More than 80% of New Zealand’s nationally significant organisations don’t have a dedicated chief information security officer (CISO), with many opting to either include responsibilities in a broader role or simply go without a CISO altogether.
The Government Communication Security Bureau (GCSB) and National Cybersecurity Centre (NCSC) published the country’s first benchmark of how 250 of NZ’s nationally significant organisations stack up when it comes to cybersecurity.
Of those surveyed, 63% have a cybersecurity incident response plan, but 33% of those had not tested that plan in the last year.
Despite the lack of a CISO to guide the way, 73% of organisations increased their cybersecurity spending in the last year.
Seventy percent of organisations had increased spending on new security tools, while 45% had increased spend on more IT security staff. Fifty-four percent increased spending on IT staff training.
While tools and vulnerability assessments are a central focus for spending, the benchmark says that these are coming with an even higher price – the cost of investment in people.
Fifty-two percent of organisations said they do not have enough skilled staff to meet their security requirements.
What’s more, cybersecurity spending isn’t necessarily resulting in more cyber-confident organisations. 41% of organisations are mildly confident or not confident in their ability to detect an intrusion.
Managed security service providers should also take note: Of the organisations who use MSP services, 36% say they have no mechanism to confirm whether their provider is delivering on the agreed level of security.
“Overall it appears that digital transformation is outpacing investment in cybersecurity and as a result we found a range of resilience levels,” says GCSB director—general Andrew Hampton.
“While most organisations are heading in the right direction, more work needs to be done to improve cyber resilience across the board.”
The benchmark report adds that there are four areas of good practice that can help organisations focus their efforts for the greatest effect.
• Governance – Promoting cybersecurity at a senior leadership level to protect an organisation’s most important digital assets.
• Investment – Investing in cybersecurity to minimise risk and maximise returns.
• Readiness – Preparing the organisation to detect, respond, and recover from a cybersecurity incident.
• Supply Chain – Maintaining oversight and awareness of the cybersecurity risks in an organisation’s supply chain.
Each of the 250 organisations received its own individualised and commercially-sensitive report as part of the findings. The reports cover actions that the organisations can take to increase their cyber resilience.
Those actions include:
• Establishing clear accountability for cybersecurity;
• Regular reporting on cybersecurity, including near misses, to executives and directors;
• Balancing strategic investment in assets and staff over vulnerability assessment;
• Identification of critical information assets and risks to those assets;
• Having a dedicated budget line for IT security;
• Preparing and regularly testing a cybersecurity incident response plan, and
• Ensuring third party vendors include specific cybersecurity service level agreements and the right to be audited on cybersecurity performance.
“Cybersecurity is a team sport and we all have to do our bit. In this interconnected world we are all just one click away from a potential threat,” Hampton concludes.
The GCSB and the NCSC are committed to working with less mature organisations to raise overall cybersecurity resilience.