: 58% of CISOs agree that remote working has made their organization more vulnerable to targeted cyberattacks, with three in five revealing they had seen an increase in targeted attacks in the last 12 months.
“In addition to securing many more points of attack and educating users on long-term remote and hybrid work, CISOs must instill confidence among customers, internal stakeholders, and the market that such setups are workable indefinitely,” Milică said.