10 minute read 7 Sep 2021
A surfer diving into the ocean

Why CISOs in Oceania need to drive a new focus on cybersecurity

By Nicola Hermansson

EY Oceania Cyber Consulting Leader

Energetic and passionate leader. Provides cyber and privacy services focused on building trust. Wife. Mother. Average netball player.

10 minute read 7 Sep 2021

The EY Global Information Security Survey 2021 finds businesses in Oceania investing in growth without including the CISO in critical decisions.

In brief
  • A spate of recent cyber-attacks has been a wake-up call for businesses in Australia and New Zealand.
  • Addressing the skills shortage is the Chief Information Security Officer’s (CISO's) top priority as they look to support digital transformation and enable growth.
  • 61% warn that their executive teams are making decisions on cybersecurity without understanding the threat.

The governments of Australia and New Zealand have won global praise for their responses to COVID-19. Oceania’s businesses have, however, been less successful in escaping the cybersecurity threat that escalated in the wake of the crisis.

The risk of cyber-attack is growing at a time when many organisations urgently need to improve their defenses. “There has been an attitude in the past that the worst wouldn’t happen to us,” says Nicola Hermansson, EY Oceania Cybersecurity, Privacy and Trusted Technology Partner. “That complacency has been dispelled by some pretty significant breaches in our region.”

Hermansson points to denial-of-service attacks and ransomware strikes across the region that have seen anxiety levels soar. In the EY Global Information Security Survey 2021 (GISS), more than half of Oceania’s cybersecurity leaders (52%) say they have never felt as concerned as they do now about their ability to manage the cyber threat.

This concern is partly related to the spate of COVID-era attacks experienced by businesses worldwide. Almost eighty per cent (78%) of organisations in Oceania have seen an increase in the number of disruptive cyber-attacks during the past 12 months, while 44% are currently addressing the new risks posed by remote working.

But there is a wider issue at play. As businesses in Oceania embrace digital transformation, the CISO is being left out of discussions and is failing to play a meaningful part in the change process. Old weaknesses threaten to become serious vulnerabilities.

How, then, can Oceania’s CISOs confront the growing threat? And how can they build cybersecurity’s reputation as a growth-enabling function at the center of business transformation? Our research suggests that CISOs in Oceania have three priorities to address.

Secure additional budget to become an agent of change

CISOs in Oceania are frustrated. While budget pressures are a global concern in this year’s GISS, resources in Australia and New Zealand appear to be in particularly short supply. More than half (51%) of Oceania’s cybersecurity leaders are working with budgets that fall short of what is required to manage the cyber-related challenges that have emerged in the past 12 months. This compares with 42% of respondents worldwide.

The result is unease about unnecessary and avoidable risk. Four in 10 Oceania respondents believe it is only a matter of time until they suffer a major breach that could have been avoided had they been able to invest more in their defenses. Few will want to say “I told you so” when the company’s crown-jewel data is compromised by hackers.

To add to the pressure, Oceania’s CISOs need to focus on additional safeguards and security in the context of the digital transformation agenda that so many are pursuing. Around half (47%) of organisations in the region are investing significantly in data and technology over the next 12 months, and 39% will embark on at least one comprehensive transformation initiative in the coming year.

If CISOs do not have enough resources to confront today’s challenges, let alone the challenges of tomorrow, what should they do?

Hermansson urges these executives to start repositioning themselves as agents of change, as this will put them in a stronger position to secure additional resources. “CISOs in our region are often great at the technical side of cybersecurity, but the gap is in their ability to articulate risk and secure the investment they need to make a bigger impact,” she explains.

One of the senior executives we spoke to in the region agrees that business understanding is key. “Cyber risk is probably the second or third biggest operational risk of any major government department or private enterprise,” he says. “The individuals who have accountability for it have to be senior business executives who know how to get on with people.”

Help business leaders fathom the scale of threat

The survey suggests that CISOs in Oceania are struggling to make the case for elevating cybersecurity to a business priority. Even when boards recognise the gravity of the threat, they do not necessarily respond with additional support.

Less than 30% (27%) of cybersecurity leaders in the region believe their boards and executive management teams fully understand the value and needs of the cybersecurity function. By contrast, a more reassuring 42% of CISOs in other regions take the same view.

