Why CISOs in Oceania need to drive a new focus on cybersecurity

The EY Global Information Security Survey 2021 finds businesses in Oceania investing in growth without including the CISO in critical decisions.

The governments of Australia and New Zealand have won global praise for their responses to COVID-19. Oceania’s businesses have, however, been less successful in escaping the cybersecurity threat that escalated in the wake of the crisis.

The risk of cyber-attack is growing at a time when many organisations urgently need to improve their defenses. “There has been an attitude in the past that the worst wouldn’t happen to us,” says Nicola Hermansson, EY Oceania Cybersecurity, Privacy and Trusted Technology Partner. “That complacency has been dispelled by some pretty significant breaches in our region.”

Hermansson points to denial-of-service attacks and ransomware strikes across the region that have seen anxiety levels soar. In the EY Global Information Security Survey 2021 (GISS), more than half of Oceania’s cybersecurity leaders (52%) say they have never felt as concerned as they do now about their ability to manage the cyber threat.

This concern is partly related to the spate of COVID-era attacks experienced by businesses worldwide. Almost eighty per cent (78%) of organisations in Oceania have seen an increase in the number of disruptive cyber-attacks during the past 12 months, while 44% are currently addressing the new risks posed by remote working.

But there is a wider issue at play. As businesses in Oceania embrace digital transformation, the CISO is being left out of discussions and is failing to play a meaningful part in the change process. Old weaknesses threaten to become serious vulnerabilities.

How, then, can Oceania’s CISOs confront the growing threat? And how can they build cybersecurity’s reputation as a growth-enabling function at the center of business transformation? Our research suggests that CISOs in Oceania have three priorities to address.

Secure additional budget to become an agent of change

CISOs in Oceania are frustrated. While budget pressures are a global concern in this year’s GISS, resources in Australia and New Zealand appear to be in particularly short supply. More than half (51%) of Oceania’s cybersecurity leaders are working with budgets that fall short of what is required to manage the cyber-related challenges that have emerged in the past 12 months. This compares with 42% of respondents worldwide.

The result is unease about unnecessary and avoidable risk. Four in 10 Oceania respondents believe it is only a matter of time until they suffer a major breach that could have been avoided had they been able to invest more in their defenses. Few will want to say “I told you so” when the company’s crown-jewel data is compromised by hackers.

To add to the pressure, Oceania’s CISOs need to focus on additional safeguards and security in the context of the digital transformation agenda that so many are pursuing. Around half (47%) of organisations in the region are investing significantly in data and technology over the next 12 months, and 39% will embark on at least one comprehensive transformation initiative in the coming year.

If CISOs do not have enough resources to confront today’s challenges, let alone the challenges of tomorrow, what should they do?

Hermansson urges these executives to start repositioning themselves as agents of change, as this will put them in a stronger position to secure additional resources. “CISOs in our region are often great at the technical side of cybersecurity, but the gap is in their ability to articulate risk and secure the investment they need to make a bigger impact,” she explains.

One of the senior executives we spoke to in the region agrees that business understanding is key. “Cyber risk is probably the second or third biggest operational risk of any major government department or private enterprise,” he says. “The individuals who have accountability for it have to be senior business executives who know how to get on with people.”

Broaden the skills base and enable professional development

Skills shortages are an ongoing challenge for cybersecurity functions in Oceania. Part of the issue is a widespread lack of qualified experts in the region: the not-for-profit AustCyber warned last year, for example, that Australia alone would face a shortfall of 18,000 experts by 2026. But this year’s GISS suggests that further training is required even when organisations in Oceania have recruited all the people they need.

Indeed, 42% of CISOs in Oceania say that improving their skills base is a top priority for the cybersecurity function; only 31% of respondents globally took this view.

CISOs are clear about their problem areas. Just 38% of Oceania cybersecurity leaders are confident in their teams’ understanding and anticipation of the latest strategies taken by threat actors. And well under half (39%) are assured in their team’s ability to ensure digital initiatives are secure by design.

One silver lining of the pandemic may be the way it has brought the skills issue into relief. Prior to the crisis, CISOs would have looked to plug their talent gaps by hiring from abroad. With borders in the region closed, that has not been possible, exposing Oceania’s lack of expertise.

“In a way, that creates lots of opportunity for people who want to get into this space,” says Hermansson. “As security professionals, we’ve got to do our best to educate, to train, and to upskill our workforces.”

Conclusion: How Oceania’s CISOs should rise to the challenge

CISOs in Oceania face challenges that would be familiar to many of their counterparts around the world. But, in many instances, they have a more urgent need to upgrade their capabilities and reach a higher level of maturity. With that in mind, three responses could prove crucial:

Prioritise the skills gap – with a broader remit than in the past
There is no escaping Oceania’s shortage of cybersecurity professionals, at least in the short term, and upskilling the existing skills-base must become a critical priority. But CISOs should aim higher than this: building knowledge of the cybersecurity threat across the enterprise has the potential to reduce pressure on the function. By deepening board-members understanding of the threat, they will ensure they receive additional support.

To become more persuasive and influential, cybersecurity professionals also need to focus on softer skills. Right now, just 24% of Oceania CISOs believe their executive management team would describe the cybersecurity function as speaking the same language as the business.

Build new bridges across the organisation
Operating within the IT function, and often focused on technical issues, too many cybersecurity functions have failed to build strong relationships with key business partners.

Just one in five CISOs in Oceania (21%) describe their relationship with marketing as one of high trust and consultation. Investing time in growing these relationships will not only enable CISOs to play a broader role in transformation, and to be included in the earliest stages of planning, but also secure new advocates as they push for increased resources.

Reposition cybersecurity as an enabler
One of the biggest challenges for Oceania CISOs is to change the perception of their colleagues. Too many are seen as blockers of new initiatives, rather than enablers of transformation that are essential for making new technology initiatives secure and sustainable. Just 27% believe their executives see them as commercially minded, and just 28% say they are thought of as enabling innovation.

Resetting these outdated perceptions – reframing cybersecurity as a strategically minded enabler of change, critical for realising the business’ technology ambitions – should be a top priority for the post-pandemic era.