The full report is shown here: https://www.securitymagazine.com/articles/91652-new-survey-reveals-ciso-stress-and-the-toll-it-takes
The benefits and disadvantages of a virtual CISO are shown here, including the ISACA report 2019 indicating that only 72% of all organisations have CISOs.
@rslade Was he promoted or blamed for the incident? Or did anyone really believe him?
A history lesson: the first use of the term "virus" to refer to unwanted computer code occurred in 1972, in a science fiction novel, "When HARLIE Was One", by David Gerrold. Fred Cohen formally defined the computer virus in 1983. It appears computer viruses were being written by individuals, although not named such, as early as 1981 on early Apple II computers.
Apparently, in November 1983, Fred Cohen (then a doctoral student in electrical engineering at the University of Southern California) presented the idea of a computer virus to a computer security class led by Len Adleman. He demonstrated five prototype viruses on a VAX II/750 running Unix. Each virus obtained full control of the system within an hour. Cohen later showed that similar results could be obtained on a Tops-20 system, a VM/370 system, and a VMS system.
I have seen this, but I guess I was lucky. Very early on, a competitor called my CEO and said:
"you have been hit with a virus"
My CEO, flabbergasted and upset, called me. His exact words: "WHY HAVEN'T YOU TOLD ME WE WERE HIT"
My response "by what" or "by who"
My CEO "well Joe from XYZ corp said we had a virus (specific name not important)"
My response "not that I am aware of, but please give me 1/2 hour to check into it"
About an hour later:
My response "we have checked and checked and we cannot find any trace of that virus or any other malware in our environ"
My CEO "are you sure, because if I find out differently, you are fired"
My response "if you think I am lying, please just fire me now... however, can we find out where "Joe" got his information"
My CEO "good point" and goes on to call Joe.
Turns out, Joe's corp had been hit and the techs said, well if we got hit so did they, they are not as good as we are, because we have all the bells and whistles in place.
My CEO then laughed out loud and told Joe that he would be happy to have his staff provide training to his folk... wow.
After that, and through an education program, we were able to instill a mentality with Sr. Management that it was not a matter of if but when...
Lucky for me, I stayed in that ISO role for close to twenty years... (ooops, showing my age again)
Security is typically the last thing on their minds, and only when bad things happen do they realize it's there, so CISOs need to remind them of the risks, etc. on a regular basis. And yes, getting time with them is difficult and sometimes impossible, but persistence does pay off.
I've been told viruses are a hoax by a CIO (my boss at the time) and that all us security folks are absolutely delusional ... And a couple of months later we got ransomware in the network via an outdated Flash plugin, and worked until 3am to clean it up and restore from backups. Shortly after, he went back to the delusional, "there are no risks" stance. You just can't reason with stupid.