REPORT

2024 Voice of the CISO

Global Insights into CISO Challenges, Expectations and Priorities

TABLE OF CONTENTS

Introduction

Heightened Concerns But Growing Confidence

Human Error: The Persistent Vulnerability

Data Protection and Insider Threats

The Cyber Realities for a CISO in 2024

Strengthening Board-CISO Relations

The Story Continues… Unrelenting Pressure on CISOs

Conclusion

Methodology

2024 VOICE OF THE CISO \ REPORT

2024: Navigating the Cybersecurity Maelstrom

CISOs have had a lot to contend with in recent years: a global pandemic, large-scale remote work, and record levels of employee turnover. From the outside looking in, one could be forgiven for thinking the past 12 months have been serene by comparison.

But for CISOs caught in the whirlwind, this was the year the perfect storm reached its peak.

Thanks to hybrid working as standard and the growing reliance on cloud technology, the attack surface has never been larger. Cyber threats are more targeted, sophisticated, and frequent than ever before. Meanwhile, employees are increasingly mobile – often taking data with them when they change jobs.

And while generative artificial intelligence (AI) tools hold great promise, they also have lowered the bar to entry for cybercriminals. Anyone with a few pounds now has the means to launch devastating attacks.

To be sure, CISOs are enjoying closer ties with key stakeholders, board members and regulators. But this proximity also brings higher stakes, more pressure, and heightened expectations. And with flat or reduced budgets, CISOs must try to do much more with considerably less. In this environment of tight resources and rapid change, shortcuts are sometimes necessary. But they can lead to human error.

To better understand how CISOs are navigating another high-pressure year, Proofpoint surveyed 1,600 CISOs around the world. We asked them about their roles, their outlook for the next two years, and how they see their responsibilities evolving. For richer insights into complex cybersecurity practices, this year’s Voice of the CISO surveyed only organisations with 1,000 or more employees.

In this summary, we explore the delicate balance between concern and confidence as many factors combine to ramp up the pressure on the CISO.

We hear how our people continue to put us at risk and what organisations are doing to bolster human-centric defences. We also delve into the mind of the CISO, tackling the challenging topics of burnout, personal liability, and boardroom relationships.

Finally, we look to the years ahead to get a better understanding of what we can expect on the cybersecurity horizon.

As always, this report would not have been possible without the insight offered by cybersecurity and information security professionals across the globe. We offer our sincere thanks for your time and feedback.

Patrick Joyce, Global Resident CISO at Proofpoint


Heightened Concerns but Growing Confidence

CISOs are struggling with a jarring mix of challenges: the waning cybersecurity spotlight as the pandemic fades from view; the ongoing struggle to secure remote and hybrid workforces; whiplash as workforces reel from the Great Resignation, tech layoffs and constant business restructuring; and the rise of hard-to-detect yet easy-to-execute threats.

Whatever the cause, one thing is clear: CISOs are nervously looking over the horizon. Over two-thirds (70%) of those surveyed feel at risk of a material cyber attack over the next 12 months. This figure is only a slight increase from 68% last year. But compared to 48% of respondents who felt so in 2022, today’s CISOs clearly remain on high alert.

That just under a third (31%) feel a significant attack is “very likely” further underlines the CISO’s collective anxiety, compared to 25% in 2023.

70% of CISOs feel at risk of experiencing a material cyber attack over the next 12 months. 31% rate the risk as very likely.

[Chart: Percentage of CISOs who agree that their organisation is at risk of a material cyber attack in the next 12 months, by country, 2024 vs 2023. Global average: 2024 = 70%, 2023 = 68%. Countries shown: South Korea, France, Germany, United Arab Emirates, Sweden, Netherlands, Italy, Singapore, Spain, Brazil, Saudi Arabia, Japan, Australia, United Kingdom, United States, Canada.]

CISOs in South Korea (91%), Canada (90%), and the US (87%) are most concerned about experiencing a material cyber attack.

Brazil’s CISOs are the most optimistic, with just 45% fearing an attack.

CISOs (70%) and board members (73%) both feel that a material cyber attack is likely in the next 12 months.

Education (86%), transport (77%), and retail, healthcare and public sector (all 74%) lead the way for cyber attack concerns across industry verticals.

Board member statistics from “Cybersecurity: The 2023 Board Perspective report.”


