CISOs Warn of Imminent Attacks and Mounting Pressure in 2025

Security Leaders Expect Cyberattacks Soon

Proofpoint’s 2025 Voice of the CISO report delivers a stark message: most chief information security officers (CISOs) feel under siege.

“76% feel their company is at risk of a material cyberattack within the next 12 months,” the report states. That’s up from 70% last year. More than a third (36%) believe an attack is “highly likely.”

The survey of 1,600 CISOs across 16 countries shows mounting anxiety. “Over half (58%) of global CISOs agree that their organization is unprepared for a cyberattack in 2025,” according to Proofpoint.

This sense of vulnerability is global. Canadian CISOs are most concerned, with 76% admitting they are not ready, while Spanish CISOs show the most confidence, at 33%.

Data Loss Surges Despite Protections

The report highlights a steep rise in breaches. “Two-thirds (66%) indicated that they experienced a material loss of sensitive information within the past 12 months,” compared to 46% in 2024.

Indian CISOs reported the worst outcome, with 99% saying their organizations lost sensitive data. In contrast, Spain reported the lowest at 33%. Financial services topped all industries, with 87% experiencing losses, while education reported a loss rate of only 29%.

The paradox is striking. “Despite near-universal adoption of DLP programs, material data loss remains alarmingly common,” said Phil Ross, CISO of Air New Zealand.

Attacks Multiply from All Directions

CISOs see threats everywhere. Email fraud and insider threats are tied as the top concerns at 37% each. Ransomware follows closely at 36%, with supply chain and cloud account compromises not far behind.

The report warns that outcomes converge regardless of the vector. “Whether caused by a careless insider, a spoofed email, malicious payload or compromised supplier, the end result is the same: data loss.”

Facing this pressure, many CISOs expect to pay up. “Two-thirds (66%) of CISOs said their organization would be likely to pay a ransom to restore systems or prevent the release of data,” the report notes.

Human error remains the perennial problem. “66% agree that human risk is their organization’s greatest cyber vulnerability,” according to the report.

This persists despite 68% believing their employees understand security best practices. Proofpoint points to a gap between awareness and action. “Employees who truly understand their role… cannot also be the biggest risk their organization faces.”

Training is often sidelined. Insider risk management programs are missing in many firms. “More than a quarter (26%) of French companies do not have an insider risk management program in place,” the report found.

AI: Both Tool and Threat

Generative AI deepens the challenge. “60% of global CISOs believe generative AI poses a risk to their organization, up from 54% in 2024,” the report says.

Concerns focus on customer data loss through public tools like ChatGPT. U.S. CISOs are the most wary, at 80%, while those in Spain are the least concerned, at 39%.

Still, CISOs know they must adapt. “Enabling the safe use of AI tools and automation technologies is a top priority over the next two years for 64% of global CISOs,” according to Proofpoint.

Boardroom Trust Slips Back

Boardroom alignment has weakened after years of progress. “Of this year’s surveyed CISOs, just under two-thirds (64%) agree that their board sees eye to eye with them,” compared to 84% in 2024.

The drop is steepest in Spain, Singapore, and Japan. Australia, Mexico, and Canada report the highest alignment.

Proofpoint’s Ben McLaughlin urged CISOs to reshape board perception. “CISOs must actively shape board understanding of cybersecurity as a strategic, risk-based function.”

Burnout Rises with Responsibility

Leadership strain is clear. “For the second year running, two-thirds of CISOs (66%) feel they are subject to excessive expectations,” Proofpoint reports.

At the same time, accountability weighs heavily. “Over two-thirds (67%) feel they are personally held accountable when a cybersecurity incident occurs,” a burden felt most in the U.S., Mexico, and Canada.

Some relief exists. “65% of CISOs reporting that their organization has taken steps to protect them from personal liability,” the survey found. Still, stress levels continue climbing.

Cox Enterprises’ CISO Brian Cox captured the tension: “The pressure on CISOs remains unrelenting, with high expectations and increasing personal accountability defining the role.”

Familiar Warnings, New Urgency

The report’s conclusion is blunt. “CISOs could be forgiven for thinking life is on repeat… most believe a cyberattack is imminent, that they are unprepared… and feel their people are their greatest areas of risk.”

Generative AI now magnifies the landscape. Organizations juggle opportunity and risk, but expectations on CISOs grow heavier. The role evolves, but the warning remains the same: the canary in the coal mine keeps singing.

Plain-Speaking Analogy

The life of a CISO today is like one great big game of Whack-a-Mole, but these moles come as cybersecurity risks and they hit first and hit back, 24/7.
