Unveiling its latest insights, Proofpoint, a prominent cybersecurity and compliance firm, has launched the much-anticipated Cybersecurity: The 2023 Board Perspective report. The report, drawing responses from 659 board members across 12 countries, including three from the APAC region, sheds light on evolving sentiments and concerns within boardrooms.
Among the findings, Singaporean board directors emerge with heightened apprehension regarding generative AI’s security implications for their organisations, closely trailing Japan and surpassing Australia in this regard. Their concerns are compounded by a notable surge in perceived cyber threats compared to the previous year, marking a 35% increase and placing them ahead of the global average.
Despite leading in acknowledging sufficient investment in cybersecurity, Singaporean boards rank poorly in preparedness against cyber threats, as highlighted by the imminent dangers of supply chain attacks and insider threats, which are projected to result in significant financial losses.
Given these mounting concerns, exploring these pressing issues becomes imperative. In an effort to delve deeper, CIO World Asia had the privilege to interview Jennifer Cheng, Director of Cybersecurity Strategy for Asia Pacific and Japan at Proofpoint, providing invaluable insights. With her two decades of expertise, Cheng discusses the shifting landscape between 2022 and 2023, the intricate dynamics of generative AI in cybersecurity, the disparity between funding and preparedness, and the crucial significance of board-CISO alignment.
Evolution of Board Perspective and Cyber Landscape: Dominant Cyber Threats in 2023 vs. 2022
The perception of cyber risk among Singaporean board members has undergone a drastic shift. In 2022, 66% believed their organisations faced a potential cyber attack within the next year, a figure slightly lower than the global average of 73%. However, by 2023, this perception surged significantly. A staggering 89% of Singaporean board members perceived their organisations as vulnerable to material cyber attacks, marking a substantial 35% increase year-over-year.
Concurrently, there has been an upward trend in preparedness for cyber threats. Although 68% of board members discussed cybersecurity on a monthly basis in 2022, only 62% felt their organisations were adequately equipped to handle cyberattacks. By contrast, in 2023, even with increased cybersecurity investment and awareness, only 81% of board members deemed their organisations prepared. This discrepancy between perception and actual readiness remains a persistent concern.
The shifting landscape of concerns regarding cyber threats is evident. In 2022, primary concerns among Singaporean board members revolved around email fraud, business email compromise (BEC), and ransomware, cited by 36% as top worries. However, by 2023, the focus had broadened to encompass malware, ransomware, insider threats, and supply chain attacks, with 43% highlighting malware as their foremost concern. This shift highlights an evolving threat landscape.
Despite an improvement in alignment between board members and Chief Information Security Officers (CISOs) in 2023—where 76% of board members reported synchronisation with their CISOs compared to 60% of CISOs acknowledging the same—significant gaps persist. Although 59% of Singaporean board directors claim increased interaction with security leaders (a substantial rise from 37% the previous year), 40% of boardrooms still lack robust relationships.
The emergence of generative AI (such as ChatGPT) has sparked heightened apprehension. In 2023, 78% of Singaporean board members expressed concerns about generative AI as a security risk for their organisations. This growing unease signifies a heightened awareness of the risks associated with emerging technologies.
Exploring the Opportunities and Challenges of Generative AI in Cybersecurity
Generative AI is undoubtedly reshaping work dynamics, automating content creation, enabling data-driven insights, and streamlining business. While its potential in cybersecurity is promising, not every security issue necessitates AI/ML, a crucial reminder as we assess its scope.
In cybersecurity defence, Gen AI significantly bolsters security, particularly in scenarios involving large language models (LLMs) or managing sensitive data transfer. Advanced AI and machine learning prove invaluable in identifying risks and fortifying threat detection protocols.
Despite its potential, inherent risks accompany this nascent technology:
- IP Leakage: Input into Gen AI platforms isn’t private; it may be used by the AI for further learning. Concerns over content ownership and intellectual property arise if these platforms are used to aid content creation or to scrutinise source code.
- Inaccurate Information: Gen AI can produce erroneous content. If unverified, such inaccuracies might perpetuate misinformation.
- Bias: Because Gen AI learns from existing data, it inherits the biases in that data, raising ethical concerns that it may amplify those biases beyond what humans would.
- Privacy Compliance: Lack of inherent privacy safeguards may lead employees to input personally identifiable information, posing privacy compliance challenges.
Exploited by malicious actors, Gen AI enables sophisticated phishing and email campaigns. Crafting convincing messages becomes accessible, raising concerns about user vulnerability.
To counter these risks, leveraging existing tools like threat intelligence, data loss prevention (DLP), insider risk platforms, and cloud security brokers becomes pivotal. These technologies complement Gen AI’s capabilities, reinforcing a robust cybersecurity strategy. However, judicious integration of Gen AI tailored to specific cybersecurity needs remains essential.
