The arms race scenario emerges from the results of the latest Global Information Security Survey conducted by CIO and CSO magazines in conjunction with PwC (PricewaterhouseCoopers).
“New models of information security strategies and practices are needed to be better prepared,” says Colin Slater, security and technology partner at PwC New Zealand.
This also means realising that safeguarding everything to the same threat level is no longer possible, he says. “Businesses need to identify and prioritise what’s most important to them and focus their resources on protecting that.”
The survey, now on its 11th year, interviewed more than 9600 business, security and IT executives – with 49 respondents from New Zealand.
We need to find the optimal point between being afraid to adopt new technologies that will increase our competitive positions, and seriously addressing security implications
The latest survey found the number of security incidents detected in the past 12 months has increased by 25 per cent over last year, while the average financial costs of incidents are up 18 per cent.
Security investment is strong - average security budgets have increased 85 per cent over last year, and at 4.3 per cent. Asia Pacific reports the highest IS budget as a per cent of overall IT spending.
Respondents are optimistic on future information security spend, with 60 per cent stating their security budget will increase over the next 12 months. However, average financial losses due to security incidents are up 28 per cent over last year. Insiders, particularly current or former employees, are still the top source of security incidents. While many believe nation-states cause the most threats, only 4 per cent of respondents cited them, whereas 32 per cent pinpoint hackers as a source of outsider security incidents.
The top three obstacles to improving security are insufficient funding, business strategy alignment with security, and lack of leadership from the CEO or board.
“New Zealand businesses should pay heed to these global findings. We may be geographically isolated, but in this online and digitally connected world we’re just as vulnerable to threats as businesses in the US, UK, Australia or China,” says Slater.
“We can’t afford to be naive to the risks we face as the costs and complexities of responding to attacks continue to rise.”
It is not all bad news, says Slater. “It’s great that there is a focus on security and privacy, which has been pushed by the public sector.”
Slater says the Government CIO has been instrumental in raising awareness of information security issues, following a raft of privacy and security breaches in government agencies. “You talk to anyone who's running mobile or online services, they're getting asked different questions by their users now than they used to.”
What is key, however, is “actually putting in place putting long term remedies”.
“Technology and how we use it is constantly evolving. We need to find the optimal point between being afraid to adopt new technologies that will increase our competitive positions, and seriously addressing security implications,” says Slater.
Security agents
Slater says security awareness training should not be seen as a “bit of a nice to have”.
“Your people are your most effective deterrent and your most effective control,” he says. “I actually think it's the most important thing that you can do.”
He says enterprises can tailor the training to meet their business culture. When this is done, he says, “You have just multiplied your change agents and your security agents out in your workforce. And that is a really effective strategy.”
A staggering 55 per cent of respondents either did not know or did nothing in relation to the launch of a customer facing mobile application.
“It's a concept that's really, really such a basic thing to do, but the ROI on it is so high,” says Richard Tims, director, risk and control solutions at PwC NZ.
So how can CIOs get the executive management buy in for information security?
Getting executive support and endorsement is about context and consistency, says Slater. For CIOs he works with, “their biggest challenge is filtering their security privacy risks into a consistent view that’s digestible by senior management and the execs.
“So how do you dashboard your risk and threat profile? The really successful ones are the ones that articulate risks really clearly and have a plan to manage them,” says Slater.
The missing security piece
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.