Awareness vs Preparedness

A growing concern around the likelihood of a cyber attack may seem like bad news. Still, that most CISOs are aware of the potential risks they face is heartening.

Put simply, CISOs are right to be concerned; as cybercriminals refine their tactics, target our people, and work along the attack chain for maximum impact.

There’s more room for positive thinking when we look at security preparedness, too. A little under half (43%) of CISOs agree that their organisation is unprepared to cope with a targeted cyber attack in 2024. This is something of an improvement on 2023 (61%) and 2022 (50%).

But while it's good news that more CISOs feel prepared for the challenges ahead, we can’t ignore those who do not share this sentiment.

That 70% feel at risk of a cyber attack yet almost half feel unprepared for its impact is concerning. It highlights again the unwavering disconnect between cybersecurity awareness and preparedness.

CISO’s view of the threat landscape

What keeps CISOs awake at night? Not surprisingly, 41% see ransomware as the leading threat across the next 12 months. Malware (38%), email fraud (36%), cloud account compromise (34%), insider threats (30%), and DDoS attacks (30%) round out the top five concerns.

Several of these issues – email fraud, insider threats, DDoS attacks, and cloud account compromise – remain on the list from last year. Ransomware’s rise to the top of the list is an interesting change, if not unsurprising given high-profile attacks in 2023 and into 2024.

Attackers have greatly raised the stakes with double and triple extortion threats and maturing ransomware ecosystems. That’s why CISOs must look for opportunities to disrupt attacks at every stage of the attack chain – from initial compromise to lateral movement and privilege escalation to data exfiltration.

43% of CISOs agree that their organisation is unprepared to cope with a targeted cyber attack in 2024.

Percentage of CISOs who agree that their organisation is unprepared to cope with a targeted cyber attack in 2024. Top three countries:

South Korea: 69%
Germany: 55%
France: 54%
Global Average = 43%

What, if anything, do you perceive to be the biggest cybersecurity threats within your organisation/industry in the next 12 months? (Pick up to three.)

Ransomware attacks: 41%
Malware: 38%
Email fraud (business email compromise): 36%
Cloud account compromise (Microsoft 365, Google Workspace or other): 34%
Insider threat (negligent, accidental, or criminal): 30%
Distributed denial of service (DDoS) attack: 30%
Supply chain attacks: 25%
Smishing/Vishing: 24%


On another positive note, boards seem increasingly receptive to the concerns of the CISO. Both appear to be closely aligned; board members see malware, insider threats, cloud account compromise, and ransomware as the biggest cybersecurity threats facing their organisations.

Ransomware is the top concern among CISOs in Japan (64%), UK (51%), Sweden (49%), and the Netherlands (49%).

Email fraud remains among the top three concerns since the first Voice of the CISO report in 2021. This year, it is of the most concern among CISOs in Saudi Arabia (50%), Australia (46%), Germany (46%), Canada (42%), the Netherlands (42%), and Japan (42%).

Among industries, manufacturing and production (54%), retail (46%), and healthcare (43%) all agree that ransomware will be the biggest threat over the next 12 months.

Email fraud, however, is seen as the biggest threat over the next 12 months by the following industries: public sector (61%), transport (58%), and financial services (41%).


Malware threats lead the way in Italy (53%), Brazil (46%), and Singapore (45%).

In today's evolving threat landscape, CISOs are navigating through the aftermath of the pandemic, adjusting to the new normal of hybrid work, and grappling with enormous tech industry shifts. Amid these transformative times, the emergence of sophisticated cyber threats that exploit human vulnerabilities and systems is undeniable. While the heightened probability of cyber attacks might seem alarming, it's reassuring that CISOs are acutely aware and prepared for potential risks. The concern CISOs harbour is a testament to their vigilance; recognising that cybercriminals are continuously honing their strategies to exploit every link in our security chains.

Brian Cox,
Vice President and Chief Information Security Officer, Cox Enterprises


Human Error: The Persistent Vulnerability

Just as concern around impending cyber attacks is growing, so too is the consensus on the top risk factor: people. In a year of growing insider threats and data loss caused by people, more CISOs than ever see human error as their biggest cyber vulnerability.

Almost three-quarters (74%) of surveyed CISOs feel this way, up from 60% in 2023 and 56% in 2022. Board members are not as convinced. A little under two-thirds (63%) agree that human error is the biggest vulnerability, suggesting that CISOs have more work to do to bring the boardroom up to speed.

