Two-Thirds of U.S. Education CISOs See Material Cyber Attack as Likely in Next 12 Months

Nearly two-thirds of chief information security officers in the U.S. education sector believe they’re likely to experience a material cyber attack in the next 12 months, and 62% have dealt with a material loss of sensitive information in the past 12 months, according to the newest Voice of the CISO report published this week by cybersecurity company Proofpoint.

For the 2023 edition of the annual report, researchers at Censuswide surveyed 1,600 CISOs from organizations with 200 employees or more across different industries in 16 countries, on behalf of Proofpoint. The survey was conducted in late January and early February and included 112 CISOs from education organizations, whose responses were shared with THE Journal.

When asked how likely they believed a material cyber attack against their organization to be in the next 12 months, 63% of U.S. education CISOs surveyed answered “somewhat likely” or “very likely”; just 25% believed it unlikely.

The same number of U.S. education CISOs, 63%, agreed that “if impacted by ransomware within the next 12 months, their organization is likely to pay a ransom to restore systems/prevent the release of data,” according to the survey results, while 25% said they disagreed. Of all the CISOs surveyed, 62% said a ransom was likely to be paid to prevent the release of data, according to the report.

More than half, or 61%, of all respondents agreed that their organization is unprepared to cope with a targeted cyber attack. Among education CISOs in the United States, 38% agreed they are unprepared, with a full 50% answering “neither agree nor disagree.” Not a single education CISO indicated that their organization is prepared for such an attack.

Proofpoint’s Voice of the CISO findings “reveal that most CISOs have returned to the elevated concerns they experienced early in the pandemic,” the company said. “This pronounced shift suggests that security professionals see the threat landscape heating up once again, and have recalibrated their level of concern to match.” 

Key Findings From Education CISOs 

  • Education CISOs from the United States said they believe their biggest threat — by a longshot — is ransomware, with 63% listing it as their biggest concern. 

  • Other types of cyber threats top of mind for education respondents were:

    • DDoS attacks (38%)

    • Cloud account compromise (38%)

    • Smishing/vishing (38%)

  • 75% agreed that “human risk, including malicious and negligent employees, is a key cybersecurity concern for me in the next two years.” Not a single education respondent disagreed on this question.

  • 52% of U.S. education respondents agreed that their board sees eye to eye with them on the issue of cybersecurity — the lowest of all sectors surveyed.

  • 67% of U.S. education CISOs said they agree that “cybersecurity expertise should be a board-level requirement.” The U.S. average from all sectors was 70%, “suggesting that many believe technical knowledge is lacking in the boardroom,” Proofpoint said in the report. 

“Many CISOs no longer feel the sense of calm they may have briefly experienced, when they were upbeat after conquering the chaos wreaked by the pandemic. Back to ‘business as usual’, they are less assured in their organization’s abilities to defend against cyber risk,” said Lucia Milică Stacy, global resident CISO at Proofpoint. “Our 2023 Voice of the CISO report reveals that amidst the rising difficulties of protecting their people and defending data, CISOs are being tested at a personal level with higher expectations, burnout, and uncertainty about personal liability. The improving relationship between security leaders and board members gives us hope, however, and this partnership will enable organizations to overcome the new challenges they face this year and beyond.” 

Learn more and download the full report at

About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].