Similarly, while 23% of CISOs outside of Oceania say their boards have difficulties understanding the need for increased funding, the figure rises to 30%, on average, in Australia and New Zealand. Just one in four (26%) Oceania CISOs think this understanding leads directly to additional funding, compared to 41% globally.

One way forward is for Oceania’s CISOs to find more engaging ways to communicate the technical nature of the threat. There is certainly good cause for doing so, 61% flag that their boards are making decisions on cybersecurity even when they do not possess the expertise to understand the issues at hand.

But the bigger challenge is to frame the cybersecurity imperative in a commercial context. CISOs point to the need for security by design during digital transformation projects, so new initiatives come to market with cyber protections baked in rather than retrofitted. But many are not yet demonstrating why the cybersecurity function is instrumental to new value creation.

“Typically, you see the security function sitting within the IT function in this region, and that results in cyber being seen as an IT risk, when it is actually a business risk,” says Hermansson. “If security teams get closer to the business, they will have more chance of getting the business to understand and own that risk.”

Broaden the skills base and enable professional development

Skills shortages are an ongoing challenge for cybersecurity functions in Oceania. Part of the issue is a widespread lack of qualified experts in the region: the not-for-profit AustCyber warned last year, for example, that Australia alone would face a shortfall of 18,000 experts by 2026. But this year’s GISS suggests that further training is required even when organisations in Oceania have recruited all the people they need.

Indeed, 42% of CISOs in Oceania say that improving their skills base is a top priority for the cybersecurity function; only 31% of respondents globally took this view.

CISOs are clear about their problem areas. Just 38% of Oceania cybersecurity leaders are confident in their teams’ understanding and anticipation of the latest strategies taken by threat actors. And well under half (39%) are assured in their team’s ability to ensure digital initiatives are secure by design.

One silver lining of the pandemic may be the way it has brought the skills issue into relief. Prior to the crisis, CISOs would have looked to plug their talent gaps by hiring from abroad. With borders in the region closed, that has not been possible, exposing Oceania’s lack of expertise.

“In a way, that creates lots of opportunity for people who want to get into this space,” says Hermansson. “As security professionals, we’ve got to do our best to educate, to train, and to upskill our workforces.”

Cyber and privacy leaders' agenda

Cyber and privacy leaders must act now to tackle today’s most pressing security challenges.

Read more

Conclusion: How Oceania’s CISOs should rise to the challenge

CISOs in Oceania face challenges that would be familiar to many of their counterparts around the world. But, in many instances, they have a more urgent need to upgrade their capabilities and reach a higher level of maturity. With that in mind, three responses could prove crucial:

Prioritise the skills gap – with a broader remit than in the past
There is no escaping Oceania’s shortage of cybersecurity professionals, at least in the short term, and upskilling the existing skills-base must become a critical priority. But CISOs should aim higher than this: building knowledge of the cybersecurity threat across the enterprise has the potential to reduce pressure on the function. By deepening board-members understanding of the threat, they will ensure they receive additional support.

To become more persuasive and influential, cybersecurity professionals also need to focus on softer skills. Right now, just 24% of Oceania CISOs believe their executive management team would describe the cybersecurity function as speaking the same language as the business.

Build new bridges across the organisation
Operating within the IT function, and often focused on technical issues, too many cybersecurity functions have failed to build strong relationships with key business partners.

Just one in five CISOs in Oceania (21%) describe their relationship with marketing as one of high trust and consultation. Investing time in growing these relationships will not only enable CISOs to play a broader role in transformation, and to be included in the earliest stages of planning, but also secure new advocates as they push for increased resources.

Reposition cybersecurity as an enabler
One of the biggest challenges for Oceania CISOs is to change the perception of their colleagues. Too many are seen as blockers of new initiatives, rather than enablers of transformation that are essential for making new technology initiatives secure and sustainable. Just 27% believe their executives see them as commercially minded, and just 28% say they are thought of as enabling innovation.

Resetting these outdated perceptions – reframing cybersecurity as a strategically minded enabler of change, critical for realising the business’ technology ambitions – should be a top priority for the post-pandemic era.

Summary

To support growth in the face of an increasing cyber threat, CISOs in Oceania need to secure the right skills and educate the executive team about the scale of the cyber challenge and the strategic value that they can provide to the business.

About this article

By Nicola Hermansson

EY Oceania Cyber Consulting Leader

Energetic and passionate leader. Provides cyber and privacy services focused on building trust. Wife. Mother. Average netball player.