So it may be no coincidence that, as more boards globally participate in cyber security budget discussions, they have boosted information security spending by 24 per cent over the last year, gearing up to tackle the cyber security juggernaut head on.
Nevertheless, New Zealand organisations in particular are falling behind the trends in cyber security spending, with nearly 40 per cent of New Zealand respondents having no plans to adopt big data analytics to model for and identify information security incidents, compared with 11 per cent globally and 14 per cent in Australia.
Of those who adopted such methods globally, 61 per cent say it has improved understanding of external security threats and 49 per cent say it has improved understanding of internal threats.
Board participation opens up the lines of communication between the cyber security function and top executives and directors. With cyber incidents often leaving behind a broad swath of operational, reputational and financial damages, senior leaders have begun to address cyber security as a serious risk-oversight issue that has strategic, cross-functional, legal and financial implications.
HOW DO WE MEASURE THE THREAT?
Working towards a more coordinated approach will help to explore the big cyber security questions all organisations must ask themselves:
- What is my exposure?
- Where is my data?
- Who has access?
- Have I been breached?
- How do I know?
Ideally, any organisation (big or small) should have a cyber-response plan and be ready to initiate it. However, we have found many organisations in New Zealand don't have one, or they view a security breach as they would any other technology incident.
While this is expanding to include people and processes, cyber security must be recognised as an enterprise-wide priority requiring the active engagement of all internal stakeholders, from the business to risk and compliance, right up to the board of directors.
Guidelines from the Institute of Directors advise that boards should view cyber risks as an enterprise-wide risk management issue, not just an IT issue, and understand the potential legal impacts.
They should discuss cyber security risks and preparedness with management and consider cyber threats in the context of the organisation's overall tolerance for risk.
Boards across the world appear to be listening to this guidance, and in New Zealand we're finding an enthusiastic interest from boards and executives for more education and information about their organisations' information security activities. A cyber incident is not a shark out there lurking in the deep; rather, it's a risk that can be managed as an economic decision.
Advanced and enhanced information security practices will not only enable organisations to better defend against cyber threats but they can also help create competitive advantages and foster trust among customers and business partners.
This is particularly important in New Zealand, where we tend to be highly trusting.
There's no quick fix for effective cyber security - it's an ongoing trajectory towards a culture of security, coupled with the right mix of technologies, processes and people skills. Organisations which manage cyber risk well will unlock opportunities by using digital technologies and information assets with confidence.