Spending smarter, not more on cybersecurity resilience
Cybersecurity budgets in Australia are rising fast. But according to new research by Accenture, the key to cybersecurity success lies not just in total spend – but also how wisely budgets are spent. Mark Sayer, APAC Cyber Defence Lead at Accenture, explains why.
Cybersecurity budgets in Australia are up. Accenture's new report, State of Cybersecurity Resilience, revealed that 84% of companies are spending more money to combat cyber threats, and 20% have expanded their budget by more than 10%.
While most organisations today invest hard work and real money in protecting themselves, our experience shows that only a handful of control failures can undo it. And because 76% of respondents said staying ahead of threats is a battle they can't afford in the long term, effective – not just expensive – security investment is key.
Cybersecurity can often be seen by the business as a blocker. However, the research found that some security leaders are working closely with their businesses to strike a workable balance – we call these organisations ‘Cyber Champions’.
Although Cyber Champions demonstrate strong security resilience, they’re not necessarily the companies that spend the most. The secret is that, when compared to other organisations, Cyber Champions view cybersecurity in a fundamentally different way – more as a risk of doing business as opposed to a compliance issue.
Closer together
The alternative view started when the CISO was made a critical part of the business conversation, rather than the head of a department buried deep within the technology practice. Those that did it best had a closer relationship with the CFO, CEO and board. They were more trusted and had more autonomy.
Only 19% of Cyber Champions said their cybersecurity expenditure had to be approved from higher up than their direct reporting line. Those closer relationships help align the security strategy to the broader business goals.
On the other hand, companies that took a more traditional approach, with stricter security mandates but weaker alignment with business strategy, didn't perform as well as Cyber Champions on the number and impact of cyber incidents, despite often investing more.
Our research also found that understanding and perceptions of organisational cyber resilience tended to differ between cybersecurity executives and non-cybersecurity executives. Cybersecurity executives felt that they had a much better handle on security threats than their non-security counterparts believed they did. Conversely, the non-security executives felt that security was better funded than the security executives did.
This disparity suggests a lack of shared understanding about the security mission across the leadership spectrum and further supports the idea that security leaders can be more effective when they are more closely aligned with their business.
Establishing a company as a ‘Cyber Champion’ is certainly not a simple undertaking, but the results speak for themselves. Companies that do cybersecurity well take a holistic view, aligning security at every point along the chain of transactions with customers, suppliers and beyond. Simply spending more on cybersecurity can be like throwing good money after bad: there is no evidence that you will get a better result, and it is not sustainable in the long term.
As the threat landscape continues to deteriorate and the cybersecurity industry matures, security leaders need to evolve beyond IT operations and take a seat at the table with the business leadership.
Like a CFO, CEO or CIO, security leaders need to be clear on their business objectives; they need to educate their business, listen carefully to their colleagues and establish a security strategy based on business outcomes, not the latest technology widgets or following what everyone else is doing.
Proven results
According to our research, Cyber Champions stopped more attacks, found and fixed breaches faster and experienced less damaging impacts. Those at the top of their game spent an average of $294,000 less per cyberattack – around half what the next best performers did.
Cybersecurity resilience requires continued investment; that much is certain. But the Cyber Champions of our industry show us that wiser investment and a closer working relationship with business leaders can deliver better outcomes, more cost-effectively, than a compliance-led or policy-based approach.