Originally published in CSO

The rush to invest in cybersecurity tools is creating drag on digital transformation, analysts have warned as new figures suggest “frazzled” Australian CISOs are feeling strain due to the ongoing challenges of the cybersecurity skills deficit, fatigued security teams, vulnerabilities in legacy systems, and other everyday challenges.

Security leaders named cybersecurity awareness training as their top investment priority over the next 12 months, Australian research and advisory firm Adapt noted in a newly released report, which also found that the lack of in-house security skills was perceived as the biggest barrier to progressing with cybersecurity initiatives.

Fully 85% of respondents claimed they were struggling due to a lack of skills and—despite recent Gartner findings that 65% of Australian workers consider themselves ‘savvy’ with digital technologies—nearly as many Adapt respondents named security awareness and budget constraints as their two other biggest sources of stress.

The results confirm that skills, people, and budget remain the major operational challenges impeding better corporate cybersecurity postures.


Why cybersecurity leaders are ‘frazzled’

“Cybersecurity leaders have good reason to be frazzled,” said Adapt senior research strategist Aparna Sundararajan. They “are being asked to navigate a network of over 1,200 security vendors, manage thousands of staff not yet sold on the importance of security, negotiate budget increases, find the right talent, and accommodate fast-moving government mandates—all while dealing with a constantly evolving threat environment,” she said.

No wonder 74% of cybersecurity leaders reported dealing with security “fatigue” exacerbated by the continuing threat from attacks usually tied to user error—including ransomware, which was cited by 90% of respondents as a threat, phishing attacks (84%), identity theft (79%), and third-party risks (79%).

Aiming to improve their users’ cybersecurity awareness and head off potential compromises, cybersecurity leaders’ strong focus on user awareness training reinforced the importance of the human element in planning cybersecurity strategies for 2022—during which, Adapt found, 72% of security executives expect cybersecurity funding to increase.

It’s now beyond question that low cybersecurity literacy, not inadequate technology, presents the greatest barrier to robust security,” Sundararajan said, “and security leaders are responding by directing their budgets to awareness programs.”


Security budgets: Too much of a good thing?

Yet with many companies still working to recover from pandemic-driven hits to revenue, Adapt’s finding that 22% of respondents expect budget increases of 20% or more actually reinforces recent concerns by Gartner that a ‘cybersecurity tax’ may threaten Australian and New Zealander companies’ growth by limiting their ability to invest in other areas of IT.

“The continuing need to invest heavily in cybersecurity in ANZ is creating a cybersecurity ‘tax’,” said Gartner distinguished research vice president Andy Rowsell-Jones in a statement, “hindering progress in other areas by redirecting investments that could be used for future innovation.”

Although Gartner expects Australian IT budgets are overall expected to grow at their fastest rate in a decade, the research firm’s latest CIO survey, which included 114 ANZ CIOs and 2,273 from elsewhere in the world, corroborated Adapt’s results in finding that 73% of respondents will spend more on cybersecurity in 2022 than in 2021.

That put cybersecurity ahead of even data analytics, the previous top investment priority, and was contributing to CIO expectations’ that 2022 would see decreasing investment in legacy infrastructure and data-centre technologies, application modernisation, and enterprise resource planning.

Resolving the tension between investing in cybersecurity and investing in business change requires efforts to improve what Gartner has termed the ‘composability’ of the organisation: the mindset, technologies, and operating capabilities that enable organisations to innovate and adapt quickly to changing business needs.

High degrees of composability have been linked with better business performance—63% of CIOs at highly-composable organisations reported superior business performance over the past year—but with just 4% of Australian organisations rated as highly composable, Rowsell-Jones said, businesses had a lot of work to do before they can make up for cybersecurity’s short-term revenue drain.

Australian leaders tend to think of business composability as being an IT thing, instead of a mindset change across the business,” he added, noting that

being a composable business means investing in flexibility and agility, putting in place a modular structure that enables assets to be reconfigured to suit conditions. This offers enormous value, but there’s a lack of pressure for organisations in ANZ to change.”