CISOs are increasingly concerned about the likelihood of falling victim to a cybersecurity attack, with 67 percent reporting that they think their organization will face that type of data breach in 2018, according to a recent survey.
Conducted by the Ponemon Institute and sponsored by Opus, What CISOs Are Worried About in 2018 gathered the responses of over 500 CISOs and other information security professionals. Survey participants were able to give more than one response per question.
Seventy percent of CISOs said that a lack of competent in-house staff was their top security threat, with 65 percent stating that “inadequate in-house expertise” was the top reason they would likely have a data breach.
Most respondents were concerned over a careless employee falling for a phishing scam (65 percent), a significant disruption caused by malware (61 percent), a cyberattack causing significant downtime (59 percent), and a large-scale data breach involving more than 10,000 customer or employee records (53 percent).
“It's not an easy time to be a CISO – there's a lot of pain obvious in these survey results,” Ponemon Institute Chairman and Founder Dr. Larry Ponemon said in a statement. “Data breaches and cyber-attacks continue to plague organizations and the responsibility of protecting sensitive data stops with the CISO.”
“It's critical that companies support CISOs and reduce risk by implementing standard processes, including policy review and documentation, senior leadership and board member oversight, as well as other safeguards to reduce their vulnerability,” he continued.
Sixty percent of respondents reported that Internet of Things (IoT) devices were the most challenging technology to secure. Mobile devices (54 percent), cloud (50 percent), and social media (38 percent) were also cited as difficult technologies to secure properly, the report found.
Half of CISOs said that their concerns over a third party causing a data breach either increased significantly or increased in the past year.
In response, though, 37 percent reported that they expect their organization’s IT security budget to either increase significantly or increase. Forty percent stated that their IT security budget would likely stay the same, with 16 percent saying it would decrease.
“Once again, we find that people – not just third parties – are the weak link in information security,” Opus VP of Innovation & Alliances stated. “Smart companies can't prevent all data breaches, but implementing solid risk management programs supported by good governance, training, proven frameworks and robust technology will go a long way to reducing risk and alleviating CISO stress.”
Respondents indicated that boards of directors will begin to have more involvement in IT security. Nineteen percent said the board of directors would become significantly more involved, while 31 percent said the board would be more involved.
Over half of respondents (56 percent) stated that the inability to recover sensitive and confidential data was the top negative consequence that would stem from a data breach. Losing relationships with third parties or business partners (54 percent), losing their own job (45 percent), and losing customers (40 percent) were also key concerns.
CISOs did show optimism when asked about their organization’s cybersecurity posture, with 37 percent stating that it would improve in 2018. Thirty-seven percent of respondents also said that they believed their organization’s security posture would stay around the same level.
Offering cyber intelligence improvements, improving staffing, reducing complexity, improving technologies, and having better cybersecurity leadership were the top five ways CISOs felt their cybersecurity posture could improve.
Proper cybersecurity leadership is becoming an increasingly key concern for organizations, especially in healthcare.
A Q4 2017 Black Book survey showed that 84 percent of healthcare organizations do not have a cybersecurity leader. Eleven percent said they plan to implement a cybersecurity officer for 2018.
Just 15 percent of the 323 strategic decision makers at US healthcare organizations who were surveyed said they have a CISO currently in charge.
“The low security posture of most healthcare organizations may prove a target demographic for which these attacks are successful,” Black Book Managing Partner Doug Brown said in a statement. “Cybersecurity has to be a top-down strategic initiative as it's far too difficult for IT security teams to achieve their goals without the board leading the charge.”