Cybersecurity funding to surge this financial year: Adapt
Following a year-on-year survey of 181 Australian Chief Information Security Officers (CISOs) representing many of Australia’s most influential organisations responsible for over 20% of Australia’s GDP, local technology research and advisory organisation Adapt has released the results of its forward-looking 2023 Security Edge survey, which outlines the top priorities for cybersecurity leaders across the 2023-2024 financial year.
Archie Reed, Research Director at Adapt, notes the fast-growing rates of cyber funding come as little surprise given the slew of high-profile data breaches. “The responsibility for effective cybersecurity has always been a shared duty of leadership teams, but it wasn’t always high on their agendas. Now, companies are willing to go to greater lengths to remain secure, with many using a collaborative approach spanning all departments in the hopes of keeping secure. This involves the CIO, CISO, and risk officers coming together to build solutions addressing their unique combination of physical, supply chain, and information security risks.”
81% of CISOs consider compliance with regulations a top business priority over the next 12 months, down from 84% in the previous 12 months.
While Reed says compliance with fast-evolving cyber regulations is a good start, companies should be mindful that servicing compliance doesn’t mean their organisation is appropriately secure. “Regulators are working fast to set standards by which most businesses can follow, but executives should be mindful that they serve as minimum requirements, rather than a checklist for bulletproof security in 2023. Becoming resilient and secure is a collective responsibility that requires executive collaboration going well beyond compliance.”
Behind “preventing brand damage” (93% of respondents, up from 91%), “ensuring data privacy” (88%, down from 95%), and “securing end-users” (84%, down from 90%), cybersecurity leaders are being driven by the potential of customer loss resulting from the impact of a breach.
Reed believes retaining customers through security is vital. “Fast-evolving cyber adversaries and legislative requirements mean it's crucial to adopt resilience measures prioritising data privacy and end user security, making a business more likely to be trusted by customers, and therefore more commercially successful compared to its peers.”
When asked about the most significant factors preventing the implementation of security initiatives, 57% of CISOs cited a lack of budget (up from 30% in 2022), making it the most quoted inhibitor of security initiatives. It ranked in front of "too many manual processes" (53%, down from 51%), a lack of in-house security skills (52%), and rapidly evolving security threats (48%).
However, the perception of funding as a shortfall has reduced significantly since 2021, when ADAPT revealed 82% of CISOs considered a lack of funding a barrier to security initiatives.
Over the next twelve months, 65% of CISOs expect an increase to their security budgets (down from 77%), while 30% don’t expect any change (up from 14%), and 20% expect a budget increase of more than 20%.
Reed stresses the importance of budget allocation. “It’s not always about spending more, but about spending more wisely. As companies already struggle with a complex technology stack, it’s important they adopt a strategic approach to security investments, focusing on ‘right-sourcing’ rather than just increasing budgets for more technology, which might not guarantee greater security.”
Cybersecurity awareness training is the number one investment priority among CISOs in 2023, with 44% of respondents expecting to invest this year. However, rates of cybersecurity awareness training generally remain low, with 45% of organisations undertaking company-wide security awareness training twice a year or less.
Reed believes it is leaving businesses exposed. “Leadership must foster a culture that includes cyber-awareness and responsibility. While data shows that more cybersecurity funding is being forecast, beyond covering increased costs, companies are mistaken if they think they can ‘buy’ security without first cultivating a cyber-aware workforce. Business leaders must use their influence to drive better cybersecurity hygiene among their teams or risk more breaches,” he concludes.