Two-thirds of CISOs say their organizations are vulnerable when it comes to cloud applications and infrastructure, such as Google Cloud, new research by Nuspire found. (Photo by Sean Gallup/Getty Images)

Managed security services provider Nuspire released research that found two-thirds of CISOs believe their organizations are vulnerable to attack, especially when it comes to cloud applications, end users, and cloud infrastructure.

The survey, released Thursday, also found that CISOs are highly concerned about end-users and see the need for more education to prevent ransomware and phishing attacks — especially in an era of remote work.

When remote/hybrid working models started to gain traction, CIOs responded by allowing the business to use whatever "as a service" tools necessary to enable the business to become more agile, said Corey O’Connor, director of products at DoControl. O’Connor said this challenged CISOs as the risk introduced to the business fell solely on them.

“The risk was theirs to own and did not fall back onto the various departments within the business,” O’Connor said. “Naturally this created security gaps that needed to be addressed as organizations began to navigate the ‘new normal’ for working environments.”

Matthew Warner, co-founder and CTO at Blumira, added that treating cloud infrastructure differently than traditional on-premise is where many organizations start to create weaknesses in their security programs. Warner said it’s often very easy to move into cloud services and assume that because the company pays for the compute and support, it’s also secure by default.

“In reality, cloud becomes another vertical of infrastructure and effort that must be maintained, monitored, and validated by new processes in an environment,” Warner said. “CISOs must apply the same level of policy and process to cloud security and ensure that their environment aligns to baseline security expectations — otherwise the creation of unknown tech debt and risk will only grow.”