Cybersecurity literacy, not technology, is the biggest headache for security leaders.

Credit: Ryan McGuire

The rush to invest in cybersecurity tools is creating drag on digital transformation, analysts have warned as new figures suggest “frazzled” Australian CISOs are feeling strain due to the ongoing challenges of the cybersecurity skills deficit, fatigued security teams, vulnerabilities in legacy systems, and other everyday challenges.

Security leaders named cybersecurity awareness training as their top investment priority over the next 12 months, Australian research and advisory firm Adapt noted in a newly released report, which also found that the lack of in-house security skills was perceived as the biggest barrier to progressing with cybersecurity initiatives.

Fully 85% of respondents claimed they were struggling due to a lack of skills and—despite recent Gartner findings that 65% of Australian workers consider themselves ‘savvy’ with digital technologies—nearly as many Adapt respondents named security awareness and budget constraints as their two other biggest sources of stress.

The results confirm that skills, people, and budget remain the major operational challenges impeding better corporate cybersecurity postures.

Why cybersecurity leaders are ‘frazzled’

“Cybersecurity leaders have good reason to be frazzled,” said Adapt senior research strategist Aparna Sundararajan.
They “are being asked to navigate a network of over 1,200 security vendors, manage thousands of staff not yet sold on the importance of security, negotiate budget increases, find the right talent, and accommodate fast-moving government mandates—all while dealing with a constantly evolving threat environment,” she said.

No wonder 74% of cybersecurity leaders reported dealing with security “fatigue” exacerbated by the continuing threat from attacks usually tied to user error—including ransomware, which was cited by 90% of respondents as a threat, phishing attacks (84%), identity theft (79%), and third-party risks (79%).

Aiming to improve their users’ cybersecurity awareness and head off potential compromises, cybersecurity leaders’ strong focus on user awareness training reinforced the importance of the human element in planning cybersecurity strategies for 2022—during which, Adapt found, 72% of security executives expect cybersecurity funding to increase.

“It’s now beyond question that low cybersecurity literacy, not inadequate technology, presents the greatest barrier to robust security,” Sundararajan said, “and security leaders are responding by directing their budgets to awareness programs.”

Security budgets: Too much of a good thing?

Yet with many companies still working to recover from pandemic-driven hits to revenue, Adapt’s finding that 22% of respondents expect budget increases of 20% or more actually reinforces recent concerns by Gartner that a ‘cybersecurity tax’ may threaten Australian and New Zealander companies’ growth by limiting their ability to invest in other areas of IT.

“The continuing need to invest heavily in cybersecurity in ANZ is creating a cybersecurity ‘tax’,” said Gartner distinguished research vice president Andy Rowsell-Jones in a statement, “hindering progress in other areas by redirecting investments that could be used for future innovation.”

Although Gartner expects Australian IT budgets overall to grow at their fastest rate in
a decade, the research firm’s latest CIO survey, which included 114 ANZ CIOs and 2,273 from elsewhere in the world, corroborated Adapt’s results in finding that 73% of respondents will spend more on cybersecurity in 2022 than in 2021.

That put cybersecurity ahead of even data analytics, the previous top investment priority, and was contributing to CIO expectations that 2022 would see decreasing investment in legacy infrastructure and data-centre technologies, application modernisation, and enterprise resource planning.

Resolving the tension between investing in cybersecurity and investing in business change requires efforts to improve what Gartner has termed the ‘composability’ of the organisation: the mindset, technologies, and operating capabilities that enable organisations to innovate and adapt quickly to changing business needs.

High degrees of composability have been linked with better business performance—63% of CIOs at highly-composable organisations reported superior business performance over the past year—but with just 4% of Australian organisations rated as highly composable, Rowsell-Jones said, businesses had a lot of work to do before they could make up for cybersecurity’s short-term revenue drain.

“Australian leaders tend to think of business composability as being an IT thing, instead of a mindset change across the business,” he added, noting that “being a composable business means investing in flexibility and agility, putting in place a modular structure that enables assets to be reconfigured to suit conditions. This offers enormous value, but there’s a lack of pressure for organisations in ANZ to change.”