Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Voice of the CISO 2025: what the survey says about control gaps


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Across 1,600 security leaders in 16 countries, 76% expect a material cyberattack within 12 months, 66% reported material sensitive data loss, and only 6% have dedicated DLP resources despite near-universal DLP adoption, according to Proofpoint’s 2025 Voice of the CISO survey. The gap is not awareness; it is governance, resourcing, and control ownership.

NHIMG editorial — based on content published by Proofpoint: Voice of the CISO 2025 findings on cyber risk, data loss, and GenAI

By the numbers:

Questions worth separating out

Q: What breaks when DLP exists but no one owns it properly?

A: DLP becomes inconsistent, noisy, and easy to bypass when no team owns tuning, exception handling, and response.

Q: Why do insider risks remain high even when employees understand security policy?

A: Awareness does not remove access, and access is what insiders use.

Q: How should security teams govern GenAI applications without breaking usability?

A: Start by mapping the request path and applying controls where risk appears, not only at login.

Practitioner guidance

  • Tighten access around sensitive data paths Map who can reach sensitive data across cloud, collaboration, and GenAI tools, then reduce entitlement scope to the smallest business need.
  • Reassign ownership of DLP as a managed control Give a named owner responsibility for classification coverage, policy tuning, alert triage, and exception review.
  • Align insider-risk monitoring with identity reviews Connect unusual-access detection to entitlement review and privilege reduction, especially for users handling regulated or business-critical data.

What's in the full report

Proofpoint's full report covers the operational detail this post intentionally leaves for the source:

  • Breakdowns of the seven survey themes and how respondents ranked their top concerns across regions and roles.
  • The full set of survey percentages behind confidence, risk perception, insider threat, and GenAI governance.
  • Boardroom and accountability findings that show how CISOs are being evaluated on cyber risk and business impact.
  • The original commentary and framing from Proofpoint's resident CISO on the survey results.

👉 Read Proofpoint's 2025 Voice of the CISO report on cyber risk and GenAI governance →

Voice of the CISO 2025: what the survey says about control gaps?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Data loss is now a governance failure, not a tooling failure. Proofpoint’s findings show nearly universal DLP adoption alongside continued material data loss, which means the issue is not the existence of controls but the operational quality of ownership, tuning, and enforcement. In practice, controls that are not actively managed behave like policy theatre. Practitioners should treat DLP as a governed service with clear accountability, not a box to check.

A question worth separating out:

Q: Who is accountable when material data loss happens despite existing controls?

A: Accountability should sit with the control owner who is responsible for operating and proving effectiveness, not just the team that procured the tool. Boards and executives need evidence that access boundaries, DLP, and insider-risk controls are being tuned and tested. Without that evidence, governance becomes performative rather than protective.

👉 Read our full editorial: CISOs are confident, but material cyber risk is still rising



   
ReplyQuote
Share: