How Australian execs bolster cyber defences with AI and strategic budgets
Learn how Australian CISOs tackle cyber security challenges, leverage AI, and strategically allocate budgets to boost organisational resilience.
In the past two years, the severe data breaches at Latitude, Medibank, and Optus have awakened CEOs and Boards across Australia to the critical need for robust cyber security measures.
These breaches have shown the extensive financial and reputational damage that can occur, making cyber security a top priority for organisations nationwide.
The announcement in early June that Medibank is being sued by the Australian Information Commissioner and potentially facing fines in the trillions for its 2022 cyberattack has sent shockwaves through corporate Australia.
This development reinforces the urgent need for comprehensive cyber security strategies.
Amid these challenges, Australian CISOs and CIOs are collaborating more closely than ever to build secure and trustworthy environments by design.
This concerted effort is reflected in the top five business outcomes CISOs and CIOs are expected to achieve this year.
ADAPT’s Research and Advisory clients can access the full report on The state of cyber security in Australia 2024.
The Role of AI in Cyber Security
Artificial Intelligence (AI) is revolutionising cyber security operations, and understanding its impact is crucial for modern organisations.
Automating Tasks to Empower Australian Cyber Teams
Since 2023, AI solutions have fundamentally augmented and bolstered organisations’ cyber capabilities.
They address skills gaps by automating low-value, time-consuming tasks and enabling cyber teams to focus on higher-value activities.
Almost one quarter (24%) of CISOs surveyed by ADAPT say they have already deployed AI initiatives, while a further 72% are planning or piloting AI initiatives in 2024.
Only 4% discourage the adoption of AI, indicating a broad recognition of AI’s potential benefits.
Australian CISOs surveyed by ADAPT this year identified insufficient time and resources as the number one barrier to getting the job done.
These AI tools can provide much-needed resourcing support for cyber teams under pressure to produce results.
Insufficient executive support and budget to secure the organisation follow.
Addressing Resource Shortfalls with AI Integration
Despite AI’s promise, many CISOs still lack the resources needed to provide high cyber protection to their organisations.
Two-thirds (66%) of security leaders surveyed by ADAPT say they lack the resources to deliver a world-class security service.
More than half (52%) need an increase in budget of less than 20%, with almost one-fifth wanting between 41% and 60% and a similar number wishing to double their resources.
Additionally, CISOs must be aware of AI's 'double-edged sword' nature. Criminal gangs are weaponising these tools, increasing their productivity in creating more complex and harder-to-detect attacks.
This heightens cyber risk further and shifts the balance in favour of cyber criminals, particularly given that only 29% of the CISOs surveyed by ADAPT believe they are mature enough to safeguard AI models against cyber threats.
Shaping AI Strategy and Improving Data Governance
Given AI’s rapid development and adoption across businesses, CISOs are increasingly influencing AI strategy within their organisations.
More than half (52%) say they are strategic advisers, 34% are consulted occasionally, and only 14% are still viewed as order takers/followers.
Organisations that are more prepared and mature around AI typically exhibit higher levels of cyber preparedness and overall resilience.
ADAPT’s latest CIO survey found that of the tech executives unprepared for AI, only 58% are seamless at cyber security and resilience.
Conversely, of those executives who are prepared for AI, 83% are seamless at delivering cyber security and resilience. A robust security and resilience strategy can make an organisation more AI-ready and vice versa.
Any success that CISOs have with AI will depend on the quality of their organisations’ data.
Despite some progress in data strategies over the past year, CISOs, like their CIO counterparts, must be more mature in many areas of the data stack.
Even though 15% of their budget is spent on securing data, most CISOs report that their organisations still need a mature data culture underpinned by good governance and policies.
More than half (56%) of the 103 Australian CISOs surveyed by ADAPT in April 2024 say they are unable to stop data leakage.
Additionally, 51% report a lack of accountability across their organisations for improving data maturity, and almost half (47%) say they need to be more mature in defining data ownership. Furthermore, 45% need more organisational maturity to protect intellectual property.
These results indicate a critical need for more funding to invest in the data literacy of end users.
Improved data literacy can enable organisations to use advanced AI tools more effectively, supporting their data strategies and driving AI projects.
An ADAPT report (April 2024) outlines practical steps needed to elevate data governance, literacy, and culture for AI.
Addressing these challenges will be crucial for organisations leveraging AI fully and securely in their cyber operations.
Allocating Cyber Budgets to Strengthen Security
CISOs have provided ADAPT with detailed insights into how they are allocating their cyber budgets this year.
Approximately $16.1 million, or 73% of their total budget, is spent protecting mission-critical assets.
The largest portion of these budgets is dedicated to infrastructure protection, with nearly one-quarter (23%), or $5.1 million on average, used to replace ageing cyber systems and applications.
Infrastructure remains the most extensive area of expenditure due to its high costs and regulatory compliance requirements. This is largely because security in legacy environments is often an afterthought rather than integrated from the start.
Focusing on Endpoint and Application Protection
In addition to infrastructure, large portions of the budget are allocated to other critical areas. Around 20%, or $4.4 million on average, is spent on endpoint protection.
Furthermore, 30% of the budget is directed towards application and data protection, supporting hybrid workforces between offices and remote locations.
Compared to 2023, Australian CISOs have increased their budgets for infrastructure, endpoint, application, and data protection by 16%, 6%, 40%, and 27%, respectively.
This shift highlights the growing need to safeguard data and modernise technology to mitigate risks associated with legacy systems.
Enhancing Regulatory Compliance and Cyber Awareness
In 2024, CISOs also allocate 27% of their budgets, or $6 million on average, to regulatory compliance, risk management, and cyber awareness training.
Recognising the risk of non-compliance, 9% of the budget ensures adherence to various regulations and policies.
An equal share is spent on risk management and cyber training, which are consistent priorities in the top outcomes, initiatives, and investment areas.
Investing in Cyber Resilience and Skills Development
As the top investment priority this year, CISOs are taking practical steps to raise awareness and enhance skills in cyber security.
Collaborating with CHROs can support this effort by attracting and retaining talent. Despite increased spending and various initiatives to strengthen cyber postures, organisations cannot guarantee immunity to cyberattacks.
Executives should invest in their ability to respond to and recover from incidents while increasing overall cyber resilience.
Conclusion
In the past two years, severe data breaches at Latitude, Medibank, and Optus have highlighted the critical need for robust cyber security measures across Australia.
These incidents have shown the financial and reputational damage that can occur, making cyber security a top priority for organisations nationwide.
ADAPT’s 2024 cyber security report reveals that Australian CISOs are directing large portions of their budgets towards infrastructure, endpoint, application protection, and regulatory compliance.