Aussie security leaders call for more cyber visibility
A study published by Tenable, Inc. has revealed that 94% of Australian security leaders have been asked by top executives to report on their organisation’s level of exposure to a specific threat or publicised vulnerability. However, 70% are only somewhat confident in their ability to report on their level of security or risk when asked.
Coinciding with Australia’s Cyber Security Strategy 2020, this study indicates that business leaders of critical infrastructure and systems of national importance may be subject to regulatory penalties if they don’t equip security teams with the right tools to measure and communicate cyber risks.
The self-reported data is drawn from the Australian instalment of ‘The Rise of the Business-Aligned Security Executive’. The commissioned study of 105 businesses and cybersecurity leaders in Australia found that 92% of Australian organisations experienced a business-impacting cyber attack in the past 12 months.
Additionally, 73% of those attacks involved operational technology (OT) assets. Some of the attacks came in the form of fraud (45%), COVID-19 phishing incidents (44%), data breaches (43%), ransomware (39%) and software vulnerabilities.
The study also found that 67% of business leaders said their security counterparts are only “somewhat effective” in communicating threats that post the greatest risk to the organisation. This finding, coupled with the rise of business-impacting cyber attacks, questions the level of visibility organisations have into their most critical assets to make risk reduction decisions.
Scott McKinnel, ANZ Country Manager for Tenable, said it’s encouraging that many Australian business leaders are prioritising cybersecurity as a critical business function.
“In order for executives to make appropriate risk-informed decisions, security leaders must be able to communicate cyber risk in business terms. Failure to do so will surely result in further business-impacting attacks with the possibility of impending regulatory penalties,” McKinnel said.
The study highlights areas of improvement for security leaders to effectively communicate cyber risk to executives. This includes holistic visibility of business-critical assets. Only six out of 10 security leaders reported that they have “high or complete” visibility into their organisations’ IoT and operational technology (OT), while only 30% have visibility over third-party vendors. As a result, few security leaders have a holistic understanding of their organisations’ modern attack surface.
Security metrics that speak to business risk; four out of 10 Australian security leaders say they work with business stakeholders to align cost, performance and risk reduction objectives with business needs. Fewer than 50% state they use contextual threat metrics to measure their organisations’ cyber risk.
Predictive business risk context for incoming threats; 40% of Australian security leaders aren’t confident that they have the technology, processes or data to predict cybersecurity threats. This could be due to a lack of automation technologies since three out of 10 security leaders say their organisations still manually review spreadsheets to track cybersecurity performance.
The research highlights that a lack of visibility is undermining security leaders’ ability to analyse and combat cyber risks, while most security and business leaders aren’t working together to align security and business performance metrics.
“To effectively manage an organisation’s strategic approach to cyber risk, Australian security leaders should be using risk metrics, cost and performance indicators — the language executives understand,” McKinnel said.
The ACSC's Annual Cyber Threat Report found that cyber threats reported to the agency grew...
Two-thirds of IT security professionals in Australia reported an increase in both their...
Automated bots now account for nearly two-thirds of internet traffic, and are used for a variety...