become a reason to not allocate appropriate resourcing or commit to a regular cadence of upgrades of cybersecurity systems .
Home Affairs has also similarly received feedback ‘ that company boards will sometimes de-prioritize cybersecurity as a business risk ’ due to the inherent difficulty estimating ‘ the likelihood and consequence of a cyber incident and therefore the optimal level of cybersecurity investment .’
A more recent driver for executive and board-level buyin in Australia is the move to elevate and establish a higher degree of accountability for cybersecurity at the director and C-level .
We ’ ve seen elements of this incorporated into the banking executive accountability regime or BEAR , and with the CPS 234 prudential standard that targets resiliency against information security incidents in Australia ’ s regulated financial sector .
Still , maturity is a little way off . A recent review of CPS 234 found ‘ little evidence of boards actively reviewing and challenging the information that senior management has provided on cyber topics .’
“ The need for boards ’ on-going due diligence in the cyber area is greater than ever ,” the review states . “ Boards need to play a more active role in reviewing and challenging information reported by management on cyber-resilience ; ensuring their entities can recover from high-impact cyberattacks ( e . g . ransomware ); and ensuring information security controls are effective across the supply chain . Boards have a greater role to play .”
While finance-specific , this advice is likely to be applicable to boards across a number of different industry sectors .
How leaders are spending
Executives that accept their crucial role in cybersecurity – and in funding and resourcing it – may be interested to know how their forward-thinking peers are allocating attention and budget .
Network detection and response ( NDR ) technologies are increasingly used by enterprises to improve vulnerability scanning and patch management , to identify assets at high risk and to reduce the potential for delays to patching them . Just over one-third of Australian businesses already have NDR systems in place , and an additional 40 % say they intend to invest in such systems this year .
Our research also finds that 47 % of respondents plan to implement a social engineering strategy in 2022 ; 46 % plan to implement staff threat training , and the same proportion plan to improve the speed of threat identification ; and 40 % plan to increase or recruit dedicated internal security staff .
Cybersecurity does not stand still and neither do the leading teams . It is imperative that those teams remain properly resourced if cyber-risks are to be kept in check . p
46 INTELLIGENTCIO APAC www . intelligentcio . com