Australian CSOs expecting more IT-security budget than they're likely to get

Business leaders have different security priorities, less concerned about cyber attacks than IT-security executives

Many Australian IT leaders mistakenly believe they will see IT-security budgets increasing over the next two years, but executives have other thoughts on the issue, according to recent research that found the misalignment of expectations is stronger in Australia than in other countries in the Asia-Pacific region.

Fully 27 percent of IT-security executives in the global study of 1100 senior executives predicted a major increase in their security budget over the next two years, but only 13 percent of the C-suite respondents saw similar growth on the horizon.

This comes despite broad agreement that the risk of cyberattacks is increasing – a statement agreed to by 16 percent of C-suite respondents and 18 percent of IT-security executives. The research – conducted by the Economist Intelligence Unit on behalf of VMware – found that, despite IT executives' growing concerns, cybersecurity is only the ninth most-important strategic priority for Australia's C-suite executives.

Although Australia's C-suite and security leaders were largely aligned around the importance of protecting the company's reputation, regulated data and customer information, the business leaders were far less clear on the importance of cybersecurity policy in achieving these goals.

Just 5 percent of those executives said protecting against cyber-attacks was a priority, compared with 28 percent of IT executives. Australian business leaders were more concerned with issues such as acquiring new customers (14 percent vs 6 percent) and growing internationally (16 percent vs 8 percent).

“The C-suite's priorities are clear,” the report's authors note. “Their primary single concern is to safeguard the reputation and brand of the firm. In contrast, security executives are focused on the data and the software.... Lack of commitment [to security] can have direct implications for firms' security posture, by limiting funding and diminishing the impetus for organisational change.”

Businesses across all industry sectors face ongoing compromises, with fraudulent mobile apps, espionage-minded hackers, and ever-changing and increasingly malicious ransomware adding to recognised threats such as the security risks that permeate critical infrastructure.

Despite these multitudinous threats, the EIU findings suggest that business executives still downplay the threat of cybersecurity incidents: far fewer C-suite respondents agreed that their company was likely to experience a serious cyber-breach within 90 days (12 percent vs 31 percent of IT-security executives), one year (23 percent vs 40 percent), three years (25 percent vs 38 percent), and five years (27 percent vs 39 percent). While they recognise security as an abstract threat, it appears that business executives are still falling back into their comfort zones, focusing on business growth even as security advisors are recommending that businesses get more proactive about tracking down cybercriminals and acting to protect themselves online.

The Australian results were below global benchmarks, with 35 percent of global IT executives citing protection against cyber-attacks as their #1 priority, while acquiring new customers, at 14 percent, was given more than twice the priority that it is amongst Australian IT executives. Some 13 percent of global IT executives also prioritised ensuring regulatory compliance while 9 percent saw it as crucial to launch new products and services.

Those findings were echoed when C-suite executives and IT leaders were asked what was the single most important asset in the company that needed to be protected from cyber-attacks. IT-security leaders nominated regulated data (25 percent), customer information (20 percent), the company's reputation with customers (16 percent) and the company's applications and services (14 percent).

C-suite respondents, on the other hand, were more concerned about protecting the company's reputation with customers (25 percent), private internal communications (14 percent), strategic plans and initiatives (12 percent), regulated data (12 percent), and customer information (10 percent).

“Total information security is an impractical goal,” the report concludes, “so companies need to prioritise their more valuable or vulnerable assets. Unfortunately, this study reveals that the C-suite and security leadership are not in sync on what needs to be protected the most.”


Stories by David Braue
