Originally published in ITBrief

The latest survey by ADAPT highlights severe cybersecurity risks facing Australian organisations amid increasing adoption of Artificial Intelligence (AI).

ADAPT’s bi-annual Security Edge survey polled 133 Chief Information Security Officers (CISOs), revealing that 65% of them lack the resources required to secure their organisations effectively. This resource constraint comes at a time when there’s a notable drive towards AI adoption, with 24% of organisations having deployed AI and an additional 72% planning to do so.

Gabby Fredkin, Head of Analytics and Insight at ADAPT, emphasised the challenge: “CISOs are being asked to do more to protect their organisations, but without receiving the funding or internal skills needed to get the job done. They’re being spread extremely thin across multiple departments as their responsibilities widen, leaving them with less time to focus on the fundamentals of remaining secure as AI-based vulnerabilities and fast-moving regulation change the security landscape.”

The survey further suggests that many firms are still at an early stage of AI readiness, with 45% of CISOs admitting to an immature capacity to assign accountability to data or standardise data controls. Gabby Fredkin pointed out: “Organisations are more vulnerable to cyber attacks and other forms of leakage when their data policies aren’t fully under wraps. Improving the maturity of data infrastructure, and deciding exactly who is responsible for that data infrastructure, will determine just how secure companies will be as they push forward with AI. But the reality is most organisations have a long way to go on this front. It’s up to company leadership to support a data-driven culture, which means making company data more integrated, accessible, accurate, actionable, and governed by easily understood guardrails – which is often easier said than done.”

Compliance with incoming regulations, including the Privacy Act and other acts and frameworks, is highlighted as a priority, with 75% of CISOs deeming the implications of these regulations critical. Fredkin stressed: “The amount of collaboration needed between the IT and risk departments is unprecedented, but there are differences in how cyber resilience is viewed, causing some friction between teams. Typically speaking, organisations that are secure by nature are compliant with cyber regulations, while mere compliance doesn’t guarantee security. Though the CISO views IT resilience as a continuous process and journey, the board can sometimes see the issue as a box-ticking exercise, not asking whether or not the organisation is secure, but whether or not they’re meeting the minimum risk requirements as far as their risk appetite is concerned.”

Economic pressure has heightened these challenges: insufficient funding is now the prime barrier to effective cybersecurity, having previously ranked third behind lack of executive support and the cyber skills shortage. Fredkin commented: “While CISOs and company boards might have different ideas about the budgets needed in order to remain secure, there’s no doubt that properly addressing the changing threat landscape calls for more investment. The most successful CISOs present the business case for cyber investment in net-present-value terms, making their boards think about the potential future cost of penalties and reputational harm against cybersecurity investment now, which seems like a reasonable investment in comparison.”

In summary, Australian CISOs are spending only 43% of their time on their core functions and are concerned about the scaling of software development risks due to AI. A notable 45% regarded risks from external developers as severe, while 44% were concerned about insufficient human oversight for AI-generated code.