Security leaders struggling to report risk as increased regulations loom
Australian business leaders are preparing for incoming cyber regulation, but security executives are having difficulties quantifying risk levels.
Tenable has published a new study revealing that 94 percent of Australian security leaders have been asked by top executives to report on their organisation’s level of exposure to a specific threat or publicised vulnerability, yet only 70 percent are, at best, ‘somewhat confident’ in their ability to report on their level of security or risk when asked.
With the introduction of Australia’s Cyber Security Strategy 2020, business leaders of critical infrastructure and systems of national importance may be subject to regulatory penalties if they don’t equip security teams with the right tools to measure and communicate cyber risks. This represents, says a Tenable media release, a “clarion call for business and security leaders in Australia to align on cyber imperatives”.
Despite increased focus and investment in cybersecurity, the study found that 92 percent of Australian organisations experienced a business-impacting cyber attack in the past 12 months.
Seventy-three percent of these attacks involved operational technology (OT) assets. Where did the attacks come from? According to the study:
- fraud (45 percent)
- COVID-19 phishing (44 percent)
- data breaches (43 percent)
- ransomware (39 percent), and
- software vulnerabilities (36 percent).
Sixty-seven percent of business leaders report that their security counterparts are, at best, only ‘somewhat effective’ in communicating threats that pose the greatest risk to the organisation. This finding – paired with the high volume of cyber attacks impacting businesses – calls into question the level of visibility organisations have into their critical assets to make decisions and reduce risk.
The study highlights three areas of improvement that should help security leaders more effectively communicate cyber risk: holistic visibility of business-critical assets, security metrics that speak to business risk and predictive business risk context for incoming threats.
“Crucially, this research highlights that a lack of visibility is undermining security leaders’ ability to analyse and combat cyber risks, while most security and business leaders aren’t working together to align security and business performance metrics,” says Scott McKinnel, ANZ country manager at Tenable. “To effectively manage an organisation’s strategic approach to cyber risk, Australian security leaders should be using risk metrics, cost and performance indicators – the language executives understand,” he says.
The research was commissioned by Tenable and performed by Forrester Consulting, which conducted an online survey of 416 security and 425 business executives, across a number of countries including Australia, in April.