74% of CISOs consider human error to be their organisation’s biggest cyber vulnerability.

[Chart: Percentage of CISOs in agreement that human error is their organisation's biggest cyber vulnerability, 2024 vs 2023. Global average: 2024 = 74%, 2023 = 60%.]

An even higher number of CISOs (80%) see human risk, including employee negligence, as a key cybersecurity concern over the next two years. That’s up from 63% in 2023. This sentiment was most keenly felt in France (91%), Canada (90%), Spain (86%), South Korea (85%), and Singapore (84%).

CISOs seem to understand that, given most successful cyber attacks require human interaction, data loss is inherently a people problem. Still, 86% believe their employees understand their role in defending their organisation; almost half (45%) strongly agree.

In other words, CISOs believe their people know what is being asked of them but still feel that they pose an enormous risk. The implication: users grasp what’s expected of them but lack the skills, knowledge and tools required to defend their organisation’s data.

CISOs in Saudi Arabia (84%), Canada (83%), and France (82%) are most concerned about human error being their organisation’s biggest cyber vulnerability.

CISOs within these sectors: education (89%), media, leisure and entertainment (85%), and public sector (78%) believe human error is their organisation’s biggest cyber vulnerability.


Protecting against the people problem

To mitigate this area of human vulnerability, many CISOs are turning to AI-powered technology. Of those surveyed, 87% are looking to deploy such tools to protect against human error and block advanced human-centric cyber threats.

This holds true across all surveyed industries, with retail (81%), IT, technology and telecoms (89%), and education (88%) leading the way.

87% of global CISOs are looking to deploy AI-powered capabilities to help protect their organisations against human error and advanced human-centric cyber threats.

[Chart: Percentage of CISOs by industry who are looking at deploying AI-powered capabilities to help protect their organisations against human error and advanced human-centric cyber threats. Industries shown: Media, leisure and entertainment; Business and professional services; Energy, oil/gas and utilities; Manufacturing and production; IT, technology and telecoms; Education; Healthcare; Financial services; Public sector; Transport; Retail.]

As the digital landscape evolves, CISOs unanimously point to one constant in the cybersecurity equation: the human element. Despite recognising that insider threats and inadvertent data mishandling are on the rise, there's a consensus that employees are aware of their cybersecurity responsibilities. Yet, there's an acknowledgment of a critical gap – understanding doesn't always equate to capability. To bridge this divide, CISOs increasingly seek AI-driven technologies as an ally in reinforcing human defences against sophisticated cyber threats.

Martin Bally
VP & Chief Information Security Officer, Campbell Soup Company


Data Protection and Insider Threats

An increasing awareness of both risk levels and risk factors looks to have translated to tighter security over the past 12 months. This year, fewer than half (46%) of global CISOs reported a material loss of sensitive information – down from 63% last year.

That said, several countries came in considerably higher than this worldwide average. Over two-thirds (77%) of CISOs in South Korea reported the loss of sensitive data, followed by 61% in Canada, 58% in France, and 57% in Germany.

77% of organisations in South Korea dealt with material data loss in the last year – the highest rate of any country surveyed.

[Chart: Percentage of CISOs whose organisations have dealt with a material loss of sensitive information in the past 12 months, by country, 2024 vs 2023. Global average: 2024 = 46%, 2023 = 63%. Countries shown: United Arab Emirates, South Korea, Germany, Sweden, United States, Spain, Netherlands, Brazil, United Kingdom, Australia, Japan, Singapore, Saudi Arabia, Italy, Canada, France.]

Where industries are concerned, education (68%), financial services (54%), and media, leisure and entertainment (54%) are the most affected by sensitive data loss in this year’s report.

As for what’s behind these events, many familiar faces are on display. Of the CISOs who experienced a sensitive data loss, 42% lay the blame on negligent insiders/careless employees. Other common factors include external attacks (40%) and malicious or criminal insiders (36%).


Employees are also potentially responsible for many more factors on the list, from system misconfiguration (27%) to lost or stolen devices (28%).

Human factors have risen year on year, representing the leading cause of data loss. It’s no wonder that people remain such a pressing concern for the world’s CISOs.

Malicious or criminal insiders are the third leading cause of data loss after external attacks (cybercriminal or state-sponsored). They are the No. 1 factor in Australia (49%), UAE (44%), Germany (44%), and France (38%).

