With everything we know about the threat landscape, Rohan Langdon, Vice President Australia and New Zealand at ExtraHop, asks how it is that over half of organizations have not had their cyber infrastructure updated in over a year and a half. He tells us: “A more recent driver for executive and board-level buy-in in Australia is the move to elevate and establish a higher degree of accountability for cybersecurity at the director and C-level.”
Time and speed are crucial attributes in threat detection and incident response. Yet CISOs and security teams in many organizations continue to face headwinds to securing appropriate funds and resourcing to maintain their performance against these attributes, and to secure the expanse of IT environments they monitor and oversee.
Behavioral researchers have previously tried to unpack the problem of leaders underinvesting in cybersecurity. They posited back in 2017 a series of reverse psychological and persuasive techniques they said could be employed to counter patterns of executive thinking that led to cybersecurity activities being shortchanged.
Five years on, and despite a rapidly evolved threat landscape where organizations of all sizes are routinely targeted and breached, there are still too many organizations that present as ‘weak links’ – that, even in mid-2022, are underfunded compared to their peers, use outdated tooling, live with unpatched systems and in some cases operate without dedicated security personnel. These organizations have security postures that would be considered outdated by today’s standards.
Recent research by ExtraHop shows exactly half of cybersecurity incidents in Australia are caused by having an outdated security posture. More than half (54%) of respondents last updated their cybersecurity infrastructure in 2020 or before and one-fifth of organizations have technology that has gone at least three years without being updated. Additionally, 76% state they are concerned about legacy systems being attacked.
The same study found more fundamental challenges at a smaller – though still significant – number of organizations. In particular, it found 6% of organizations in Australia do not have a dedicated internal or external security team. This may seem a low figure, but applied across all organizations it represents a very large number that lack basic cybersecurity protection. In addition, 18% of respondents weren’t clear on their role in a cyber incident or cyber emergency.
These are the kind of cybersecurity hygiene issues that would undoubtedly worry security practitioners within or associated with these organizations. Clearly there are still organizations that are not as well prepared as they could be, and where executives and boards still need to buy into cybersecurity as a discipline, posture and operational prerequisite.
Does executive accountability change this equation?
To be fair to CEOs and boards, cybersecurity has been on their risk radars for some time now. The importance of cybersecurity is constantly drilled into company executives, particularly those who ultimately sanction and fund this critical work and capability.
PwC Australia says it ‘has witnessed a material change since [2017-18] in cyber understanding and resilience at the board level.’ However, it also theorizes that cybersecurity’s longevity as a risk issue – the fact it remains a constant – weighs on executives’ attention. “There has been some fatigue around the issue,” a PwC representative said. “It’s been in the top three issues for CEOs and boards for a number of years.”
The flipside of that is that fatigue is also an issue for the frontline security practitioners that must meet cybersecurity threats day in and day out. It shouldn’t become a reason to not allocate appropriate resourcing or commit to a regular cadence of upgrades of cybersecurity systems.
Home Affairs has similarly received feedback ‘that company boards will sometimes de-prioritize cybersecurity as a business risk’ due to the inherent difficulty of estimating ‘the likelihood and consequence of a cyber incident and therefore the optimal level of cybersecurity investment.’
A more recent driver for executive and board-level buy-in in Australia is the move to elevate and establish a higher degree of accountability for cybersecurity at the director and C-level.
We’ve seen elements of this incorporated into the Banking Executive Accountability Regime (BEAR), and into the CPS 234 prudential standard that targets resiliency against information security incidents in Australia’s regulated financial sector.
Still, maturity is a little way off. A recent review of CPS 234 found ‘little evidence of boards actively reviewing and challenging the information that senior management has provided on cyber topics.’
“The need for boards’ on-going due diligence in the cyber area is greater than ever,” the review states. “Boards need to play a more active role in reviewing and challenging information reported by management on cyber-resilience; ensuring their entities can recover from high-impact cyberattacks (e.g. ransomware); and ensuring information security controls are effective across the supply chain. Boards have a greater role to play.”
While finance-specific, this advice is likely to be applicable to boards across a number of different industry sectors.
How leaders are spending
Executives that accept their crucial role in cybersecurity – and in funding and resourcing it – may be interested to know how their forward-thinking peers are allocating attention and budget.
Network detection and response (NDR) technologies are increasingly used by enterprises to improve vulnerability scanning and patch management, to identify assets at high risk and to reduce the potential for delays to patching them. Just over one-third of Australian businesses already have NDR systems in place, and an additional 40% say they intend to invest in such systems this year.
Our research also finds that 47% of respondents plan to implement a social engineering strategy in 2022; 46% plan to implement staff threat training, and the same proportion plan to improve the speed of threat identification; and 40% plan to increase or recruit dedicated internal security staff.
Cybersecurity does not stand still and neither do the leading teams. It is imperative that those teams remain properly resourced if cyber-risks are to be kept in check.