Proofpoint today released its annual Voice of the CISO report, which reveals that most CISOs have returned to the elevated concerns they experienced early in the pandemic. Fifty-five percent of CISOs surveyed in Saudi Arabia feel at risk of a material cyber-attack, compared to 27% the year before, when they may have felt a brief sense of calm after adapting to the chaos of the pandemic. This year’s data is a shift back to 2021, when 58% of CISOs in the Kingdom believed a material attack was imminent. Likewise, sentiments about preparedness levels have reversed: 49% feel unprepared to cope with a targeted cyber-attack, showing a significant increase over last year’s 28% and a decrease from 2021’s 66%.
While organizations have largely overcome the disruptions of the last two years, the effects of the Great Resignation and employee turnover continue to linger, exacerbated by the recent wave of mass layoffs—90% of CISOs in Saudi Arabia say that employees leaving the organization played a role in a data loss event. Even though 65% of security leaders had to deal with the loss of sensitive information in the past 12 months, 50% believe they have adequate data protection in place.
“Years of sustained remote and hybrid working have resulted in an increased risk around insider threat incidents, with our research revealing that nearly all CISOs in Saudi Arabia agree that people leaving the organization contribute to data loss,” said Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint. “The rising challenges of protecting people and data, high expectations, burnout, and uncertainty about personal liability are testing CISOs in Saudi Arabia. The way forward is to implement layered defenses, including a dedicated insider threat management solution and strong security awareness training, so organizations are well protected against threats that focus on people as the main perimeter.”
Proofpoint’s Voice of the CISO report for 2023 includes the following findings about Saudi Arabia:
- CISOs in Saudi Arabia have returned to the elevated concerns they experienced early in the pandemic, while also feeling more unprepared than last year: 55% of CISOs in Saudi Arabia feel at risk of experiencing a material cyber-attack in the next 12 months, compared to 27% last year and 58% in 2021. Further, 49% believe their organization is unprepared to cope with a targeted cyber-attack, compared to 28% last year and 66% in 2021.
- The loss of sensitive data is exacerbated by employee turnover: 65% of Saudi security leaders reported having to deal with a material loss of sensitive data in the past 12 months, and of those, 90% agreed that employees leaving the organization contributed to the loss. Despite those losses, 50% of CISOs in Saudi Arabia believe they have adequate controls to protect their data.
- Malware tops the list of the most significant threats: the top threats perceived by CISOs in Saudi Arabia have shifted, with malware now leading the way, followed by insider threats, ransomware attacks and email fraud (business account compromise). Last year, supply chain attacks were the top concern, followed closely by smishing/vishing and ransomware attacks.
- Most organizations are unlikely to pay a ransom if impacted by ransomware: Only 37% of CISOs in Saudi Arabia believe their organization would pay to restore systems and prevent data release if attacked by ransomware in the next 12 months, much lower than the global average of 62%. But they are more likely to rely on insurance to shift the risk—49% said they would place a cyber insurance claim to recover losses incurred in various types of attacks.
- Supply chain risk is an increasing priority: 48% of CISOs in Saudi Arabia say they have adequate controls in place to mitigate supply chain risk, an increase from last year’s 35%. While these protections may feel adequate for now, going forward, CISOs may feel more strapped for resources—42% say the shaky economy has negatively impacted their cybersecurity budget.
- People risk grows as a concern: there is an increase in the number of CISOs in Saudi Arabia who view human error as their organization’s biggest cyber vulnerability—48% in this year’s survey vs. 38% in 2022 and 69% in 2021. At the same time, 40% of CISOs believe that employees understand their role in protecting the organization, compared to 43% in 2022 and 62% in 2021; this illustrates a struggle to build a strong security culture.
- CISOs and boards are much more in tune: 45% of CISOs in Saudi Arabia agree their board members see eye-to-eye with them on cybersecurity issues. This is a substantial increase from the 28% of CISOs who shared this view last year but far below the 65% who felt this way in 2021.
- Mounting CISO pressures are making the job increasingly unsustainable: 51% of CISOs in Saudi Arabia feel they face unreasonable job expectations, a significant increase from last year’s 28%. While the return to their new reality may be one reason behind this view, CISOs’ job-related angst is a likely contributor as well—43% are concerned about personal liability and 39% say they have experienced burnout in the past 12 months.
“Security leaders must remain steadfast in protecting their people and data, a task made increasingly difficult as insiders prove themselves as a significant contributor to sensitive data loss,” said Ryan Kalember, executive vice president of cybersecurity strategy for Proofpoint. “If recent devastating attacks are any indication, CISOs have an even tougher road ahead, especially given the precarious security budgets and new job pressures. Now that they have returned to elevated levels of concern, CISOs must ensure they focus on the right priorities to move their organizations toward cyber resilience.”