Story image

GCSB report: NZ firms lack CISOs, human investment

01 Nov 2018

More than 80% of New Zealand’s nationally significant organisations don’t have a dedicated chief information security officer (CISO), with many opting to either include responsibilities in a broader role or simply go without a CISO altogether.

The Government Communication Security Bureau (GCSB) and National Cybersecurity Centre (NCSC) published the country’s first benchmark of how 250 of NZ’s nationally significant organisations stack up when it comes to cybersecurity.

Of those surveyed, 63% have a cybersecurity incident response plan, but 33% of those had not tested that plan in the last year.

Despite the lack of a CISO to guide the way, 73% of organisations increased their cybersecurity spending in the last year. 

Seventy percent of organisations had increased spending on new security tools, while 45% had increased spend on more IT security staff. Fifty-four percent increased spending on IT staff training.

While tools and vulnerability assessments are a central focus for spending, the benchmark says that these are coming with an even higher price – the cost of investment in people. 

Fifty-two percent of organisations said they do not have enough skilled staff to meet their security requirements. 

What’s more, cybersecurity spending isn’t necessarily resulting in more cyber-confident organisations. 41% of organisations are mildly confident or not confident in their ability to detect an intrusion.

Managed security service providers should also take note: Of the organisations who use MSP services, 36% say they have no mechanism to confirm whether their provider is delivering on the agreed level of security.

“Overall it appears that digital transformation is outpacing investment in cybersecurity and as a result we found a range of resilience levels,” says GCSB director—general Andrew Hampton.

“While most organisations are heading in the right direction, more work needs to be done to improve cyber resilience across the board.”

The benchmark report adds that there are four areas of good practice that can help organisations focus their efforts for the greatest effect.

They include:
•    Governance – Promoting cybersecurity at a senior leadership level to protect an organisation’s most important digital assets. 
•    Investment – Investing in cybersecurity to minimise risk and maximise returns. 
•    Readiness – Preparing the organisation to detect, respond, and recover from a cybersecurity incident. 
•    Supply Chain – Maintaining oversight and awareness of the cybersecurity risks in an organisation’s supply chain.

Each of the 250 organisations received its own individualised and commercially-sensitive report as part of the findings. The reports cover actions that the organisations can take to increase their cyber resilience.

Those actions include:
•    Establishing clear accountability for cybersecurity;
•    Regular reporting on cybersecurity, including near misses, to executives and directors;
•    Balancing strategic investment in assets and staff over vulnerability assessment;
•    Identification of critical information assets and risks to those assets;
•    Having a dedicated budget line for IT security;
•    Preparing and regularly testing a cybersecurity incident response plan, and
•    Ensuring third party vendors include specific cybersecurity service level agreements and the right to be audited on cybersecurity performance.

“Cybersecurity is a team sport and we all have to do our bit. In this interconnected world we are all just one click away from a potential threat,” Hampton concludes.

The GCSB and the NCSC are committed to working with less mature organisations to raise overall cybersecurity resilience.

New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.