Story image

GCSB report: NZ firms lack CISOs, human investment

01 Nov 2018

More than 80% of New Zealand’s nationally significant organisations don’t have a dedicated chief information security officer (CISO), with many opting to either include responsibilities in a broader role or simply go without a CISO altogether.

The Government Communication Security Bureau (GCSB) and National Cybersecurity Centre (NCSC) published the country’s first benchmark of how 250 of NZ’s nationally significant organisations stack up when it comes to cybersecurity.

Of those surveyed, 63% have a cybersecurity incident response plan, but 33% of those had not tested that plan in the last year.

Despite the lack of a CISO to guide the way, 73% of organisations increased their cybersecurity spending in the last year. 

Seventy percent of organisations had increased spending on new security tools, while 45% had increased spend on more IT security staff. Fifty-four percent increased spending on IT staff training.

While tools and vulnerability assessments are a central focus for spending, the benchmark says that these are coming with an even higher price – the cost of investment in people. 

Fifty-two percent of organisations said they do not have enough skilled staff to meet their security requirements. 

What’s more, cybersecurity spending isn’t necessarily resulting in more cyber-confident organisations. 41% of organisations are mildly confident or not confident in their ability to detect an intrusion.

Managed security service providers should also take note: Of the organisations who use MSP services, 36% say they have no mechanism to confirm whether their provider is delivering on the agreed level of security.

“Overall it appears that digital transformation is outpacing investment in cybersecurity and as a result we found a range of resilience levels,” says GCSB director—general Andrew Hampton.

“While most organisations are heading in the right direction, more work needs to be done to improve cyber resilience across the board.”

The benchmark report adds that there are four areas of good practice that can help organisations focus their efforts for the greatest effect.

They include: •    Governance – Promoting cybersecurity at a senior leadership level to protect an organisation’s most important digital assets.  •    Investment – Investing in cybersecurity to minimise risk and maximise returns.  •    Readiness – Preparing the organisation to detect, respond, and recover from a cybersecurity incident.  •    Supply Chain – Maintaining oversight and awareness of the cybersecurity risks in an organisation’s supply chain.

Each of the 250 organisations received its own individualised and commercially-sensitive report as part of the findings. The reports cover actions that the organisations can take to increase their cyber resilience.

Those actions include: •    Establishing clear accountability for cybersecurity; •    Regular reporting on cybersecurity, including near misses, to executives and directors; •    Balancing strategic investment in assets and staff over vulnerability assessment; •    Identification of critical information assets and risks to those assets; •    Having a dedicated budget line for IT security; •    Preparing and regularly testing a cybersecurity incident response plan, and •    Ensuring third party vendors include specific cybersecurity service level agreements and the right to be audited on cybersecurity performance.

“Cybersecurity is a team sport and we all have to do our bit. In this interconnected world we are all just one click away from a potential threat,” Hampton concludes.

The GCSB and the NCSC are committed to working with less mature organisations to raise overall cybersecurity resilience.

Better data management: Whose job is it?
An Experian executive’s practical advice on how to structure data-management roles within a modern business environment.
Platform9 and Intersect partner to bring unified cloud to A/NZ
“For Intersect, Platform9 represents the single most strategic solution to a set of challenges we see expanding across the board."
Meet the future of women in IT
Emily Sopers has just won Kordia’s first ever Women in Technology Scholarship, which was established to address gender imbalance in the information and communications technology (ICT) sector.
Web design programmers do an about face – again!
Google is aggressively pushing speed in the mobile environment as a critical ranking factor, and many eb design teams struggling to reach 80%+ speed scores on Google speed tests with gorgeous – but heavy - WordPress templates and themes.
Digital spending to hit US$1.2 trillion by 2022
A recent study by Zinnov shows that IoT spend reached US$201 billion in 2018 while outsourcing service providers generated $40 billion in revenue.
'Iwi Algorithm' can grow Aotearoa's mana
Ngāti Whātua Ōrākei innovation officer Te Aroha Grace says AI can help to combine the values from different cultures to help grow Aotearoa’s mana and brand – and AI is not just for commercial gain.
Dropbox brings in-country document hosting to A/NZ & Japan
Dropbox Business users in New Zealand, Australia, and Japan will be able to store their Dropbox files in-country, beginning in the second half of 2019.
Why 'right to repair' legislation could be a new lease on life for broken devices
“These companies are profiting at the expense of our environment and our pocketbooks as we become a throw-away society that discards over 6 million tonnes of electronics every year.”