Our survey reveals 89% of CISOs believe security training has been successful, despite naming human error as a major concern.
In the ever-evolving landscape of data security, Chief Information Security Officers (CISOs) and security leaders face threats from every direction. Despite this challenging environment, a striking paradox emerges from Metomic's 2024 CISO Survey: a high degree of confidence among security leaders, even in the face of concerning statistics.
In our mission to offer deep insights and informed perspectives on the state of data security, Metomic commissioned Harris Interactive to conduct a survey of 413 CISOs and security leaders working across the U.S. and UK1.
The survey reveals that 90% of CISOs and IT security leaders are confident their organizations can meet key security objectives. This confidence extends to security awareness training, with 89% agreeing that security awareness training initiatives have been successful. Furthermore, the majority (80%) believe their organization runs security training programs for employees outside the security organization often enough, and a significant 93% believe employees possess a high level of awareness regarding confidential and sensitive business data handling.
However, this optimism stands in stark contrast to the realities uncovered by the same report. Our analysis of 6.5 million Google Drive files revealed that, for typical modern businesses, between 15% and 40% of documents contain sensitive information, and in many cases up to 95% of those have misconfigured access settings. This could put an organization at risk of a data breach or cybersecurity attack. The proliferation of SaaS solutions like Slack, Jira, Zendesk, Microsoft Teams, and ChatGPT significantly increases the likelihood of a data breach even further.
Adding to this concern, the World Economic Forum states that 95% of cybersecurity issues can be traced back to human error2. This means employees are often unintentionally providing cybercriminals with opportunities to exploit systems by sharing sensitive information like personally identifiable information (PII), login credentials, and credit card numbers over unsecured collaborative work tools.
CISOs recognize the threats, with over 80% identifying customer data breaches, phishing schemes, and compromised accounts as their top data security concerns. Indeed, more than half of the respondents have already experienced malware and phishing attacks either occasionally or frequently.
This raises a critical question.
If training initiatives are so successful, why are these incidents still so prevalent, and why does human error remain the leading cause of breaches?
While robust security awareness training is undoubtedly crucial, its episodic nature may leave gaps in continuous protection.
Security leaders acknowledge this challenge, with 80% agreeing that security culture and awareness is their most crucial challenge. Budget is also a significant concern, listed by over 75% of respondents as a major challenge for the next 12 months.
An effective data security strategy requires more than just periodic training; it necessitates a strong, ingrained security culture and the right tools to empower employees to stop threats before they cause damage.
At Metomic, we believe companies shouldn't have to choose between workplace productivity and robust data security. Our platform is designed to provide security leaders with full visibility into their organization's SaaS environments.
As a next-generation security solution focused on cloud-based applications, Metomic gives security teams clear visibility into their organization's SaaS network to manage sensitive data and detect security threats. This allows businesses to take full advantage of their SaaS application network while implementing and maintaining a strong data security framework across the entire organization.
We help CISOs effectively implement security policies across the entire company, ensuring that the principles taught in security awareness training are consistently applied and enforced, safeguarding critical business data long after the training session concludes.