9th April 2024, Sydney, Australia – Following a survey of 137 Australian Chief Information Security Officers (CISOs) representing organisations responsible for over 26% of Australia’s GDP, local technology research and advisory organisation, ADAPT, has today released the results of its 2024 Security Edge survey.
Mr. Gabby Fredkin, Head of Analytics and Insight at ADAPT, noted a significant general improvement in organisations’ overall cyber posture over the last twelve months, but cautions over fast-evolving AI and third-party risks:
“While resourcing still isn’t where it should be[1], there’s been a great deal of improvement in the cybersecurity posture of organisations. We’re more secure and compliant than we were 12 months ago, but incoming and sometimes complicated legislation combined with emergent AI-based risks means cyber teams have more on their plates than ever, so deciding which measures need the most attention is becoming even harder.
That said, we can see a real improvement in cyber culture: The majority of CISOs believe their organisation’s understanding of cyber risk is maturing, they’re reporting a stronger relationship with their executive teams, are collaborating more effectively with their product teams, and are much better at implementing security into their processes from the beginning”.
Organisations press on with AI deployments despite security concerns
The survey revealed most CISOs are deploying Artificial Intelligence despite being largely unable to protect AI infrastructure and defend against AI-based attacks, suggesting a lack of readiness to safely adopt the technology[2].
While ADAPT’s February 2024 CIO Edge survey revealed just 9% of CIOs feel ready to harness the value of AI in 2024, the Security Edge survey suggested less than a third (29%) of CISOs consider their ability to safeguard their AI models against cyber risks as “mature”. Mr. Fredkin believes a lack of data maturity[3] is the main factor preventing the safe adoption of AI for the majority of Australian organisations:
“The potential for AI to amplify the risk posed to our data remains huge until we improve how we handle it. It’s up to company leadership, not just the cyber or IT leaders, to support a data-driven culture, which means making company data more integrated, accessible, accurate, actionable, and governed by easily understood guardrails – no small feat.”
Compliance trumping threat prevention and detection
“Ensuring governance and compliance” ranked first among the security goals of respondents, with “safeguarding organisational data” and “enhancing cyber resilience” listed as their second and third priorities, respectively.
Additionally, when asked about how they spend their time, CISOs indicated they are spending more time on compliance than taking specific steps to protect their organisation. Fredkin says that while improving rates of compliance are promising[4], he’s careful to remind CISOs that compliance doesn’t necessarily equal security:
“If you’re secure, you’re likely compliant by nature. The question, which is one for the private sector and regulators to work out together, is how we can avoid viewing compliance as a box-ticking exercise, instead making compliance a by-product of being secure and trusted.”
Third-party risks require more attention: ADAPT analyst
The survey revealed just over a third (35%) of Australian CISOs are confident in their ability to defend their organisation against third-party risks, while 22% of respondents claimed protecting against third-party threats continues to be “full of friction”.
Additionally, protection against third-party breaches fell from the fifth investment priority to eighth over the last twelve months. While Fredkin understands CISOs’ priority for compliance and cyber awareness[5], the spate of high-profile third-party breaches should give pause to organisations not yet dedicated to tackling the issue:
“We’re not asking enough questions about how we assess our third-party providers, particularly as the risks posed by AI become more serious. Vendors would be well served to improve their transparency about if (and how) their customers’ data will be used to train emerging AI models, considering a full 40% of CISOs consider the risks presented by their software supply chain as ‘severe’.”
Footnotes:
1. 66% of CISOs said they lack the resources to effectively execute their cyber strategies, on average requiring 41% more resources.
2. 72% of CISOs plan on deploying AI in the next twelve months, while 91% claim they remain unprepared for its potential cybersecurity impact.
3. The survey revealed over half (56%) of CISOs aren’t able to effectively prevent data leakage from their organisation, while 51% indicate a lack of accountability for improving their data maturity, and 47% consider their ability to define ownership of data as “immature”.
4. 66% of CISOs claimed their ability to comply with regulations is now “seamless”, while 69% of respondents said they’re better at connecting their security budgets to business and regulatory outcomes than at the same time 12 months ago.
5. 41% of CISOs are now conducting cyber awareness training among their teams monthly, compared to just 30% of CISOs in the previous 12 months.