As cyber risks become increasingly prominent concerns in the C-suite and boardrooms across the globe, forward-leaning business leaders are rethinking cyber security practices and focussing on a nexus of innovative technologies that can reduce risks and improve performance.
"Boards should view cyber risks as an enterprise-wide risk management issue, not just an IT issue, and understand the potential legal impacts."
Bruce Hassall, PwC New Zealand's Chief Executive Officer
However new research we have done suggests both Australia and New Zealand are slightly behind the curve in the boardroom.
PwC's The Global State of Information Security® Survey 2016 looks at worldwide information security practices to understand how executives and industry leaders view current and future challenges related to cyber security.
Globally, 35 per cent of organisations said a chief information security executive delivers risk updates at least four times a year to the board. In Australia, this is true for 29 per cent of respondents and in New Zealand 21 per cent receive regular updates.
Board participation saw a double-digit lift worldwide (to 45 per cent). In Australia this increased to 40 per cent and in New Zealand to 37 per cent. Respondents said this deepening board involvement has helped improve cyber security practices in numerous ways.
So it may be no coincidence that, as more boards globally participate in cyber security budget discussions, they have boosted information security spending by 24 per cent over the last year gearing up to tackle the cyber security juggernaut head on.
Nevertheless New Zealand organisations in particular are falling behind the trends in cyber security spending with nearly 40 per cent of New Zealand respondents having no plans to adopt big data analytics to model for and identify information security incidents, compared with 11 per cent globally and 14 per cent in Australia.
Of those who adopted such methods globally, 61 per cent say it has improved understanding of external security threats and 49 per cent say it has improved understanding of internal threats.
Board participation opens up the lines of communication between the cyber security function and top executives and directors. With cyber incidents often leaving behind a broad swath of operational, reputational and financial damages, senior leaders have begun to address cyber security as a serious risk-oversight issue that has strategic, cross-functional, legal and financial implications.
Working towards a more coordinated approach will help to explore the big cyber security questions all organisations must ask themselves:
Ideally, any organisation (big or small) should have a cyber-response plan and be ready to initiate it. However, we have found many organisations in New Zealand don't have one or they view a security breach as any other technology incident.
While this is expanding to include people and processes, cyber security must be recognised as an enterprise-wide priority requiring the active engagement of all internal stakeholders, from the business to risk and compliance, right up to the board of directors.
Guidelines from the Institute of Directors advise that boards should view cyber risks as an enterprise-wide risk management issue, not just an IT issue, and understand the potential legal impacts.
They should discuss cyber security risks and preparedness with management and consider cyber threats in the context of the organisation's overall tolerance for risk.
Boards across the world appear to be listening to this guidance and in New Zealand we're finding an enthusiastic interest from boards and executives for more education and information about their organisations' information security activities. A cyber incident is not a shark out there lurking in the deep rather, it's a risk that can be managed as an economic decision.
Advanced and enhanced information security practices will not only enable organisations to better defend against cyber threats but they can also help create competitive advantages and foster trust among customers and business partners.
This is particularly important in New Zealand, where we tend to be highly trusting.
There's no quick fix for effective cyber security - it's an ongoing trajectory towards a culture of security, coupled with the right mix of technologies, processes and people skills. Organisations which manage cyber risk well will unlock opportunities by using digital technologies and information assets with confidence.
Bruce Hassall is PwC New Zealand's Chief Executive Officer
To explore the survey findings by industry and region, visit: www.pwc.com/gsiss
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
15 Oct 2015
02 Jul 2015
25 Sep 2015