Who watches the cyber watchmen?

Leaps in technologies hold great promise for contending with seemingly intractable cyber threats. Yet the spotlight on technological advances can dim the focus on the roles, competencies and training of people—often an over looked although very effective defence. We're seeing this start to change.

As cyber risks become increasingly prominent concerns in the C-suite and boardrooms across the globe, forward-leaning business leaders are rethinking cyber security practices and focussing on a nexus of innovative technologies that can reduce risks and improve performance.

"Boards should view cyber risks as an enterprise-wide risk management issue, not just an IT issue, and understand the potential legal impacts."
Bruce Hassall, PwC New Zealand's Chief Executive Officer

However new research we have done suggests both Australia and New Zealand are slightly behind the curve in the boardroom.

Click image to zoom Tap image to zoom

PwC's The Global State of Information Security® Survey 2016 looks at worldwide information security practices to understand how executives and industry leaders view current and future challenges related to cyber security.

Globally, 35 per cent of organisations said a chief information security executive delivers risk updates at least four times a year to the board. In Australia, this is true for 29 per cent of respondents and in New Zealand 21 per cent receive regular updates.

Board participation saw a double-digit lift worldwide (to 45 per cent). In Australia this increased to 40 per cent and in New Zealand to 37 per cent. Respondents said this deepening board involvement has helped improve cyber security practices in numerous ways.

Click image to zoom Tap image to zoom

So it may be no coincidence that, as more boards globally participate in cyber security budget discussions, they have boosted information security spending by 24 per cent over the last year gearing up to tackle the cyber security juggernaut head on.


Nevertheless New Zealand organisations in particular are falling behind the trends in cyber security spending with nearly 40 per cent of New Zealand respondents having no plans to adopt big data analytics to model for and identify information security incidents, compared with 11 per cent globally and 14 per cent in Australia.

Of those who adopted such methods globally, 61 per cent say it has improved understanding of external security threats and 49 per cent say it has improved understanding of internal threats.

Board participation opens up the lines of communication between the cyber security function and top executives and directors. With cyber incidents often leaving behind a broad swath of operational, reputational and financial damages, senior leaders have begun to address cyber security as a serious risk-oversight issue that has strategic, cross-functional, legal and financial implications.


Working towards a more coordinated approach will help to explore the big cyber security questions all organisations must ask themselves:

  • What is my exposure?
  • Where is my data?
  • Who has access?
  • Have I been breached?
  • How do I know?

Ideally, any organisation (big or small) should have a cyber-response plan and be ready to initiate it. However, we have found many organisations in New Zealand don't have one or they view a security breach as any other technology incident.

While this is expanding to include people and processes, cyber security must be recognised as an enterprise-wide priority requiring the active engagement of all internal stakeholders, from the business to risk and compliance, right up to the board of directors.


Guidelines from the Institute of Directors advise that boards should view cyber risks as an enterprise-wide risk management issue, not just an IT issue, and understand the potential legal impacts.

They should discuss cyber security risks and preparedness with management and consider cyber threats in the context of the organisation's overall tolerance for risk.

Boards across the world appear to be listening to this guidance and in New Zealand we're finding an enthusiastic interest from boards and executives for more education and information about their organisations' information security activities. A cyber incident is not a shark out there lurking in the deep rather, it's a risk that can be managed as an economic decision.

Advanced and enhanced information security practices will not only enable organisations to better defend against cyber threats but they can also help create competitive advantages and foster trust among customers and business partners.

This is particularly important in New Zealand, where we tend to be highly trusting.

There's no quick fix for effective cyber security - it's an ongoing trajectory towards a culture of security, coupled with the right mix of technologies, processes and people skills. Organisations which manage cyber risk well will unlock opportunities by using digital technologies and information assets with confidence.

Click image to zoom Tap image to zoom

Bruce Hassall is PwC New Zealand's Chief Executive Officer

To explore the survey findings by industry and region, visit:

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.

editor's picks

15 Oct 2015

Cyberattacks: think 'when', not 'if'

Steve Glynn | Former Global Head of Information Security, ANZ

Against a background of accelerating technological change and disruptive business models, cyber security has become a key operational risk facing organisations of all sizes – especially those in financial services.

02 Jul 2015

Humans are the weakest link in the digital war

Guy Boyd | Head of Financial Crime, ANZ

There is no doubt digital is the future and customers want the convenience and speed it provides – not just in banking but many services. But the convenience and revolution of digital comes with the risk of cybercrime. This will be a digital war and humans remain the weakest link – meaning training and education are critical.

25 Sep 2015

Your leadership strategy needs to change

Martin Reeves | Senior Partner, The Boston Consulting Group & Director, Bruce Henderson Institute

It's no secret the pace of change today is head-spinningly fast. The stakes are higher than ever: one third of US public corporations will not survive the next five years. In the declining number of industries that remain stable and predictable, the classical approach to strategy and leadership taught in business schools still applies.