Published on the 06/07/2023 | Written by Heather Wright

Cybersecurity as a changemaker as NZ battles for Cert…

Cybersecurity is being used successfully by some organisations not just to protect their business, but as a differentiator to drive revenue growth, market share and improved customer satisfaction.

New research from Accenture shows that organisations who closely align their cybersecurity programs to business objectives are 18 percent more likely to achieve target revenue growth, increase market share and improve customer satisfaction, trust and employee productivity.

Those companies are also 26 percent more likely to lower the cost of breaches.

“Cyber transformers demonstrate that they are better equipped to drive successful business outcomes.”

The report, which covered 3,000 security and business executives globally, identifies ‘cyber transformers’ – the 30 percent of companies who embed key cybersecurity actions into their digital transformation efforts and apply strong operational practices across the organisation and reap the benefits.

In practical terms, they are companies that excel at integrating cybersecurity and risk management, have their cybersecurity operations and executive leadership in agreement on protection priorities, and consider cybersecurity risk to a great extent when evaluating overall enterprise risk. Seventy-three percent of the cyber transformers said they involved the cybersecurity team from the start of business planning.

In addition, they lean on cybersecurity-as-a-service in order to enhance operations and address talent shortages, and automation – 98 percent said they relied ‘heavily’ on automation versus just 57 percent of other respondents.

The cyber transformers were also more likely to incorporate their ecosystem or supply chain partners into their incident response plan and require them to meet strict cybersecurity standards.

Jacqui Kernot, Accenture ANZ security lead, says the accelerated adoption of digital technologies like generative AI, combined with complex regulations, geopolitical tensions and economic uncertainties, is testing organisations’ approach to managing cyber risk.

“In this rapidly changing environment, business leaders need to embed cybersecurity into the fabric of their digital core transformation efforts to become cyber resilient,” Kernot says.

“This is one of the key differentiating traits of cyber transformers, who demonstrate that they are better equipped to drive successful business outcomes.”

The report says digital transformations are nearly six times more likely to be effective if companies incorporate three key actions into their efforts:

• Require cybersecurity controls before all new business services and products are deployed
• Apply cybersecurity incrementally as each digital transformation milestone is achieved
• Appoint a cybersecurity representative as part of the core transformation team who orchestrates cybersecurity across all transformation initiatives.

On the flip side, the State of Cybersecurity Resilience 2023 report found that when it comes to embedding security controls, 18 percent of survey respondents deployed them after they’ve finalised their transformation effort – and only if vulnerabilities are detected. A further 48 percent implement security controls only for critical functions, balancing speed and risk management.

“By converting cybersecurity from an incident-driven reaction into part of the fabric of transformation efforts, organisations can not only boost cybersecurity resilience, but also position themselves to reinvent the whole enterprise and set a new performance frontier, safely,” Accenture says.

The report comes as ‘cybersecurity stocktake’ of Australia’s financial sector highlights weaknesses in supply chain security for the sector.

Prudential supervisor APRA says it has identified a range of common control gaps amongst the banks, insurers and superannuation trustees assessed so far, including supply chain security issues and limited internal audit reviews of information security controls.

“Early findings from an expansive APRA study on cyber resilience in financial services show there is a need to raise the bar,” APRA says, adding that it is rigorously targeting areas of non-compliance.

Many of the issues highlighted relate to the third party risk, with APRA noting that information assets managed by third parties are ‘not fully identified and classified and, in some cases, not identified at all’.

“Without proper identification and classification it can be difficult for entities to determine the appropriate information security controls to protect critical and sensitive data from unauthorised access or disclosure,” APRA notes.

And in other cybersecurity news this week, news the New Zealand’s government is considering folding cybersecurity agency Cert NZ into the Government Communications Security Bureau has prompted a call from some cybersecurity leaders to put a hold on the decision until a full and transparent review across all stakeholders can be conducted.

CISO Lens, an industry body for cybersecurity executives across Australia and New Zealand, held a meeting last week and says none of the attendees were in favour of the move, believing it will degrade the capability of Cert NZ.

CISO Lens is instead calling for a ‘Ministry for Cyber’.