CIO

The delicate balance between priority and performance in cybersecurity

by Christopher Smith, Executive Director, Business Technology Services, Telstra

Normally, security teams spend their days busily defending their organisation against vulnerabilities and malicious actors.

But the scale of the security threat against business is leading organisations to reconsider their traditional role. And desperate times often lead to desperate measures.

Komodo, a crypto platform, recently took that trend to a drastic conclusion. Upon discovering a vulnerability in their infrastructure, the team took the decision to hack their own system before an attacker could do the same thing. By hacking themselves, the company saved more than 8 million of its coins (valued at around $1.60 each).

While their quick thinking mitigated losses in this instance, looking at the wider security outlook underlines the job our industry has to do.

The Australian organisational security landscape

To better understand the challenges modern organisations face, it’s important to have a strong snapshot of the modern security landscape.

The ubiquity of cyber-threats in the Australian corporate sector is alarming. Telstra’s 2019 Security Report revealed almost two thirds of all businesses in Australia (65 per cent) were interrupted by a breach in the past 12 months.

And even a figure that high may be optimistic. Our research found that 89 per cent of businesses in Australia suggested they have likely had some breaches go undetected.

In large part this is due to having to deal with a much broader security landscape when managing cyber and electronic security. As more and more devices become connected, the security footprint grows wider. The proliferation of new technologies can improve end-to-end visibility and management of risks, but they also create new threats.

It’s an issue most businesses actively recognise.

More than half of companies (57 per cent) pointed to their electronic security devices and systems as presenting a ‘high’ to ‘very high’ cyber security risk to their organisations. Globally, companies pointed to the impact of new technologies as among their top two security challenges, alongside the ability to detect and respond to incidents.

The new normal

Yet, simply recognising the need for increased security is not necessarily addressing the issue.

New Telstra research, titled Disruptive Decision-Making, found that the decisions organisations are making when implementing their digital transformation programs are having a significant effect on their ability to secure their businesses.

In fact, the research found that organisations around the world – including Australia – showed a significant gap between the prioritisation of security and their actual performance on those priorities.

When we asked Australian businesses to rate their top digital transformation priorities, ‘protecting digital assets from cyber threats’ ranked first above all 17 other criteria.

Yet, their actual performance when protecting digital assets ranked among the lowest – 16th out of 17. Only making their organisation more agile saw worse results.

Similarly, Australian organisations ranked ‘protecting, detecting and responding in real-time to events’ as their sixth most important digital transformation priority – ahead of outcomes like improving employee effectiveness and improving customer engagement. Yet performance was once again considered weak, ranking 15th out of all 17 priorities.

The reality is companies everywhere are recognising the importance of cyber security but are struggling to manage it effectively.

Helping hand

The gap between priority and performance is made more significant when we look at the scale of investment.

The Telstra Security Report found 84 per cent of Australian organisations are now spending up to 20 per cent of their overall IT budget on security. That figure is set to increase, with 60 per cent reporting their budget will increase as part of the overall ICT budget.

So, how can companies reduce the performance gap to improve their security outcomes?

Our decision-making research found that Australian organisations are relying heavily on their understanding of technology when they make digital transformation decisions. Yet, digitally mature companies who are delivering successful outcomes are instead focusing on people, partnerships and processes – rather than technology alone.

In fact, taking advantage of external expertise to create an appropriate security and risk environment is critical to aligning technology with people, processes and partnerships.

Security awareness programs are one solution, if handled effectively. A traditional approach may be to overwhelm employees with information in lengthy policy documents and annual assessments, but this can be ineffective at driving engagement and awareness.

Understanding the needs and motivations of your employee base is a critical first step. Every employee is unique and awareness programs must be tailored to suit the needs of the specific audience they are addressing.

Awareness and confidence

Taking a wider view of security to incorporate people, processes and partnerships as well as technology is a key first step toward reducing the performance gap when it comes to security.

But ultimately, there is no cheat sheet for effective security; rather, there are small steps every organisation can focus on, including security awareness programmes and similar foundational activities.

As we see more threats via more connected devices and more motivated malicious actors, companies need to stay vigilant to ensure that their businesses are securely managed, for the long haul.