itb-nz logo
Story image

GCSB report: NZ firms lack CISOs, human investment

01 Nov 2018

More than 80% of New Zealand’s nationally significant organisations don’t have a dedicated chief information security officer (CISO), with many opting to either include responsibilities in a broader role or simply go without a CISO altogether.

The Government Communication Security Bureau (GCSB) and National Cybersecurity Centre (NCSC) published the country’s first benchmark of how 250 of NZ’s nationally significant organisations stack up when it comes to cybersecurity.

Of those surveyed, 63% have a cybersecurity incident response plan, but 33% of those had not tested that plan in the last year.

Despite the lack of a CISO to guide the way, 73% of organisations increased their cybersecurity spending in the last year. 

Seventy percent of organisations had increased spending on new security tools, while 45% had increased spend on more IT security staff. Fifty-four percent increased spending on IT staff training.

While tools and vulnerability assessments are a central focus for spending, the benchmark says that these are coming with an even higher price – the cost of investment in people. 

Fifty-two percent of organisations said they do not have enough skilled staff to meet their security requirements. 

What’s more, cybersecurity spending isn’t necessarily resulting in more cyber-confident organisations. 41% of organisations are mildly confident or not confident in their ability to detect an intrusion.

Managed security service providers should also take note: Of the organisations who use MSP services, 36% say they have no mechanism to confirm whether their provider is delivering on the agreed level of security.

“Overall it appears that digital transformation is outpacing investment in cybersecurity and as a result we found a range of resilience levels,” says GCSB director—general Andrew Hampton.

“While most organisations are heading in the right direction, more work needs to be done to improve cyber resilience across the board.”

The benchmark report adds that there are four areas of good practice that can help organisations focus their efforts for the greatest effect.

They include: •    Governance – Promoting cybersecurity at a senior leadership level to protect an organisation’s most important digital assets.  •    Investment – Investing in cybersecurity to minimise risk and maximise returns.  •    Readiness – Preparing the organisation to detect, respond, and recover from a cybersecurity incident.  •    Supply Chain – Maintaining oversight and awareness of the cybersecurity risks in an organisation’s supply chain.

Each of the 250 organisations received its own individualised and commercially-sensitive report as part of the findings. The reports cover actions that the organisations can take to increase their cyber resilience.

Those actions include: •    Establishing clear accountability for cybersecurity; •    Regular reporting on cybersecurity, including near misses, to executives and directors; •    Balancing strategic investment in assets and staff over vulnerability assessment; •    Identification of critical information assets and risks to those assets; •    Having a dedicated budget line for IT security; •    Preparing and regularly testing a cybersecurity incident response plan, and •    Ensuring third party vendors include specific cybersecurity service level agreements and the right to be audited on cybersecurity performance.

“Cybersecurity is a team sport and we all have to do our bit. In this interconnected world we are all just one click away from a potential threat,” Hampton concludes.

The GCSB and the NCSC are committed to working with less mature organisations to raise overall cybersecurity resilience.

Link image
Get Fortinet's cyber expertise at your fingertips
Whether you're interested in threat reports, solutions, or webinars - Fortinet's vast resources are essential reading.More
Story image
Starschema launches COVID-19 dataset on Snowflake's Data Exchange
“It’s essential organisations have access to accurate, near real-time data in this rapidly evolving environment and were humbled that the platform architecture is uniquely positioned to help democratise access to Starschema’s data in this time of need.”More
Story image
Axios Systems bolsters University of Canterbury's IT service management
“The Axios Systems team had clearly addressed the requirements set out in our RFP Documentation. Not only did they answer the question of assyst’s capability, but also commented on how we could expand the use of the same functionality in the future phases of our implementation."More
Story image
Interview: Barracuda decision-makers discuss public cloud security
Last month, Barracuda released a report outlining the security barriers organisations must overcome to adopt the public cloud, as studies reveal that security was the top concern for such organisations.More
Link image
Learn the art of working remotely
Use Microsoft Teams to your advantage with short, sharp courses for all of your staff - complete with bonus Mastering Remote Working Madness = presentation.More
Story image
Local Govt NZ: 12-months rates freeze misguided during COVID-19 pandemic
The request from the Taxpayers’ Union to implement a 12-month rates freeze is misguided and has the potential to put the brakes on economic recovery.More