What was the cause of the data loss event? (Pick all that apply.)

(Respondents whose organisation dealt with a material loss of sensitive information in the past 12 months.)

Negligent insider/Employee carelessness (An employee that unknowingly misuses data): 42%
External attack (cybercriminal or nation-state): 40%
Malicious or criminal insider (An employee that misuses data to intentionally harm the organisation): 36%
OS vulnerability on endpoint/server/device/other: 35%
Compromised insider (An employee whose credentials were stolen): 33%
Lost/stolen devices: 28%
System misconfiguration: 27%

To further underline this point, people continue to contribute to data loss elsewhere. Almost three-quarters (73%) of CISOs said that employees leaving their organisation played a role in a data loss event.

As the rate of resignations fell back to pre-pandemic levels in many countries towards the end of 2023, concern around losing data to job switchers is down from 82% last year. But there is no room for complacency. The modern workforce changes jobs more frequently than any generation in history, and data will continue to leave with them at an alarming rate.

The trend is most pronounced among industries that handle large amounts of highly sensitive information, underlining the challenge of protecting data against intentional exfiltration.

95% of CISOs in the education sector have lost data with an employee leaving their organisation. Healthcare (89%), media, leisure and entertainment (88%), financial services (83%), and transport (80%) complete the top five.


The consequences of material data loss stretch far and wide. Most CISOs reported financial loss (43%), post-attack recovery costs such as operational downtime and data recovery (41%), and loss of critical data (40%).

[Chart: What was the end result of the event on your organisation? (Pick all that apply.) (Respondents whose organisation dealt with material loss of sensitive information in the past 12 months.) Options shown: Financial loss; Post-attack recovery costs (operational downtime, data recovery, legal, etc.); Loss of critical data; Credential theft; Reputational damage; Regulator sanctions (fines or market loss/sanctions); Loss of customers.]

New tools and changing priorities

Combating data loss remains a top priority for CISOs around the world, for obvious reasons. About half educate employees about security best practices (53%) and use cloud security solutions (52%) to get a handle on the issue.

Others deploy dedicated data loss prevention (DLP) technology (51%), endpoint security (49%), email security (48%), or isolation technology (42%) to block employees from entering credentials on web forms.

As people remain our most vital line of defence right across the attack chain, CISOs are right to place user education as a pivotal part of their security strategy. But given that 80% of CISOs also see human error and negligence as a top concern, it’s not clear what fruits those efforts have borne.

Financial loss (43%), post-attack recovery costs (operational downtime, data recovery, legal) (41%), and loss of critical data (40%) are the biggest consequences of data loss.

[Chart: What protocols do you have in place to combat organisational data loss? Options shown: We educate employees on data security best practices; We have a cloud security solution in place (e.g. CASB); We have a data loss prevention (DLP) technology in place; We have endpoint security technology in place; We have email security technology in place; We have isolation technology which avoids employees entering credentials on web forms.]

Going forward, CISOs have a clear idea of how best to tackle data loss. Some 87% agree that information protection and data governance are top priorities. This is a major uptick from previous years – 61% in 2023 and 59% in 2022.

The adoption of DLP technology has also surged, up to 51% this year from 35% in 2023. As a result, 81% of CISOs now believe that their data is adequately protected. That’s up from 60% in 2023 and 56% in 2022.

As outlined in Proofpoint’s 2023 Board Perspective Report, three-quarters of board members shared this view, putting the boardroom in closer agreement with their CISOs than in previous years.


Spotlight on: Recovery

Every CISO strives to defend the organisation from cyber attacks. But as threats grow more advanced and targeted, security teams often work from the premise that their defences will be compromised or breached at some point. And when that happens, they need to know how to recover – fast.

In a ransomware attack, 62% of CISOs said their organisations would likely pay the attacker to restore systems or avoid the release of company data. This figure is unchanged from last year’s survey.

Many others plan to rely on insurance coverage. Overall, 79% of CISOs agree that if hit by a cyber attack in the next 12 months, they would use cyber insurance to cover losses.

Investing in cyber insurance is usually a preferred option. But it’s no substitute for a robust cybersecurity defence. Buying a comprehensive policy is not as straightforward as it once was. And insurers often insist on stringent protocols and protections as a condition of coverage. CISOs using insurance as a fallback should check policy documents and ensure their organisation has the right amount and type of coverage.

