David Braue
Editor at Large

Poorly educated boards mean less cybersecurity funding for ANZ CISOs

News Analysis
Sep 26, 2021 | 5 mins
IT Management | Risk Management | Security

Just a quarter of board members in Australia and New Zealand understand cybersecurity well enough to make appropriate funding decisions, according to a recent survey.

[Image: Bridging skills gap. Credit: Getty]

“Frustrated” Australian and New Zealand CISOs are being left out of high-level strategic discussions, according to a regional survey that found more than half are fighting a rising tide of cybercriminal activity with budgets that are far too small for what’s required.

Fully 51% of the cybersecurity leaders in the Oceania region said their security budgets are less than what they require—well above the 42% figure who said they felt that way globally.

The gap between boards and CISOs

Four in 10 respondents to the EY Global Information Security Survey 2021 said it is only a matter of time until their companies are breached in a way that could have been avoided with more funding.

“The result is unease about unnecessary and avoidable risk,” said Nicola Hermansson, cybersecurity, privacy, and trusted technology partner at EY Oceania, who warned that regional CISOs are “frustrated”. “While budget pressures are a global concern, resources in Australia and New Zealand appear to be in particularly short supply, and old weaknesses threaten to become serious vulnerabilities.”

Executive teams are notably less well informed about cybersecurity issues, ANZ CISOs said, with just 27% of respondents agreeing that their boards and executive management teams fully understand the value and needs of cybersecurity—well behind the 42% of CISOs who felt that way globally.

Boards were even less appreciative of the demands of effective cybersecurity, with 30% of Oceania CISOs saying their company boards have trouble understanding the need for increased funding—compared with 23% globally.

Equally concerning, 61% of CISOs said their boards are making decisions about cybersecurity even when they lack the expertise to understand the issues at hand. Ineffective communication seems to be the culprit, with CISOs pressed to find “more engaging ways to communicate the technical nature of the threat,” Hermansson said. “If security teams get closer to the business, they will have more chance of getting the business to understand and own that risk.”

Challenging leadership dynamics

The figures bolster a persistent narrative about the disconnect between business and technology teams, which has hampered strategic investment in technology and cybersecurity-related areas.

In many ANZ companies, CISOs have been found to be no more effective at advocating for cybersecurity investments than CIOs, with ISACA’s recent State of Cybersecurity 2021 study finding no difference between organisational views about changes in cyberattacks, confidence levels relating to detecting and responding to cyber threats, and perceptions about cybercrime reporting.

Executives were more likely to value cyberrisk assessments in companies where CIOs manage the cybersecurity function, ISACA found, while boards were more likely to prioritise cybersecurity and have better alignment with organisational objectives when the cybersecurity function was managed by CISOs.

One way of ensuring that funding is better aligned with requirements is to conduct regular cybersecurity maturity assessments across the enterprise; 68% of ISACA respondents reported doing so, and the practice was linked with having appropriate cybersecurity budgets and well-staffed teams.

“In a complex, constantly changing cybersecurity landscape that is subjecting enterprises to increasingly severe attacks, assessing cybersecurity maturity can play a role in determining whether enterprises have effective security programs,” said Renju Varghese, chief architect for cybersecurity and GRC services at IT consultancy HCL Technologies.

“Taking a proactive, risk-based approach to assessments, versus simply meeting compliance requirements, will serve enterprises well in ensuring their cybersecurity goals are met—and that they can continue to pivot as needed as the threat landscape shifts,” he said.

The implications of ongoing poor alignment are being felt at a high level, with the recently updated Digital Quality of Life Index ranking Australia 17th in the world overall—but 37th when it comes to cybersecurity.

How to change the cybersecurity dynamic with the board

There are signs that ANZ companies recognise the need for change, at least, with a recent survey from cybersecurity vendor Sophos finding that 43% of organisations expect that a CISO will be running their cybersecurity functions within two years—up from just 37% now.

This will be accompanied with a steady increase in the proportion of technology budgets spent on cybersecurity—which will increase from 6% of IT budgets to 9% within 24 months, the survey found.

Solution providers hoping to cash in on this, however, will need to make sure they take the time to understand companies’ business requirements—with 70% of the Sophos respondents citing poor understanding of business issues as the top mistake that product and service vendors make when engaging them.

To break down the lingering disconnects between business understanding and cybersecurity spend, EY’s Hermansson said, “The bigger challenge is to frame the cybersecurity imperative in a commercial context. … CISOs point to the need for security by design during digital transformation projects, so new initiatives come to market with cyber protections baked in rather than retrofitted. But many are not yet demonstrating why the cybersecurity function is instrumental to new value creation.”