What are CISOs Worried About in 2018? Data Breaches and the Human Factor, Survey Finds

Healthcare Informatics Magazine | Health IT | Information Technology

January 16, 2018
by Heather Landi

Two-thirds of chief information security officers (CISOs) believe that their companies are more likely to fall victim to a cyber attack or will face a data breach this year, according to a report based on a survey of more than 600 CISOs.

A recent Ponemon Institute survey of 612 chief information security officers (CISOs) and other information security professionals, conducted in November and December 2017, sought to examine key concerns and opinions of CISOs and CIOs focused on information security and cyber risk in 2018. Perhaps unsurprisingly, cyber risk and data breaches remain key concerns of CISOs at a time when high-profile data breaches continue to pose a threat to various industries, including healthcare.

However, the survey findings indicate that the “human factor” and human error are among the biggest worries keeping CISOs awake at night. When asked which threats they worry most about in 2018, 70 percent of CISO respondents cited “lack of competent in-house staff” as the number one concern, followed by data breaches (66 percent), cyber attacks (59 percent), inability to reduce employee negligence (54 percent) and ransomware (48 percent). Other top concerns include a potential breach due to unsecured IoT devices in the workplace (cited by 47 percent of respondents), a third-party data breach (42 percent), inadequate budget (34 percent) and inability to reduce malicious insider risk (25 percent).

The survey also found that 37 percent of CISOs and other security leaders believe that their organization’s cybersecurity posture will improve in 2018, while another 37 percent stated that the cybersecurity posture will stay at about the same level.

Among the CISO respondents, 18 percent work at financial services companies, 11 percent work at healthcare and pharmaceutical organizations, 11 percent represent industrial and manufacturing, 10 percent work in the public sector, 9 percent work in retail organizations and the remaining respondents work in a number of industries including communications, consumer products, education and research and energy and utilities. The survey was sponsored by Opus, a provider of compliance and risk management solutions.

When asked what they predict will happen to their organization in 2018, CISOs and other top security leaders indicated that malware, cyber attacks and data breaches are top of mind, yet human error actually leads the list of CISOs’ worries. Sixty-five percent of respondents worry that a careless employee will fall for a phishing scam that results in credential theft. Sixty-one percent predict a significant disruption to business processes caused by malware, and 59 percent predict a cyber attack that causes significant downtime. About half predict a data breach involving 10,000 or more customer or employee records, as well as the leakage of business-confidential information, such as emails.

As noted above, the survey responses indicate that CISOs view the human factor as the leading security threat, with seven in 10 CISOs calling “lack of competent in-house staff” their number one concern and 65 percent reporting “inadequate in-house expertise” as the top reason they are likely to have a data breach. Other factors seen as likely reasons for a data breach include the inability to protect sensitive and confidential data from unauthorized access (59 percent), inability to keep up with the stealth of the attackers (56 percent) and failure to control third parties’ use of sensitive data (51 percent).

The survey results indicate that CISOs are feeling the stress: 69 percent predict that their roles will become even more stressful in 2018, while 63 percent expect information security budgets to decline or remain flat. What’s more, a little less than half of respondents (45 percent) fear job loss in the event of a data breach, and 44 percent anticipate making a lateral move within their company, but outside IT security.

Looking at board-level support for IT security practices, half of respondents anticipate that their board of directors will become more involved (19 percent say significantly so), which provides the essential backing CISOs and risk professionals require. Thirty-eight percent of respondents said the board of directors will maintain the same level of involvement in the organization’s IT security practices.

Third-party companies and organizations are a top concern, with 60 percent of respondents reporting that their concern about a data breach originating from a partner or vendor has increased since last year.

In the area of disruptive technologies, CISOs view Internet of Things (IoT) devices as the most challenging to secure (60 percent), followed by mobile (54 percent) and cloud (50 percent).

There is a silver lining to the survey results, as 37 percent of CISO respondents see a path to improving their cybersecurity posture. CISOs identified the improvements that hold the most promise, including cyber-intelligence improvements (65 percent), improvement in staffing (61 percent), reduction in complexity (60 percent), improvement in technologies (59 percent) and cybersecurity leadership (54 percent).
