Insights from Proofpoint’s 2024 Voice of the CISO Report

KEY TAKEAWAYS

  • 65% of CISOs say their role is misunderstood by company leadership (Proofpoint, 2024). The communication gap is itself a security risk.
  • 74% name their own people as the biggest vulnerability, and 87% plan to deploy AI to address human-layer threats. Training is the multiplier, not the checkbox.
  • 43% report being unprepared to manage a material cyberattack within 12 months. Most Canadian SMBs we audit haven’t run a tabletop exercise since 2019.
  • Board reporting is now expected, not optional. Security leaders who translate technical risk into business language get the budget.

Mike Pearlstein is CEO of Fusion Computing and holds the CISSP, the gold standard in cybersecurity certification. He has led Fusion’s managed IT and cybersecurity practice since 2012, serving Canadian businesses across Toronto, Hamilton, and Metro Vancouver.

Figure: Voice of the CISO key findings (Proofpoint, 2024): 65% feel misunderstood, 74% cite human error, 87% plan AI deployment.

The Voice of the CISO 2026 conversation in Canadian boardrooms still leans heavily on Proofpoint’s 2024 Voice of the CISO study, and the findings haven’t aged out. The headline numbers tell the story: 65% of security leaders say their role is misunderstood by company leadership, 74% point to staff behavior as the largest vulnerability, and board-level cybersecurity reporting is now a standing agenda item.

For Canadian SMBs at 10 to 150 employees, that communication gap between technical teams and executives is where most preventable losses originate.

Executive Summary

According to Proofpoint’s 2024 Voice of the CISO report, the top concerns for global security leaders are email fraud and business email compromise, ransomware, cloud account compromise, insider risk, and supply chain attacks. Over 70% of CISO respondents reported feeling at risk of a material cyberattack within 12 months. Those concerns are driving investment in human-layer defenses and AI-assisted detection.

Proofpoint surveyed 1,600 CISOs across 16 countries for the 2024 report. The data underneath the headlines tells a story Canadian SMBs should recognize: cyberattack risk is perceived as high, preparedness is improving slowly, and the human element keeps showing up as both the largest vulnerability and the largest opportunity. It’s the gap that matters here, not the headline percentages.

Three themes anchor the rest of this article. First, the perception gap between security leaders and the boards they report to. Second, the human-layer problem and the AI tools being deployed to address it. Third, what each finding means for a Canadian SMB at 10 to 150 employees operating under the dual obligations of PIPEDA privacy law alongside the CyberSecure Canada baseline.

Why this matters for Canadian businesses: The Canadian Centre for Cyber Security National Cyber Threat Assessment 2025-2026 identifies ransomware, business email compromise, and credential-theft phishing as the dominant threats facing Canadian organizations. These are the same human-layer vectors that 74% of CISO respondents in the Proofpoint study flag as their top risk. Source: cyber.gc.ca.

Key Findings

According to Proofpoint’s 2024 Voice of the CISO study, 70% of respondents report exposure to a material attack within 12 months, 74% identify their workforce as the biggest vulnerability, 87% plan to deploy AI-driven defenses, 46% have dealt with sensitive data loss in the past year, and 66% are concerned about personal liability for cyber incidents.

Perceived risk runs ahead of perceived readiness

Seventy percent of CISO respondents see themselves as exposed to a material cyberattack within the next 12 months. Forty-three percent describe their organization as unprepared to manage one. The gap isn’t closing fast enough.

In the cybersecurity assessments we run for Canadian SMBs, that gap is wider than the Proofpoint sample suggests. We routinely find tabletop exercises that haven’t been run since 2019. Incident response plans live in a SharePoint folder no one has opened in 18 months. The first time the plan gets used is during the incident itself, which is the worst possible time to find the gaps.

Human error is the number one attack vector

Seventy-four percent of executives surveyed view employees as the largest vulnerability in their organizations. Eighty-seven percent plan to deploy AI-driven tools to address human-centric threats. That’s a strategic shift away from perimeter-only thinking toward behavior-aware defenses.

For Canadian SMBs the calculus is similar but the budget is smaller. Security awareness training that actually changes behavior beats a CA$40,000 shiny tool nine times out of ten. The Verizon 2025 Data Breach Investigations Report continues to put the human element behind roughly 60% of breaches, which lines up with what the Proofpoint sample sees from the top down.

Why this matters for Canadian businesses: The Canadian Anti-Fraud Centre logged over CA$77 million in confirmed business email compromise losses across Canadian organizations in 2024 alone. Most of those incidents began with a single phished credential, the exact human-layer vector that 74% of the Proofpoint CISO respondents flag as their top risk. Source: antifraudcentre-centreantifraude.ca.

Insider risk keeps growing with workforce churn

Forty-six percent of respondents reported dealing with sensitive data loss in the past year. Seventy-three percent of those incidents involved employees leaving the organization. The offboarding window is where credentials get walked out the door.

Why this matters for Canadian businesses: Statistics Canada’s 2024 Survey of Cyber Security and Cybercrime shows that small and mid-sized firms are hit most often yet operate with the lightest security budgets. That economic-pressure dynamic is exactly what 59% of CISO respondents describe when they say budget constraints limit needed investment. Source: statcan.gc.ca.

Economic pressure is reshaping security investment

Fifty-nine percent of CISO respondents say economic conditions are limiting their ability to make critical cybersecurity investments. Sixty-two percent say their organization would pay a ransom to prevent data exposure and restore systems. Those two numbers move in the same direction for a reason.

The IBM Cost of a Data Breach 2025 report puts the global average breach cost at US$4.88 million, with Canadian organizations sitting close to the high end. When prevention budget is constrained, recovery cost goes up, and ransom payment starts to look like a rational decision under duress. That’s the trap.

Personal liability is now a board-level concern

Sixty-six percent of CISO respondents express concern about personal liability for cyber incidents. That’s a meaningful shift from five years ago, when liability was mostly a corporate concept. SEC enforcement actions in the United States and proposed director-level duties in Canada are part of the reason. A documented vCISO engagement is the cleanest evidence a board can show that reasonable security oversight exists.

Cyber insurance is the safety net, not the strategy

Seventy-nine percent of CISO respondents rely on cyber insurance to recover from potential losses. Premiums are climbing, and so are the technical controls insurers require before binding a policy: multi-factor authentication, endpoint detection and response, an incident response plan, and security awareness training as the defensible baseline.

Why this matters for Canadian businesses: The Ponemon 2025 Cost of Insider Risks report puts the average annual cost of insider-driven incidents at US$17.4 million per organization. For a Canadian SMB the absolute number is smaller, but the per-incident hit relative to revenue is often larger because mid-market firms lack the headcount to detect and contain insider events early. Source: ponemon.org.

Board alignment is improving

Eighty-four percent of CISO respondents are confident their board agrees with them on cybersecurity priorities. That’s the highest level in five years of the survey. The catch is that alignment doesn’t automatically translate to budget, and 65% still say their role is misunderstood by leadership. Translating risk into a business conversation is the single fastest way to close that misunderstanding gap.

What the Proofpoint findings mean for Canadian SMBs

For Canadian SMBs at 10 to 150 employees, the Proofpoint findings translate into four concrete priorities: run a tabletop exercise within 90 days, align controls with CyberSecure Canada and CIS Controls v8.1, lock down offboarding workflows, and document a 72-hour breach notification process under PIPEDA.

The CISO sample in the Proofpoint study skews toward large enterprises with named security leadership. Canadian SMBs at 10 to 150 employees rarely have a dedicated CISO, and they don’t need one. The findings still apply, though, and the translation matters. Here’s how the top three themes map to the SMB reality we see in our practice.

The communication gap shows up differently. In a 1,000-person firm, the gap is between the CISO and the board. In a 60-person Hamilton accounting firm, the gap is between the IT contractor and the managing partner.

The partner thinks they’re covered because they pay for antivirus and have a firewall. The contractor knows the backup hasn’t been tested in six months, and two senior staff have local admin rights they shouldn’t. Nobody’s having that conversation until something breaks.

Human error is the same problem at any size. The Canadian Anti-Fraud Centre continues to log record losses from BEC and ransomware events that begin with a single phished credential. In our 13 years operating Fusion Computing, the breaches we’ve responded to almost always trace back to an inbox or a credential, not a zero-day.

Across managed clients we maintain a 93% first-contact resolution rate on security tickets, which is the internal benchmark we measure new analysts against.

Insider risk is a workflow problem. The Proofpoint finding that 73% of data-loss incidents involve departing employees lines up with what we see in audits. Offboarding workflows are often a checklist in someone’s head. Microsoft 365 licenses stay active for weeks. OneDrive folders get downloaded the day before resignation.

The fix is process: same-day access revocation paired with identity provider deprovisioning, plus conditional access policies that flag bulk downloads in the 30 days before a known departure. CISSP-led cybersecurity services close this gap in our managed engagements as a standing checklist item, not an exception.

The compliance anchor for Canadian SMBs is not Bill C-8. Bill C-8 applies to federally regulated critical sectors only. For firms of 10 to 150 employees in Ontario, British Columbia, and Alberta, the relevant frameworks are CyberSecure Canada (the federal SMB certification), PIPEDA for privacy, CIS Controls v8.1 as the technical baseline, and PHIPA for healthcare entities. That’s a tighter playbook than the enterprise CISO is working from, which is an advantage.

Why this matters for Canadian businesses: The Sophos Active Adversary Report 2026 shows attacker dwell time is shrinking and median time-to-encryption for ransomware now sits under 24 hours. For SMBs without 24/7 monitoring, that window closes before anyone notices the intrusion. Source: sophos.com.

Implications for Cybersecurity Strategy

According to the strategic read of the Proofpoint 2024 study, Canadian organizations should treat human-layer defenses, AI-assisted detection, tested incident response, and cyber-insurance-grade controls as one integrated baseline. Treating any of these as optional widens the gap between perceived risk and actual readiness.

The Proofpoint study notes that 68% of CISO respondents feel their organization is at risk of a material cyberattack within the next 12 months, yet only 61% have a tested incident response plan from the past year. That gap between risk awareness and tested readiness is where most breaches escalate into business-impact events, and where Canadian SMBs consistently underinvest.

Six priorities translate the findings into action. We’ve ordered them by what an SMB owner can actually move on this quarter; you don’t need to tackle all six at once.

  1. Make security awareness training a behavior program, not a video. Monthly phishing simulations with measured click rates, follow-up coaching, and quarterly trend reporting to the leadership team. The Ponemon Institute consistently finds that organizations with mature awareness programs reduce successful phishing by 50% or more within 12 months.
  2. Layer AI-assisted detection over the human element. Modern endpoint detection and response and behavior analytics catch the lateral movement and credential abuse that signature-based tools miss. The Proofpoint finding that 87% of executives plan to deploy AI is the right direction; the implementation is where most SMBs need help.
  3. Lock down the offboarding workflow. Same-day access revocation, identity provider deprovisioning, license reclamation, and a conditional-access policy that flags bulk download in the 30 days before a known departure. This single workflow change addresses the 73% of insider-driven data loss the Proofpoint study identifies.
  4. Test the incident response plan. A tabletop exercise once per year, scenario-driven, with the leadership team in the room. Most plans we audit fail the first test, which is the point of running it.
  5. Right-size cyber insurance. Review coverage and required controls annually. Most policies now require MFA, EDR, immutable backups, and an incident response plan as conditions of coverage. Talking to your broker before the audit beats finding out at claim time that you weren’t covered.
  6. Engage the board in plain language. The 65% misunderstanding statistic isn’t a CISO problem; it’s a translation problem. Quarterly board reporting in business risk terms (revenue at risk, regulatory exposure, customer trust impact) closes the gap faster than any technical briefing.
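As an added example (not code from the article or from Fusion Computing), this shows the detection half of the offboarding workflow described in the insider-risk section above and in priority 3: bulk downloads in the 30 days before a known departure, and any activity after the last working day that same-day revocation should have made impossible. The CSV-style audit export, the HR departure list and the 200-files-per-day bulk threshold are all constructed assumptions; a real tenant would apply the same logic to its own audit export or as a conditional-access rule.

```python
# Offboarding detection: bulk downloads before a known departure, and activity
# after the last working day. Log format, departure list and threshold are
# constructed assumptions for this example, not a vendor's schema.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW_DAYS = 30       # look-back window before the departure date (from the article)
BULK_THRESHOLD = 200   # files per user per day; assumed value, tune per organisation

# Constructed audit-log export: timestamp,user,action,item_count
SAMPLE_LOG = """\
2024-05-06T09:12:00Z,alice,FileDownloaded,4
2024-05-28T22:41:00Z,alice,FileDownloaded,350
2024-05-29T07:03:00Z,alice,FileDownloaded,120
2024-05-10T11:00:00Z,bob,FileDownloaded,30
2024-06-03T08:15:00Z,bob,UserLoggedIn,0
2024-06-03T08:16:00Z,bob,FileDownloaded,45
2024-05-12T14:20:00Z,carol,FileDownloaded,500
"""

# Constructed HR departure notices (hypothetical): user -> last working day.
# carol has no notice, so her 500-file download is NOT caught by this rule;
# that is the gap a general bulk-download alert has to cover separately.
DEPARTURES = {
    "alice": datetime(2024, 5, 31),
    "bob": datetime(2024, 5, 31),
}

def parse_log(text):
    """Parse CSV-style lines into (timestamp, user, action, count) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, int(count)))
    return events

def flag_pre_departure_bulk(events, departures, window_days=WINDOW_DAYS, threshold=BULK_THRESHOLD):
    """Return (user, day, files) where daily download volume inside the window meets the threshold."""
    per_day = defaultdict(int)
    for ts, user, action, count in events:
        last_day = departures.get(user)
        if action != "FileDownloaded" or last_day is None:
            continue
        end_of_last_day = last_day + timedelta(days=1)
        if end_of_last_day - timedelta(days=window_days) <= ts < end_of_last_day:
            per_day[(user, ts.date().isoformat())] += count
    return sorted((u, d, c) for (u, d), c in per_day.items() if c >= threshold)

def flag_post_departure_activity(events, departures):
    """Return (user, timestamp, action) for any activity after the last working day."""
    cutoff = {u: d + timedelta(days=1) for u, d in departures.items()}
    return sorted((u, ts.isoformat(), a) for ts, u, a, _ in events
                  if u in cutoff and ts >= cutoff[u])

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("pre-departure bulk:", flag_pre_departure_bulk(events, DEPARTURES))
    print("post-departure activity:", flag_post_departure_activity(events, DEPARTURES))
```

The second function is the cheap audit of the first control: if it ever returns a row, access revocation did not happen on the day it was supposed to.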

Conclusion

The Proofpoint 2024 Voice of the CISO study mirrors what we see in Canadian SMB audits: risk perception is high, readiness is uneven, and the human layer is both the largest vulnerability and the largest opportunity. The fix isn’t more tools. It’s tested process, trained people, and a 72-hour notification plan you’ve actually rehearsed. Book a cybersecurity readiness call to translate these findings into your next 90 days.

Frequently Asked Questions

What are the key findings of Proofpoint’s 2024 Voice of the CISO report?

The 2024 study surveyed 1,600 CISOs and found that 70% see themselves as exposed to a material cyberattack in the next 12 months, while 43% don’t feel ready to manage one. Human error was named the largest vulnerability by 74% of respondents, and 87% plan to deploy AI tools to address human-centric threats. Data loss tied to departing employees was also a top concern, with 46% reporting an incident in the past year.

Why do CISOs consider employees the largest cybersecurity vulnerability?

Employees are targeted because attackers find it faster to trick a person than to break a technical control. Phishing and pretexting attacks exploit human psychology rather than software flaws. Even well-intentioned staff can accidentally share credentials or misconfigure access controls. That’s why human-focused training and identity-behavior monitoring are top priorities for most security leaders.

How are CISOs using AI to address cybersecurity threats?

Security leaders are deploying AI-driven tools for threat detection, behavioral analysis, and automated response to reduce the time between attack and containment. AI processes security event data at a scale no human team can match, identifying anomalies that indicate a breach in progress. It’s particularly useful for detecting subtle persistent threats that traditional signature-based tools won’t catch.

What is the impact of the economic environment on cybersecurity investment?

The 2024 study found that 59% of CISO respondents believe economic conditions are limiting their ability to make needed cybersecurity investments. Budget pressure leads to understaffed security teams, delayed tool deployments, and deferred risk remediation. This widens the gap between the threat environment and organizational defenses, which is why many security leaders are prioritizing managed services that multiply the effectiveness of limited resources.

How prevalent are insider threats in cybersecurity?

The Proofpoint study found that 46% of CISO respondents dealt with sensitive data loss in the past year, and 73% of those incidents involved departing employees. Insider risk includes both malicious actors and negligent staff. Managing this risk requires data loss prevention tools, clear offboarding procedures that revoke access on the same day, and monitoring for unusual data movement before and after notice.

What should Canadian SMBs do if they can’t fully fund a cybersecurity program?

Prioritize controls that address the most likely and highest-impact threats. For most Canadian SMBs that means multi-factor authentication, endpoint detection and response, email filtering, and behavior-changing training. Partner with a managed security provider to extend capabilities without adding headcount. Be transparent with leadership about residual risk when budget constraints prevent full implementation of recommended controls.

How does the Proofpoint study apply to Canadian businesses under PIPEDA?

The findings translate directly. PIPEDA’s breach notification requirement gives Canadian organizations a 72-hour window to assess real risk of significant harm and notify the Office of the Privacy Commissioner. That clock starts the moment a breach is identified, which is why tested incident response and clear escalation paths matter more for Canadian SMBs than they do for global enterprises with full security operations centers.

What baseline cybersecurity controls do Canadian cyber insurers now require?

Canadian cyber insurers now consistently require multi-factor authentication on every external access path, endpoint detection and response on every endpoint, immutable backups held offline or in a separate trust boundary, a documented incident response plan that has been tested in the past 12 months, and an ongoing security awareness training program. CyberSecure Canada certification often satisfies these requirements and is increasingly recognized as the defensible baseline for SMB policies.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.