Why Boards Still Feel Unprepared for Cyber Attacks Despite Increased Cybersecurity Budgets
Cybersecurity remains a prominent concern, highlighted by the continuous occurrence of cyberattacks and the looming anticipation of future threats for organisations. Despite heightened awareness and increased cybersecurity budgets, there’s a prevalent sentiment among boards of feeling ill-equipped to handle cyberattacks. Proofpoint’s Board of Directors report reveals that over half (around 53%) of surveyed board members express a sense of unpreparedness, despite an overwhelming 97% anticipating expansions in their cybersecurity budgets. Various factors contribute to this disconnect.
One factor involves a heavy reliance on cyber insurance as a safety net against cyber threats. In Singapore, for example, Proofpoint’s 2023 State of the Phish report found that 90% of surveyed organisations held cyber insurance. Notably, among organisations affected by ransomware, 95% had their ransoms fully or partially paid by cyber insurance providers. This trend hints at organisations prioritising financial recovery over proactive cybersecurity measures, leading to a pervasive feeling of unpreparedness.
Another significant facet is the allocation of cybersecurity budgets. While resources often go into staffing and technology, the critical area of cybersecurity awareness training tends to be overlooked. These training programs are pivotal in empowering employees to identify and respond effectively to threats, fostering a people-centric approach essential in countering evolving threats. Trained employees adept at spotting unexpected threats, such as personalised phishing emails or misleading messages from presumed colleagues, significantly disrupt the attack chain.
A considerable challenge contributing to this sense of unpreparedness stems from the scarcity of skilled cybersecurity professionals. Acquiring and retaining experts capable of effectively managing and responding to cyber threats remains challenging. The existing skills gap in the cybersecurity domain leaves organisations feeling inadequately equipped.
Moreover, the need to align people, processes, and technology is crucial. Merely possessing adequate tools isn’t enough for comprehensive cybersecurity. Aligning cybersecurity practices within business processes and ensuring a harmonious synergy between technology and the workforce are crucial in mitigating risks effectively.
Additionally, boards may lack the necessary data and insights to grasp the true impact of cybersecurity threats on the business. Equipping boards with data and analytics showcasing potential financial and operational consequences of cyberattacks is imperative for informed decision-making and resource allocation. Without such data, boards might struggle to gauge the severity of the risks they face, contributing to their sense of unpreparedness.
The Crucial Significance of Board-CISO Alignment
Achieving success as a strategic cybersecurity leader demands a blend of technical expertise, business acumen, and leadership prowess. A competent CISO not only aligns cybersecurity initiatives with organisational objectives but also effectively communicates the value of cybersecurity investments to executives and board members. Establishing this connection is pivotal for a CISO’s success.
A robust board-CISO relationship holds paramount importance. CISOs must navigate risks by considering employee perspectives, bridging security gaps, and managing incidents under high-pressure scenarios. They play a critical role in grasping the broader context of cybersecurity while maintaining expertise in risk assessment.
Given the escalating frequency and sophistication of cyber threats, alignment between board members and CISOs transcends luxury—it’s a necessity for organisational protection. This alignment necessitates a shared understanding across three critical domains: metrics, benchmarks, and impact. Without this alignment, confronting contemporary threats becomes significantly challenging.
Boards, typically focused on financial outcomes, might struggle to fully comprehend the technical nuances of cybersecurity. This communication gap and lack of shared understanding of cyber risk could disadvantage organisations in facing current threats.
While disagreements may naturally arise, persistent discord between boards and CISOs hampers the creation of an effective cybersecurity strategy. However, recognising the direct impact of cybersecurity on the organisational bottom line is a step forward for boards. Yet, it’s crucial for them to consistently prioritise cybersecurity on their agenda and evolve into better partners for CISOs.
The board-CISO relationship serves as a linchpin in safeguarding personnel and data. Effective communication and collaborative efforts between both parties are crucial in fortifying an organisation’s resilience against cyber threats. In today’s dynamic threat landscape, alignment between leadership and security experts isn’t a cure-all, but it’s an essential prerequisite for robust cybersecurity governance and risk mitigation.
As the cyber landscape continues to evolve and threats become more complex, the imperative for boardrooms to align with cybersecurity strategies becomes increasingly evident. The 2023 Board Perspective report by Proofpoint illuminates not just the rising concerns but also the critical need for collaboration, awareness, and preparedness.
Bridging the gaps between perception and readiness, leveraging emerging technologies judiciously, and nurturing a robust board-CISO partnership will be instrumental in steering organisations through the intricate maze of cyber risks. As we move forward, adapting to this ever-changing landscape isn’t just about technology; it’s about fostering a culture of vigilance, adaptability, and collective responsibility to safeguard against the evolving cyber challenges of tomorrow.