
Poll Data: What CEOs Need to Know About Cybersecurity Going into 2022

Dec 06, 2021

The end of the year is a good time to reflect on the past 12 months and create a plan to improve in 2022. Like years past, 2021 revealed more of the same for the cybersecurity industry: more breaches, bigger ransomware attacks, higher stakes. Some of the most disruptive cyberattacks occurred this year, such as those on JBS Foods, Kaseya and Colonial Pipeline. These attacks received global attention and spotlighted the need for even more focus on cybersecurity best practices.

To help CEOs around the globe better understand cyber risks and how to make their businesses more secure, (ISC)² conducted an online poll of 200 cybersecurity practitioners, whose roles range from cybersecurity leadership to cybersecurity team member, and asked them a simple question: What do you feel every CEO needs to know to make their business more secure heading into next year? After analyzing the responses, below are five recommendations every CEO should know going into 2022.

Understand cybersecurity impacts your bottom line

In our increasingly digital world, cybersecurity is critical to ensuring business continuity and protecting customer data and privacy. However, most cybersecurity professionals stand firm that cybersecurity is not a high enough business priority. One respondent in a cybersecurity management role said, “security needs to be baked into the core of the business. Not just something to think about as an afterthought.” Another respondent said, “CEOs need to know that security is not an IT issue or a technology issue, but a business issue affecting all aspects of the company.”

One respondent encouraged making cybersecurity a competitive advantage, using it as a sales tool. Another respondent had a similar viewpoint, suggesting that CEOs “design security into the product, service or process and shift the work left to provide a more resilient and better outcome for your company and customers.” In addition to being a differentiator, cybersecurity must be at the core of digital transformation strategies because investments in advanced technologies are obsolete if they’re vulnerable to attacks or leaking data.

When cybersecurity is a key business objective, organizations build customer trust, strengthen brand reputation and save money in the long run, as the average cost of a data breach in 2021 rose to $4.24 million. One respondent said, “security is not only a business expense, but it’s a valid business need and [must] be funded appropriately to defend against ransomware and sophisticated threats.” If a cyberattack is successful, prepared organizations can detect and remediate faster and minimize the damage.

Make everyone responsible for cybersecurity

A common theme across the board is that everyone is responsible for their organization’s cybersecurity. Phishing remains one of the most common attack methods among cyber attackers, and the industry agrees that there can never be enough cybersecurity awareness training. In fact, cybersecurity training or awareness training was mentioned in 12% of the polled responses. All organizations are vulnerable to cyberattacks; “even small organizations are susceptible to attack and extortion, so emphasizing that security is everyone’s duty is critical,” said one respondent.

Frequent cybersecurity training is the best way to ensure employees keep cybersecurity top of mind, and it’s a cost-effective solution with impressive ROI. One respondent in a cybersecurity leadership role noted, “[simple] changes can have a significant impact on [an organization’s security posture]. Items such as MFA, security awareness training and vulnerability management with accountability go a long way in shoring up defenses.”

Respondents warned that CEOs cannot overlook the importance of awareness training. Put simply, one respondent in a cybersecurity management position said, “security awareness and insider threat programs are needed to secure a company in today’s world.”

Staff your security team, compensate them well

While having the proper cybersecurity tools is essential, they are useless if the cybersecurity team isn’t adequately trained to use them or appropriately staffed to manage the security program. One respondent recommended CEOs “hire certified or otherwise qualified cyber security personnel, pay them appropriately and provide the necessary resources and authorization to evaluate, identify and remediate vulnerabilities.”

Cybersecurity is a business investment. One respondent said, “There needs to be a larger investment in information security whether that be in [internal] teams or third-party contractors. Security is an investment, and there is a correlation between job openings and current salaries. Invest in training, wages, and growth opportunities.”

Depending on the size of your organization and the industry it operates in, one dedicated cybersecurity staff member might not be enough. One respondent noted that CEOs should know “how to hire and [properly train] people for the positions required inside your organization.” CEOs and hiring managers should work with security team leaders to determine their staffing needs. There is a shortage of 2.72 million cybersecurity professionals, and going solely after the cybersecurity “All-Stars” is not a viable strategy.

Cybersecurity leaders are increasingly hiring career changers, seeking out foundational nontechnical skills essential for cybersecurity career success, such as analytical thinking, curiosity, and problem-solving. Regardless of skill level, all staff should have access to professional development opportunities and be trained on the organization’s cybersecurity tools to perform effectively.

It’s also important to pay cybersecurity professionals well. Regardless of occupation, when employees are trained, supported and paid competitively, they report higher levels of job satisfaction and stay with the company. The cybersecurity job market is fierce, with nearly half of professionals reporting that they are approached weekly by recruiters.

Be ready for ransomware

According to the 2021 Verizon Data Breach Investigations Report, the frequency of ransomware attacks doubled this year, and the FBI reported a 62% year-over-year increase in ransomware complaints. Ransomware has taken on new forms in recent years, with supply chain attacks, double extortion and ransomware as a service increasing in popularity among cyber attackers. Ransomware is one of the cybersecurity industry’s top concerns, as 10% of respondents mentioned ransomware.

Ransomware is inevitable; as one respondent said, “ransomware doesn’t happen only to others.” In order to be successful, organizations must have a frequently tested ransomware response plan and conduct yearly risk assessments. One respondent who is in a cybersecurity management role said, “[CEOs] must take personal ownership and responsibility for having effective and tested education and remediation plans for phishing and ransomware in your organization.” Another respondent in a similar role emphasized that CEOs need to ensure they’re getting the cyber basics right to thwart ransomware.

In addition to having a plan and doing the cyber basics, one respondent stressed the importance of hardening defenses by implementing advanced threat detection technologies and staffing up cybersecurity teams.

Invest in technology to enable remote work (because it’s not going away)

Enabling remote and hybrid work was one of the top poll topics, making up 13% of the responses. The global pandemic continues to evolve our world, particularly how we work. One respondent recommended that “every CEO ought to understand the risk associated with the working from home concept due to COVID-19.”

Although there are cyber risks, remote and hybrid work is here to stay, as many professionals who can perform their job away from the office see it as a key perk. One respondent said, “the push from employees for more flexible and remote work is not going away, especially because there was no drop in productivity. [CEOs must] continue to invest in technologies that enable worker flexibility.”

Poll respondents raised various points about securing remote workers, urging CEOs to invest in asset management, implement zero trust, promote mobility and flexibility without compromising security, re-evaluate business risks, implement secure remote technology, review BYOD policies and push for frequent security awareness training, among others. While the checklist may be lengthy, CEOs should discuss priorities and needs with their security leaders to develop their remote work strategy.

What do you think CEOs should know about cybersecurity heading into 2022? Share your thoughts and join the conversation on (ISC)² Community.