
CISOs are Struggling with Continuous Security Debts: Surveys

CISOs and other security leaders are facing constant obstacles in mitigating rising cyberattacks with unchanged cybersecurity budgets.


With the increase in the volume of cyberattacks, security leaders are changing their cybersecurity measures accordingly. However, cybercriminals are just as consistently advancing their hacking skills and creating new techniques to launch cyberattacks. From high-profile ransomware attacks to the sharing of malicious tools and offensive knowledge, cybercriminal groups are becoming more effective.

Most CISOs and other security professionals report that turning down cybersecurity budgets is increasing the volume of cyberattacks. According to a joint security analysis from F-Secure and Omnisperience, CISOs have encountered rising security debt in protecting their organizations against evolving cyber threats.

According to the analysis, 96% of CISOs stated that they face well-organized cybercriminal attacks motivated by financial gain. Nearly 72% of them said adversaries are moving faster than they are, and a similar number (69%) said their adversaries have improved their attack capabilities in the last 12-18 months.

Key Findings:

  • Employees are the primary attack vector, according to 71% of the CISOs interviewed, as attackers take advantage of social channels to launch more sophisticated targeted attacks.
  • The top three threats CISOs and their teams face are phishing, ransomware, and business email compromise (BEC).
  • Securing the mobile or remote workforce, which has exploded during the pandemic, presents several risks, particularly where employees and devices are separated from traditional controls that could prevent their compromise.
  • A vast majority of CISOs – 71% – report that their ideas about what constitutes “good security” have evolved recently.

“Despite pervasive ‘security debt’ and reporting a rising number of cyberattacks, CISOs say that the number of incidents, which includes a breach or unauthorized access to a system, they faced remained pretty much the same. This could be because CISOs have made the right investments. However, it is the incidents that haven’t been discovered which worry us most. Because of the sophisticated nature of some of these attacks, organizations may not have the technology or people to identify they are in the middle of a compromise that, for example, may result in a ransomware deployment months down the road,” said F-Secure’s Michael Greaves, security advisor for Managed Detection and Response.

Apathetic Leadership a Major Concern

A similar joint analysis from cybersecurity firm Sophos and Tech Research Asia revealed that cybersecurity budgets remained stagnant and executive teams continue to underestimate the consequences of cyberattacks. The survey “The Future of Cybersecurity in Asia Pacific and Japan” found that nearly 70% of organizations in the Asia Pacific suffered a data breach in 2020, an increase of 36% from 2019.

It was found that cybersecurity budgets remained unchanged between 2019 and 2021 despite the increase in cyberattacks. Around 59% of organizations claimed that their cybersecurity budget is below where it needs to be, the same percentage it was in 2019.

“Ultimately, security is about right-sizing the risk. If the risk increases, budgets should also increase, but in this climate of uncertainty, we’ve seen organizations take a conservative approach to security spending, which is impacting their ability to stay ahead of cybercriminals,” said Trevor Clarke, lead analyst and director at Tech Research Asia.