Retailers have a much greater awareness of IT security threats and costs than public sector organizations, according to the latest Proofpoint “Voice of the CISO report.” Could the difference be driven by accounting and the profit factor – and not their IT networks?
Diving into the CISO pool
The 1,200 CISOs in the Proofpoint survey started out speaking with a fairly unanimous voice: the cybersecurity scene is a mess – and it is not getting better. Almost two-thirds of the surveyed CISOs felt their organization was at real risk of a material cyberattack in the next 12 months – and one in five thought that this risk was very high. Of the 14 countries surveyed, CISOs from the UK, Germany, and Sweden were the most pessimistic on this question, scoring between 78% and 81%.
Overall, CISOs felt that the pandemic’s forced march to the home office had left them more exposed, with 58% reporting an increase in targeted attacks since the shift to remote working. Looking ahead into a post-COVID world, however, there was some varied optimism that the past year’s steps would pay off in the new hybrid workplace. But not all organizations saw cyber-criminality the same way, with major differences between CISOs from different economic sectors.
Retail sees the damage and costs of cyber criminality
CISOs from the retail sector led the way in anticipating significant financial costs from a cyber attack. The Proofpoint survey found that 83% of the CISOs in the retail sector thought that the potential for damage from a cyber-security attack was high.
CISOs from the public sector, however, saw potential cyber-security damage in a much less negative light. Nearly a quarter of these CISOs (24%) did not expect major damage from such an event – a whopping 59 percentage points less than their retail colleagues, and a significant 10 percentage points more than the survey average.
Tallying the cost from human error
Retail CISOs were also quite negative on the risks from the human element, with 73% listing human error as the single biggest risk factor in their organizations. Close behind them were those from financial services, with 61% of these CISOs also rating the human factor as their most pressing challenge.
But once again, public sector CISOs were much more ambivalent about the human risk, with only 54% picking humans as the biggest risk factor. They were joined in this perspective by CISOs from the education and healthcare verticals, clocking in at 53% and 48% respectively.
Mission control, we have an issue
With a gap this big, it is hard to believe that almost two-thirds of all surveyed CISOs believed they were at risk of a cyberattack in the next year. Given the number of ransomware attacks on the public sector and hospitals in recent months, it is clear that vulnerabilities are being actively exploited there. So there must be some reason why retail and finance CISOs see the costs as higher and the human element as more critical than their colleagues over in the public sector do.
The difference is in the cost perception
Retail CISOs are risk and cost sensitive simply because they take an immediate hit when a security event takes place.
As retailers, they deal with the manufacture, movement, sale, and service of an object. Within this process, they have an accounting system that assigns a cost to every step. Fast user verification means more potential revenue; failure to remove user access means lost revenue. But for public services, it is more difficult to get such a clear profit/loss analysis – even if the service is essential. After all, what is the cost of a delayed driver’s license, or of a health center closed by an invasive hacker?
The similarities are in the identification
Despite the differing focus on profits, there is a lot of commonality between all of the surveyed CISOs on the technological issues. Together, almost two-thirds shared a common emphasis on four key priority areas. This “to-do” list was topped by enhanced core security controls (35%), support for remote working (33%), improved security automation (32%), and increased security awareness (32%).
In a nutshell, their priority is identity security. They need to ensure that the people who belong in their networks are securely there – and that everyone else is kept out.
All of these CISOs – regardless of whether they are from the private or public sector – struggle with the authentication and verification processes for their users. They know that traditional passwords are a mess, that multi-factor authentication is essential for securing the digital identities of their users, and that it is difficult to smoothly manage disparate identity management systems. They know that more efficient ID management means both increased system automation and easier user participation. After all, it does not matter whether you are selling toy blocks or issuing building permits: securely managing the digital identities of your end users is a mission-critical task.
Would you like to know more about securing digital identities?
Download our whitepaper that describes the complex challenges of managing secure access to data and IT systems in an increasingly digitalised and regulated reality.