
UAE CISOs reflect on the unexpected outcomes of another turbulent year

Organisational cyber preparedness has greatly improved as increasing familiarity with the post-pandemic work environment has left CISOs feeling better equipped to deal with cyber threats

Andrew Rose, Resident CISO, EMEA, Proofpoint

Each year, Proofpoint conducts a survey of CISOs from across the globe to understand their perspectives and concerns. This year, our 2022 Voice of the CISO report captured surprising input from over 1,400 security leaders, including CISOs in the UAE.

Last year’s report highlighted an overabundance of worried leaders, concerned about the escalating threat landscape, and unsure of what risks to prioritise next. CISOs felt overwhelmed and under siege–it was a tough gig!

This year, the results felt a little more encouraging as CISOs in the UAE expressed more confidence about their cybersecurity posture after two years of unprecedented disruption. While more than two in five CISOs surveyed in the UAE (44 percent) feel that their organisation is at risk of suffering a material cyber-attack in the next 12 months, this is significantly down from 68 percent last year.

The good news

Security teams have had it rough for a few years—the changes driven by COVID were just the icing on a sponge cake of threat, risk, and peril. CISOs had been adapting to an ever-growing set of responsibilities covering operational resilience, application and product development, business continuity, compliance, privacy, risk management and, increasingly, physical security. It was not a role for the faint of heart, and that was before COVID delivered the hammer blow of cost cutting, enforced business agility and remote working with immediate, immovable deadlines.

It is interesting to consider then, that CISOs seem to feel that they have successfully navigated through this turbulent time and are emerging on the other side mostly intact. They would be right to take confidence from their sheer survival of the last few years. It is a validation of their control selection, management skills, and strategic vision.

Organisational cyber preparedness has greatly improved as increasing familiarity with the post-pandemic work environment has left CISOs feeling better equipped to deal with cyber threats. While 72 percent of CISOs in the UAE believed they were unprepared for a targeted attack in 2021, this is down to 47 percent this year.


The not so good news

There was continued recognition that the human was the primary attack surface for their enterprise, with 50 percent of UAE CISOs considering human error to be their biggest cyber vulnerability. When asked how employees were most likely to cause a data breach, CISOs in the UAE named the malicious insider, where employees intentionally steal company information, as the most likely vector.

Long-term hybrid working creates a larger data protection challenge, with employees now forming the defensive perimeter wherever they work. Around 32 percent of CISOs in the UAE agree that they have seen an increase in targeted attacks in the last 12 months. And more than 1 in 3 (37 percent) say that increases in employee transitions mean that protecting data has become a greater challenge.

CISOs across all regions also believe that the expectations of their superiors and colleagues are excessive. While CISOs feel less pressured, board buy-in remains precarious as cyber risk worries business leaders. Thirty-eight percent of CISOs feel that expectations of their role are excessive, down from 67 percent last year.

However, the perceived lack of alignment with the boardroom has increased, with only 14 percent of CISOs in the UAE strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity. When considering cyber risk, Emirati CISOs listed significant downtime, impact on business valuation and loss in revenue as top board concerns.

Why the sense of calm?

It appears the tough cybersecurity decisions throughout last year were not always aligned with the CISOs’ recommendations or risk appetite. We all know stories of corners being cut, and issues side-lined for the sake of business efficacy. This has reminded CISOs that, after a period of focus, support, and empowerment, the board really has other issues to manage as well, and security is just one piece of the puzzle.

As good corporate citizens, security leadership successfully managed risks and saw real benefits from taking a path that, perhaps in isolation, they would not have selected themselves. Even without proper credit, they can rightly be pleased that their tactics worked.


Looking forward

After two years of unprecedented disruption and new ways of working, CISOs in the UAE have had to prioritise their efforts to address cyber threats targeting today’s distributed, hybrid workforce.

Looking ahead, there is a lack of consensus among CISOs as to the most significant threats targeting their organisation. Business Email Compromise and Cloud Account Compromise (O365 or G Suite accounts being compromised) topped the list for CISOs in the UAE, both at 35 percent. They were closely followed by insider threats–whether negligent, accidental, or criminal–with 31 percent. Despite dominating recent headlines, ransomware came in at 28 percent.

With employees working from everywhere, cloud adoption now filling workplace gaps, and some short-term tactical controls still in place, IT setups are increasingly complex. Overall, CISOs appear to have embraced 2022 as the ‘calm after the storm’. However, they must remain vigilant as the storm hasn’t yet abated; organisations simply became accustomed to it, like the frog sitting calmly in the pan of gradually heating water. As geopolitical tensions rise and people-focused attacks escalate, the same gaps of user awareness, preparation, and prevention are ready to boil the water again.