If impacted by ransomware within the next 12 months, my organisation is likely to pay a ransom to restore systems/prevent the release of data. Top three countries:

Saudi Arabia: 83%
Canada: 82%
South Korea: 79%

CISOs worldwide continue to strengthen cyber defences, recognising that the human factor continues to be the primary driver of data loss. Even as the tidal wave of resignations stabilises, the transient nature of today's workforce signifies that the risk of data walking out the door remains more than a mere possibility – it's an alarming certainty. Particularly in sectors where sensitive information is the currency, CISOs find no reprieve from vigilance. The relentless pace of job movement ensures that protecting against data loss is not just a priority but an ongoing battle in the digital realm.

Phil Ross
Chief Information Security Officer, Air New Zealand


The Cyber Realities for a CISO in 2024

There’s been no way to avoid the rise of generative AI over the past year. Whether it’s a net force for good or bad will play out – and be debated – for years to come. But one thing’s for sure: it’s not going anywhere.

So far, CISOs are approaching the technology with a degree of caution. A little more than half (54%) believe the technology poses some form of a security risk to their organisation.

Spotlight on AI: The double-edged sword

Much is made of AI's potential to aid cybercriminals, and rightly so. With this technology, attacks could get easier to scale and simpler to carry out. Advanced techniques once out of reach for anyone but well-funded cybercriminal gangs and state-sponsored attackers are now up for grabs.

However, greater accessibility of generative AI models can only help defenders, too. Even in these early stages, we can already connect the dots between external threats, sensitive content, and anomalous behaviours or activity. That’s something that has not been possible at the same speed and scale with human moderation or traditional analysis.

With this information, we can intervene in communications, focus protections where they are most needed, and stop or limit threats before they occur.

Given the hype-and-bust cycle of many technology trends, it might be tempting to dismiss AI as another fad. But it’s already changing cybersecurity. And as the technology improves and security leaders learn new and better ways to apply it, AI could transform the industry.

54% of CISOs believe generative AI poses a risk to their organisation.

CISOs in South Korea (75%), Canada (73%), and France (64%) feel most at risk from ChatGPT/generative AI.

[Chart: Percentage of CISOs by industry who believe generative AI is a security risk to their organisation. Industries shown: Business and professional services; Media, leisure and entertainment; Financial services; IT, technology and telecoms; Manufacturing and production; Energy, oil/gas and utilities; Education; Healthcare; Retail; Transport; Public sector.]

ChatGPT and other generative AI models top the list of systems introducing risk to organisations. But the CISOs also have a keen eye on other platforms such as Slack, Teams and other collaboration tools (39%), as well as the ubiquitous Microsoft 365 (38%).


Spotlight on budgets and priorities

AI is not the only major trend taking its toll on CISOs. Changing economic conditions around the world are also piling added pressure on already overstretched security teams.

Overall, 59% of CISOs agree that economic conditions have hurt their organisation, up slightly from 58% in the previous year.

CISOs in South Korea are being hit the hardest, with 79% feeling the impact of the turbulent economy. Those in Canada (72%), France (68%), Germany (68%), and Spain (64%) are not far behind.

With many security budgets remaining flat at best, CISOs know they are tasked with doing more – or at least, the same – for less. Almost half (48%) have been asked to cut staff, delay backfills or reduce spending.

To deliver the most value in this environment, most (58%) plan to focus on improving information protection and enabling greater business innovation, just like we saw in 2023.

In a notable change to last year’s findings, improving employee cybersecurity awareness is now the second-highest priority for the CISOs. While perhaps not surprising, the ranking gives yet another clear sign that human-centric security is now a firm fixture in most cyber strategies.

Cybersecurity budgets have been cut most severely in education (68%), healthcare (68%), financial services (55%), media, leisure and entertainment (55%), and IT, technology and telecoms (48%).

[Chart: Percentage of CISOs who agree that the current economic downturn and business challenges have negatively impacted their organisation's ability to resource cybersecurity budgets, by country. Countries shown: Germany, Australia, United Kingdom, United States, United Arab Emirates, Netherlands, South Korea, Singapore, Sweden, Canada, France, Japan, Spain, Brazil, Italy, Saudi Arabia.]


What are the top priorities for your organisation's IT security department over the next two years? (Pick up to three.)

58%: Improving information protection and data classification; Enabling business innovation (e.g. DevSecOps, product development)
54%: Improving employee cybersecurity awareness

45
