Published on the 23/11/2021 | Written by Heather Wright
Intelligent risk-based decisions needed on what to protect…
“You’ve got to know when to hold ‘em; know when to fold ‘em” could be an apt mantra for cybersecurity executives, with Deloitte dismissing the notion that all data can be secured and instead warning executives to decide what’s critical and what isn’t.
“Absolute security is an unrealistic nirvana,” says Simon Owen, Deloitte global clients and industries leader, in the Deloitte 2021 Future of Cyber report.
Seventy-two percent of the nearly 600 global C-level executives surveyed for the report said their organisations experienced between one and 10 cyber incidents and breaches in the past year.
In Australia the ACSC received more than 67,500 cybercrime reports in the year to July – that’s one report every eight minutes. The latest report from CERT NZ, meanwhile, shows the agency responded to more than 1,350 cyber security incidents in Q2.
Unsurprisingly, the Deloitte report notes the impact of digital transformation as a factor in the increase in cyberattacks, with 69 percent of global leaders – consistent across all geographies – saying they’ve noted a significant increase in attacks.
But that increased threat isn’t deterring them from continuing to invest in digital transformation and cloud migrations. In fact, 94 percent of CFOs surveyed said they’re looking to move their financial systems or ERP to the cloud.
That transformation, along with the dramatic expansion of remote work in the face of Covid-19, has dramatically increased the attack surfaces.
Ian Blatchford, Deloitte Australia cyber leader, says now, more than ever, responsibility needs to shift upwards.
“Organisations that don’t incorporate cybersecurity into every aspect of their businesses increase their vulnerability to attack, so it’s critical to have visibility to manage that risk, balance proactive and reactive responses and to fully empower the CISO,” Blatchford says.
But that doesn’t mean you can secure everything.
“Leadership must make intelligent risk-based decisions on what to protect, and what assets are less important,” Owen says.
Those decisions need to be made swiftly, he warns, with continual reassessment as environments inside and outside the organisation change.
It’s a view echoed by NZTech chief executive Graeme Muller, who says no company has the resources to fix all cyber issues, and not all fixes are equally important.
“It is only by starting to identify activities that are important to a business, and understanding how attacks could disrupt them, that one could start to prioritise the process of risk mitigation,” Muller says.
“We’re at a crossroad where cyber resilience has become a defining mandate of our time, to anticipate future threats, withstand, recover from cyber attacks and adapt to future digital shocks.”
The Deloitte report also highlights a ‘clear plurality’, with 41 percent of CIOs and CISOs saying that transformation and gaining visibility across increasingly complex hybrid ecosystems is the greatest challenge they face.
And the key to better risk mitigation, resilience and customer trust? A cyber-conversant board, an empowered CISO, a zero trust mindset and data responsibility, the report says.
“It is vital that boards assess cyber risk in terms they can understand. They need to be able to compare cyber threats to risks they are experienced at handling. Analysing cyber risk profiles should be as familiar as grasping the health of their balance sheet,” the report says.
Matthew Holt, Deloitte Cyber global cyber strategy and transformation leader, says the main objective for C-suite and board members must be gaining a full understanding of the actual risk that digital transformation is exposing their companies to, as well as having the levers to manage that risk on a level playing field with all other types of risk.
So how are CISOs planning their cyber budgets? According to the report, budget is spread evenly across various cyber programs.
Across the globe, greater attention is being given to threat intelligence, detection and monitoring, cyber transformation and data security, with investment in scaled cyber solutions in and for the cloud, cyber and technical resilience, and artificial intelligence-driven threat assessment and identification.
Collective global spending has now reached $145 billion a year and is predicted to exceed $1 trillion by 2035, according to the World Economic Forum.