Originally published in Information Age

Businesses must triage their critical data and accept that they can’t always protect it all from cyber security compromise, cyber security experts have warned as new research finds most Australian businesses dealt with up to ten cyber security incidents last year.

Nearly three-quarters of companies said they had suffered 10 cyber incidents and 40 per cent reported increasing cyber threats during the last year, Deloitte’s 2021 Future of Cyber Survey study found.

This had driven growing investment in security, with 64 per cent of respondents listing better data-security capabilities as their first priority over the next three years– followed by bolstering privacy capabilities (59 per cent) and better compliance (50 per cent).

Executives’ cyber awakening was tied to the growing exposure of digital transformation, which was rapidly accelerated last year by 69 per cent of boards of directors as they fought to survive a pandemic in which Australian businesses reported a new cyber attack every 8 minutes.

Transformation – including the modernisation of core finance, HR, manufacturing and other business systems by moving them to cloud platforms supported by remote-working and mobile workers – has exacerbated data’s exposure as companies’ hunger for innovation outpaces their ability to protect the data flowing within and between those systems.

Despite these threats, however, 93 per cent of global executives said they would continue investing in digital transformation.

Faced with the need to progress at any cost, said Deloitte global clients and industries leader Simon Owen, many executives would be forced to accept what might have seemed an unthinkable conclusion in the past: not everything can be saved.

Absolute security is an unrealistic nirvana,” Owen explained. “Leadership must make intelligent risk-based decisions on what to protect, and what assets are less important.”

Companies must “make these decisions swiftly,” he added, “then continually reassess them as the environments inside and outside organisations aren’t standing still.”

 

Two thirds of CISOs meet with CEO just twice a year

In a regulatory climate where directors are increasingly being held responsible for cyber security attacks, accepting cyber security breaches as inevitable is a big conceptual step – and simply spending more on security isn’t the solution.

Directors must work with company executives at every level to break down operational ‘silos’ that had left different business units with different levels of cyber security protection.

Developing a truly effective cyber security culture, Deloitte said, requires the empowerment of chief information security officers (CISOs) that have historically struggled to extend their influence outside of the IT organisation.

“Once cyber permeates an enterprise, it’s imperative to reposition where the CISO sits in the organisation chart,” the report noted.

Closer relationships to the CEO enhance the CISO’s ability to understand business priorities and to have visibility into innovations as they occur.”

[It] enables the cyber team to ensure necessary requirements, technical solutions and controls can be built into innovation initiatives from the ground up. This not only minimises risk at the outset but risk of overall product and service development.”

Despite the strong case for ubiquitous cyber security, a recent ADAPT survey found, two-thirds of CISOs said they only meet with their CEO twice per year at most – and 15 per cent never meet with their CEO.

Although a similar percentage reported increasing cyber security budgets, ADAPT senior research strategist Aparna Sundararajan warned that “new funding is encouraging, but we need more executive sponsorship of initiatives to fast-track cyber security awareness…. [this] is only possible through more face-time between security teams and senior leadership.”

Although many businesses are getting better at evaluating and sharing information about risk, Michael Daniel, president and CEO of threat-intelligence group the Cyber Threat Alliance, told Information Age the time for prevarication was long over.

“If you’re going to live in a digital environment and a digital world, then cyber security is not just an afterthought,” he said.

It’s actually the thing that makes it possible for you to deliver the products or services that your business in business for.”

Financial services companies had “taken this and run with it” but other industries were catching on, Daniel said, noting the success of complex multinationals like Johnson & Johnson in integrating information security across every business unit.

Really wrapping your mind around that is a real mindset change that many different sectors have started to go through,” he said. “Some are far ahead, but other sectors are really coming around to that view too…. It represents a real change in how they think about security.”