Over three quarters of cybersecurity leaders believe that the board level decision makers above them do not understand the cybersecurity risks associated with how their employees act in the workplace.
That is according to a report by MetaCompliance, published on July 9 and based on responses from over 200 CISOs across Europe. Of those surveyed, 78% said that C-level executives do not fully understand cybersecurity risks, at a time when employees are bombarded with phishing attacks and are forced to contend with security challenges around the rise of AI.
This lack of understanding, and sometimes interest, from the board has created headaches for cybersecurity leaders, who are faced with bolstering resilience against cyber threats despite a lack of consistent senior-level backing.
Indeed, according to the survey, 79% of CISOs said leadership support for security awareness initiatives fades over time, making it harder to ensure the organization and its employees are protected against evolving cyber threats, such as the rise of AI-based social engineering attacks.
Reduced Confidence in Cyber Reliance
This has resulted in a situation where CISOs feel less confident in their organization’s cyber resilience than they did 12 months ago. Half of those who feel this way cited the rise of increasingly sophisticated and scalable AI-based social engineering attacks as their primary reason for this.
“AI has changed the context for human risk. Attackers are no longer relying on obvious scams or poorly written phishing emails. They can now create highly convincing impersonation attempts, social engineering attacks and fraudulent communications at scale,” said James Mackay, CEO at MetaCompliance.
“That makes senior leadership alignment more important than ever. Human cyber risk is no longer just an awareness issue or a training issue; it is a strategic business risk. But our research shows that many CISOs are still trying to drive change without consistent senior support, clear ownership or a shared understanding of the risk across the business,” he added.
Read more: How Faster Cyber-Attacks Are Reshaping Enterprise Cybersecurity Strategies
According to those surveyed, another reason why CISOs are struggling is because of a lack of joined up thinking across stakeholders in the business, which is making it different to manage human cyber risk. For example, one section of the organization might have different policies in place to another, leading to complications around security and access, which could ultimately lead to data loss or a cyber incident.
The rise of LLMs and AI agents in the workplace has further complicated this: 40% of those CISOs surveyed fear employees are sharing sensitive information with generative AI platforms, which could result in data breaches or privacy violations for the organization.
In this environment, it is therefore vital that executives are fully invested in the potential threats posed by cyber risks, otherwise they face leaving their CISO ill-equipped to face the cybersecurity challenges the organization.
“If leadership support fades after the initial push, organisations are left exposed. Building resilience against AI-enabled threats requires sustained executive backing, better stakeholder alignment and a more intelligent, behaviour-led approach to managing human cyber risk,” said MacKay.
