Many Australian IT leaders mistakenly believe they will see IT-security budgets increasing over the next two years, but executives have other thoughts on the issue, according to recent research that found the misalignment of expectations is stronger in Australia than in other countries in the Asia-Pacific region.

Fully 27 percent of IT-security executives in the global study of 1100 senior executives predicted a major increase in their security budget over the next two years, but only 13 percent of the C-suite respondents saw similar growth on the horizon.

This, despite broad agreement that the risk of cyberattacks is increasing – a statement agreed to by 16 percent of C-suite respondents and 18 percent of IT-security executives.

The research work – conducted by the Economist Intelligence Unit on behalf of VMware – found that, despite IT executives’ growing concerns, cybersecurity is only the ninth most-important strategic priority for Australia’s C-suite executives.

Although Australia’s C-suite and security leaders were largely aligned around the importance of protecting the company’s reputation, regulated data and customer information, the business leaders were far less clear on the importance of cybersecurity policy in achieving these goals. Just 5 percent of those executives said protecting against cyber-attacks was a priority, compared with 28 percent of IT executives. Australian business leaders were more concerned with issues such as acquiring new customers (14 percent vs 6 percent) and growing internationally (16 percent vs 8 percent).

“The C-suite’s priorities are clear,” the report’s authors note. “Their primary single concern is to safeguard the reputation and brand of the firm. In contrast, security executives are focused on the data and the software….
Lack of commitment [to security] can have direct implications for firms’ security posture, by limiting funding and diminishing the impetus for organisational change.”

Businesses across all industry sectors face ongoing compromises, with fraudulent mobile apps, espionage-minded hackers, and ever-changing and increasingly malicious ransomware adding to recognised threats such as security risks that permeate critical infrastructure. Despite these multitudinous threats, the EIU findings suggest that business executives still downplay the threat of cybersecurity incidents: far fewer C-suite respondents agreed that their company was likely to experience a serious cyber-breach within 90 days (12 percent vs 31 percent of IT-security executives), one year (23 percent vs 40 percent), three years (25 percent vs 38 percent), and five years (27 percent vs 39 percent).

While they recognise security as an abstract threat, it appears that business executives are still falling back into their comfort zones, focusing on business growth even as security advisors are recommending that businesses get more proactive about tracking down cybercriminals and acting to protect themselves online. The Australian results were below global benchmarks, with 35 percent of global IT executives citing protection against cyber-attacks as their #1 priority and acquiring new customers, at 14 percent, given more than twice the priority that it is amongst Australian IT executives.

Some 13 percent of global IT executives also prioritised ensuring regulatory compliance while 9 percent saw it as crucial to launch new products and services. Those findings were echoed when C-suite executives and IT leaders were asked what was the single most important asset in the company that needed to be protected from cyber-attacks.
IT-security leaders nominated regulated data (25 percent), customer information (20 percent), the company’s reputation with customers (16 percent) and the company’s applications and services (14 percent). C-suite respondents, on the other hand, were more concerned about protecting the company’s reputation with customers (25 percent), private internal communications (14 percent), strategic plans and initiatives (12 percent), regulated data (12 percent), and customer information (10 percent).

“Total information security is an impractical goal,” the report concludes, “so companies need to prioritise their more valuable or vulnerable assets. Unfortunately, this study reveals that the C-suite and security leadership are not in sync on what needs to be protected the most.”