Should Australian CISOs be wary of creeping confidence?
With the elevated risk and upheaval of the pandemic now firmly in the rearview mirror, many of Australia’s businesses feel they are getting back to “business as usual.” This perceived return to the “norm” has brought about a change in attitude among security leaders.
So much so that the recent 2023 Voice of the CISO report, Proofpoint’s global survey of 1,600 CISOs, found that just 53% of those in Australia feel at risk of experiencing a material cyber attack in the next 12 months. This figure is considerably lower than in recent years, with 68% and 72% sharing the same sentiment in 2022 and 2021, respectively.
Further underlining this newfound optimism is the similar finding that just 56% of Australian CISOs believe their organisation is now unprepared to cope with a targeted cyber attack, a decrease of 21% since 2022.
While the nation’s CISOs may be correct in their assessment that the world of cybersecurity is somewhat less tumultuous than in previous years, any complacency is almost certainly misplaced.
Another year of high-profile ransomware attacks has brought about national emergencies and widespread devastation among some of Australia’s largest businesses. At the same time, economic uncertainty has taken its toll on the cybersecurity budgets required to keep pace with an evolving threat landscape.
New ways of working accelerated by COVID-19, from growing remote workforces to flexible working and high staff turnover, are also causing increasing headaches for CISOs across the country. So, rather than relax into the post-pandemic “new normal,” Australia’s security leaders must ensure they remain vigilant and prepared to defend against another set of challenges that have arisen in its wake.
The people paradox
A particularly intriguing area of misplaced confidence among Australian CISOs concerns that all-important line of defence, our people. Despite people remaining pivotal to the success of most cyber attacks, fewer security leaders, just 53%, view human error as their organisation’s biggest cyber vulnerability. That’s down from 76% last year.
At first glance, it’s tempting to put this apparent faith in users down to increased security awareness during the disruption caused by the pandemic. However, another finding quickly eliminates this school of thought. Rather worryingly, while most Australian CISOs do not see people as their top risk factor, only a little over half (53%) believe that employees understand their role in protecting their organisation from cyber threats.
Several more findings also undermine the view that human risk is not the most pressing issue facing Australian businesses. When asked to assess the most significant threats faced in 2023, CISOs called out cloud account compromise and ransomware, both of which frequently rely on user involvement.
To compound matters, most CISOs admit that the loss of sensitive data is exacerbated by employee turnover. The rising cost of living and a greater focus on work-life balance have contributed to one in three Australian workers switching jobs in the last two years – and when staff leave, data often leaves with them.
Over two-thirds (69%) of Australian security leaders reported dealing with a material loss of sensitive data in the past 12 months. Of those, 70% agreed that employees leaving the organisation contributed to the loss.
Feeling the strain
Employees walking out the door with company data, whether carelessly or maliciously, is not the only pressing concern for Australian CISOs. This year, many more report being strapped for resources, with 47% saying the recent squeeze on the economy has negatively impacted their cybersecurity budget.
This is perhaps one of the reasons why so many feel out of step with their fellow board members. Just 47% of CISOs say they see eye to eye with the rest of the C-suite on cybersecurity issues – a slight decrease on 2022 (58%) but up from 47% in 2021.
These fractured relationships, shrinking budgets and mounting pressure are leading many to feel that the role of CISO is unsustainable in the current environment. Approaching two-thirds (58%) say they face unreasonable job expectations, with half reporting burnout in the past 12 months and 54% expressing concern about their exposure to personal liability.
The modern CISO may have good reason to fear the latter. In a landmark ruling last year, Uber’s former chief security officer was found guilty and sentenced to probation in the U.S. for his role in a major data breach. Meanwhile, here in Australia, a recent discussion paper issued by the Department of Home Affairs raised the possibility that “a voluntary standard could be considered by a court when determining whether failures relating to the oversight of cyber risk constitutes a breach of directors’ duties.”
Building a defence fit for today – and tomorrow
It is, of course, understandable that Australia’s CISOs are feeling a little more confident in their security posture from the other side of the most challenging years in living memory. Most organisations now have greater faith in their ability to secure remote and hybrid setups and more trust in their people to work in these environments.
However, this confidence must not lead to complacency. We face many more threats, from record levels of staff turnover and shrinking budgets to increasingly tenacious cyber criminals with access to more tools and time-tested techniques than ever before.
We can all breathe a sigh of relief that cybersecurity has returned to something approaching normal. But the onus is now on CISOs to join the dots between human risk and employee awareness, strengthen bonds with the board, and ensure they have the resources to defend against the threats they still face every single day.