The EY Global Information Security Survey 2021 (GISS) has revealed more than half of Oceania’s cyber security leaders (52 per cent) say they have never felt as concerned as they do now about their ability to manage the cyber threat.
The survey has also identified the CISO is being left out of discussions and is failing to play a meaningful part in the change process as businesses in Oceania embrace digital transformation.
CISOs in Oceania are frustrated, according to Nicola Hermansson, EY Oceania cybersecurity, privacy and trusted technology partner.
“While budget pressures are a global concern in this year’s GISS, resources in Australia and New Zealand appear to be in particularly short supply, and old weaknesses threaten to become serious vulnerabilities,” Hermansson added.
“More than half (51 per cent) of Oceania’s cybersecurity leaders are working with budgets that fall short of what is required to manage the cyber-related challenges they’ve seen in the past 12 months. This compares with 42 per cent of respondents worldwide.
“The result is unease about unnecessary and avoidable risk.”
Four out of 10 Oceania respondents believe it is only a matter of time until they suffer a major breach that could have been avoided had they been able to invest more in their defences.
“To add to the pressure, Oceania’s CISOs need to focus on additional safeguards and security in the context of the digital transformation agenda that so many are pursuing,” Hermansson said.
“Few will want to say 'I told you so' when the company’s crown-jewel data is compromised by hackers.”
Around half (47 per cent) of organisations in the region are investing significantly in data and technology over the next 12 months, and 39 per cent will embark on at least one comprehensive transformation initiative in the coming year.
Hermansson is urging executives to start repositioning themselves as agents of change, as this will put them in a stronger position to secure additional resources.
“CISOs in our region are often great at the technical side of cybersecurity, but the gap is in their ability to articulate risk and secure the investment they need to make a bigger impact,” she said.
“One of the senior executives we spoke to in the region agrees that business understanding is key for CISOs.
“Cyber risk is probably the second or third biggest operational risk of any major government department or private enterprise, and the individuals who have accountability for it have to be senior business executives who know how to get on with people.”
The survey suggests that CISOs in Oceania are struggling to make the case for elevating cybersecurity to a business priority. Even when boards recognise the gravity of the threat, they do not necessarily respond with additional support.
Only 27 per cent of cyber security leaders in the region believe their boards and executive management teams fully understand the value and needs of the cyber security function. By contrast, a more reassuring 42 per cent of CISOs in other regions take the same view.
Similarly, while 23 per cent of CISOs outside of Oceania say their boards have difficulties understanding the need for increased funding, the figure rises to 30 per cent, on average, in Australia and New Zealand. Just one in four (26 per cent) Oceania CISOs think this understanding leads directly to additional funding, compared with 41 per cent globally.
“One way forward is for Oceania’s CISOs to find more engaging ways to communicate the technical nature of the threat,” Hermansson said.
The survey has found that over 61 per cent of CISOs flag that their boards are making decisions on cybersecurity even when they do not possess the expertise to understand the issues at hand.
“The bigger challenge is to frame the cybersecurity imperative in a commercial context,” Hermansson said.
“CISOs point to the need for security by design during digital transformation projects, so new initiatives come to market with cyber protections baked in rather than retrofitted.
“Typically, you see the security function sitting within the IT function in this region, and that results in cyber being seen as an IT risk, when it is actually a business risk.
“If security teams get closer to the business, they will have more chance of getting the business to understand and own that risk.”
Nastasha is a journalist at Momentum Media. She reports extensively across veterans' issues, cyber security and geopolitics in the Indo-Pacific. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! 7 and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. She started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.