
CISOs need to step up against cyber threats, report finds

By Catherine Knowles, Fri 10 Sep 2021

More than half of Oceania’s cybersecurity leaders (52%) say they have never felt as concerned as they do now about their ability to manage the cyber threat, according to the EY Global Information Security Survey 2021 (GISS).

As businesses in Oceania embrace digital transformation, the CISO is being left out of discussions and is failing to play a meaningful part in the change process, the report finds.

In addition, more than half (51%) of Oceania's cybersecurity leaders are working with budgets that fall short of what is required to manage the cyber-related challenges they've seen in the past 12 months, according to the report. This compares with 42% of respondents worldwide.

Four in 10 Oceania respondents believe it is only a matter of time until they suffer a major breach that could have been avoided had they been able to invest more in their defences.

To add to the pressure, Oceania's CISOs need to focus on additional safeguards and security in the context of the digital transformation agenda that so many are pursuing.

Around half (47%) of organisations in the region are investing significantly in data and technology over the next 12 months, and 39% will embark on at least one comprehensive transformation initiative in the coming year.

The survey suggests that CISOs in Oceania are struggling to make the case for elevating cybersecurity to a business priority. Even when boards recognise the gravity of the threat, they do not necessarily respond with additional support.

Less than 30% (27%) of cybersecurity leaders in the region believe their boards and executive management teams fully understand the value and needs of the cybersecurity function. By contrast, a more reassuring 42% of CISOs in other regions take the same view.

Just one in four (26%) Oceania CISOs think this understanding leads directly to additional funding, compared to 41% globally.

EY Oceania cybersecurity, privacy and trusted technology partner Nicola Hermansson urges executives to start repositioning themselves as agents of change, as this will put them in a stronger position to secure additional resources.

She says, “CISOs in our region are often great at the technical side of cybersecurity, but the gap is in their ability to articulate risk and secure the investment they need to make a bigger impact.

"One of the senior executives we spoke to in the region agrees that business understanding is key for CISOs.

"Cyber risk is probably the second or third biggest operational risk of any major government department or private enterprise, and the individuals who have accountability for it have to be senior business executives who know how to get on with people."

Hermansson says, “One way forward is for Oceania's CISOs to find more engaging ways to communicate the technical nature of the threat.

“There is certainly good cause for doing so: 61% flag that their boards are making decisions on cybersecurity even when they do not possess the expertise to understand the issues at hand.

"The bigger challenge is to frame the cybersecurity imperative in a commercial context."

She continues, “CISOs point to the need for security by design during digital transformation projects, so new initiatives come to market with cyber protections baked in rather than retrofitted.

"But many are not yet demonstrating why the cybersecurity function is instrumental to new value creation. Typically, you see the security function sitting within the IT function in this region, and that results in cyber being seen as an IT risk, when it is actually a business risk.

"If security teams get closer to the business, they will have more chance of getting the business to understand and own that risk."
