Australian CEOs Struggling to Face Cyber Risk Realities
Research has found 91% of CEOs view IT security as a technical function that’s the CIO or CISO’s problem, meaning IT leaders have more work to do to engage senior executives and boards.
Fear and the more technical aspects of cybersecurity are still stopping Australian CEOs from engaging more deeply with cybersecurity risks, despite a string of high-profile cyberattacks that have hit Australian brands, including Optus and Medibank and millions of their customers.
New research from consulting firm Accenture found that only one in five (19%) of Australian CEOs are currently dedicating board meetings to discussing cybersecurity issues, while 34% think cybersecurity isn’t a strategic matter and requires episodic rather than ongoing attention.
The results indicate that, despite a rise in data breach costs in Australia and a fast-changing threat landscape, including a potential escalation of social engineering attacks due to generative AI, local CEOs are not taking an “always on” approach to assessing and mitigating cyber risk.
IT leaders can play a role in increasing cyber risk engagement by talking in a language CEOs understand, engaging with boards of directors worried about their own liability and being clear on what best practices and investment levels they should target in their organizations.
Accenture’s Australian findings, drawn from a survey of 1,000 CEOs in large companies around the globe for its The Cyber-Resilient CEO report, show that 91% of CEOs still believe cybersecurity is a technical function that’s the responsibility of the CISO or CIO, not theirs.
Only one-third (28%) of Australian CEOs strongly agreed they had deep knowledge of the evolving cyberthreat landscape they were facing. At the same time, 93% lacked confidence in their organization’s ability to prevent or mitigate future cyberattacks.
Accenture Security Director for Australia and New Zealand Jacqui Kernot told TechRepublic that despite the risks and costs associated with being a victim of a cyberattack, cybersecurity was still not being given the level of attention it should be at the CEO level.
“It is quite frightening that even after all the noise in the press, the really visible breaches, we still haven’t had that leaning in and uplift from our CEO population,” Kernot said. “My view is we really need to think about why that hasn’t shifted so much and how to empower our CEOs.”
The IT security function had become a “black art” that was full of mystery and fear for outsiders, including nontechnical CEOs, Kernot said. CEOs not engaging with cyber risks were just like people taking their PC to a technical expert to get it fixed, rather than fixing it themselves.
The technical nature of security and the language of security experts could overcomplicate building awareness around cybersecurity, Kernot said. That said, a new generation of digital natives who understand tech are helping to build cultural change and could help engage CEOs.
Recent high-profile breaches and expanding regulation and penalties had put the majority of CEOs into a “mild form of panic,” Kernot said. She said no CEO wanted to be on TV managing a data breach, and there was recognition of how such an event could impact share prices.
Discomfort was causing some CEOs to lean in and increase their cybersecurity knowledge. However, Kernot said that, as demonstrated by the survey results, there were many who were “... quite terrified and lean back because it is something that they don’t understand.”
CEOs will need to take on more ownership of cybersecurity risks in the future. But CIOs and CISOs may need to work to make this happen. They’ll need to demand more of an audience with the CEO to progress best practice cybersecurity agendas within their organizations.
Kernot said there were a range of things that could support greater security awareness at the top. This could include giving CISOs a direct line to the CEO and board, rather than through a CIO, to ensure reporting of cybersecurity was being given the attention it now warrants.
Kernot recommends that IT leaders look at best practice approaches such as NIST maturity assessments or Australia’s Cyber Operational Resilience Intelligence-led Exercises Framework for financial institutions to establish what the gap was for their own organization.
This would enable CIOs and CISOs to become clear on the uplift they needed from their CEO. If the CEO then decides not to fund it, at least it would be clear IT leaders knew there was a problem and tried to mitigate it, rather than being blamed for it, Kernot said.
“If you are not clear what you need, your budget and what the risks are if you don’t get it, then you risk being a part of the problem,” said Kernot. “You need to be proactive in your recommendations around what needs to happen. You need to be clear what is needed to get the job done.”
Security professionals should minimize jargon — such as talking about “attack surface management” — and communicate in terms CEOs and boards understand. This would include terms such as managing risks, reducing costs, streamlining and increasing visibility in the event of a crisis.
Kernot said this shift was about understanding complexity and helping CEOs manage it without overcomplicating it.
“It’s really thinking about what the CEO is considering and what their job is to manage and how you fit your work into what they manage,” said Kernot.
According to Kernot, CIOs aiming to communicate better with CEOs should distill their message down to statements such as:
CISOs will find interested allies in boards, Kernot said, who were now “absolutely worrying” about cybersecurity. The Australian Securities and Investments Commission has recently warned it would go after boards; regulations such as CPS 234 for APRA-regulated entities place information security responsibility on boards.
“I haven’t met a board director not worrying about this and their personal liability, and they are doing their own homework,” said Kernot. “As an IT professional, you have the opportunity to direct and lead their thinking and get the business to where it needs to be.”
Kernot said IT leaders who were not spending time in front of the board and CEO in this environment were missing an opportunity.
“They are all worrying, and you are either helping them feel more comfortable or letting them freak out about it in your absence,” said Kernot.
Cybersecurity simulations are one of the most effective and cost-effective ways of increasing board- and executive-level engagement in cybersecurity. Kernot said organizations that do them are likely to get better at funding uplifts in cyber budgets as they get people “really interested.”
“Cyber security simulations are uncomfortable. They get you out of your comfort zone,” said Kernot. “What you want to do is make sure that the board of directors leave feeling uncomfortable and worried, thinking about how to manage that risk in the future.”