Andrew Rose, Resident CISO, EMEA at Proofpoint
Security teams have had it rough for a few years—the changes driven by COVID were just the icing on a sponge cake of threat, risk, and peril. CISOs in KSA had been adapting to an ever-growing set of responsibilities covering operational resilience, application and product development, business continuity, compliance, privacy, risk management and, increasingly, physical security. It was not a role for the faint of heart, and that was before COVID delivered the hammer blow of cost cutting, enforced business agility and remote working with immediate, immovable deadlines.
This year, Proofpoint’s 2022 Voice of the CISO report found that CISOs in KSA feel that they have successfully navigated through this turbulent time and are emerging on the other side mostly intact. They would be right to take confidence from their sheer survival of the last few years. It is a validation of their control selection, management skills, and strategic vision.
Organisational cyber preparedness has greatly improved as increasing familiarity with the post-pandemic work environment has left CISOs feeling better equipped to deal with cyber threats. While 66% of CISOs in KSA believed they were unprepared for a targeted attack in 2021, this is down to 28% this year.
The Challenging Threat Landscape
There was continued recognition that the human was the primary attack surface for their enterprise, with 38% of CISOs in KSA considering human error to be their biggest cyber vulnerability. When asked how employees were most likely to cause a data breach, CISOs in KSA named compromised insider attacks as the most likely vector, where employees inadvertently expose their credentials, giving cybercriminals access to sensitive data.
Long-term hybrid working creates a larger data protection challenge, with employees now forming the defensive perimeter wherever they work. Around 29% of CISOs in KSA agree that they have seen an increase in targeted attacks in the last 12 months.
CISOs across all regions also believe that the expectations of their superiors and colleagues are excessive. While CISOs in KSA feel less pressured, board buy-in remains precarious. Twenty-eight percent of CISOs in the Kingdom feel that expectations of their roles are excessive, down from 65% last year.
However, the perceived lack of alignment with the boardroom has increased, with only 10% of CISOs in KSA strongly agreeing that their board sees eye-to-eye with them on issues of cybersecurity. CISOs listed disruption to operations, loss of revenue and loss of current customers as top board concerns.
After two years of unprecedented disruption and new ways of working, CISOs in KSA have had to prioritize their efforts to address cyber threats targeting today’s distributed, hybrid workforce.
Looking ahead, there is a lack of consensus among CISOs as to the most significant threats targeting their organization. Supply chain attacks topped the list for CISOs in KSA at 32%, closely followed by smishing/vishing attacks (30%) and ransomware (29%), while insider threats (whether negligent, accidental, or criminal) came in at 28%.
With employees working from everywhere, cloud adoption now filling workplace gaps, and some short-term tactical controls still in place, IT setups are increasingly complex. Overall, CISOs appear to have embraced 2022 as the ‘calm after the storm’. However, they must remain vigilant, as the storm hasn’t yet abated—organisations simply became accustomed to it, like the frog sitting calmly in the pan of gradually heating water. As geopolitical tensions rise and people-focused attacks escalate, the same gaps in user awareness, preparation, and prevention are ready to boil the water again.