EXTRAHOP 2022 CYBER CONFIDENCE INDEX—ASIA PACIFIC 2022

CYBER CONFIDENCE INDEX: ASIA PACIFIC


IT security professionals and teams have spent the past five years firmly in the spotlight. They are an area of the organisation that has attracted—and continues to attract—an increasing share of the IT budget. Regardless, security teams are still far short of the budget and talent they need to face the growing challenges of modern cybersecurity. The increase in resourcing is a testament to the understanding that boards, executives, and decision makers generally have of the role that cybersecurity plays in organisations today.

Much of the understanding comes from real experiences of attacks.

Our study shows 83% of organisations in the region have been breached by ransomware at least once in the past five years. It’s likely that the percentage is even higher, as organisations may be reluctant to discuss attacks—the study also shows that 20% of organisations won’t tell anyone if they get breached.
The breach numbers are a problem when you consider that boards and executives expect their investments in cybersecurity to afford them greater confidence to conduct business in a secure, undisrupted manner.

How can IT security decision makers move the needle on security posture when the threat landscape is changing faster than ever?

How can IT security decision makers in the region become more confident in their organisation’s ability to detect and block threats so they can pass this confidence to executive committees, boards, and staff?

In this report, we start by analysing declarations of confidence by IT security decision makers. We then look at some of the factors that may undermine these declarations of confidence and finally discuss how to address any imbalance in order to create a more confident cybersecurity posture that reflects reality and justifies ongoing investments. It’s been a busy five years in cybersecurity in Asia Pacific. This is what IT security leaders intend to do next.



Contextualising Confidence

Confidence and cybersecurity aren’t mutually exclusive concepts, but inherent risks in the sector mean that expressions of confidence are often purposely muted.

Public displays of confidence in one’s cybersecurity posture can backfire, making firms a target for unwanted attention. Such expressions may also be tempered by the historical imbalance between attackers and defenders: As much as defenders can try to de-risk and identify blind spots, new threats will always emerge that we can’t foresee—flaws in common protocols, or new exploit or vulnerability chains, for example—that undermine security and confidence.

Despite this, we’ve seen in similar, previous research overconfidence on the part of some IT security leaders as to their organisational readiness and ability to identify and repel threats. There’s an apparent gap between expressions of security confidence and the implications of security data—such as the surprising prevalence of insecure protocols and the frequency of successful attacks. It was with this in mind that we set out on a search for answers in the Asia Pacific region. What you have in your hands are the results of research spanning Australia, Singapore, and Japan. All three are significant regional markets but with very different business cultural characteristics that are reflected in the outcomes of this study. We present both a whole-of-region perspective, as well as a breakdown by country which will better highlight differences in approaches being taken.

On a whole-of-region basis, we find IT security leaders are largely pragmatic about the threats they face, and express confidence in their organisation’s ability to handle these threats accordingly. Only 39% have high confidence in their organisation’s ability to prevent or mitigate cybersecurity threats. An equal percentage have a low level of confidence.

There are key regional differences, though: 52% of Singaporean IT security leaders have high confidence in their postures, compared to 43% in Australia and 23% in Japan. How each justifies its confidence level is a hot topic for further discussion.

As we’ve alluded to, confidence in cybersecurity is a fraught concept. Purely from a historical and risk perspective, it makes sense to keep confidence in check or understated.

Yet we also need to keep in mind the context of cybersecurity operations in the past five years and of cybersecurity’s increased internal profile and stature. Organisations have backed cybersecurity with increased investment, and for that, boards and executives expect a return on investment that—to a large extent—is expressed in confidence terms.

Just under two-thirds (61%) of organisations expect cybersecurity budgets to increase in 2022. This is higher in Singapore (70%) and Australia (66%) but lower in Japan where 48% anticipate budget increases and 49% expect to see stable budgets year-on-year. Across the board, very few expect cybersecurity budgets to decrease.

While external messaging on security is often couched in terms of the inevitability of being targeted or attacked, boards and the C-Suite are increasingly accountable for these risks and need to be confident enough to sign off on them. To do so, they rely here on the confidence and assurances of their IT security leaders and teams. But having that accountability may increasingly drive boards and executive committees to undertake their own, separate, independent assurance and due diligence on whether internal confidence around cybersecurity is justified or overstated. The extent to which it is overstated may be difficult to determine given the technical nature of the security discipline.

However, this paper offers some guidance on incongruities: instances where leaders express confidence even though the patterns and practices of their actions undermine that stance. Knowledge and awareness of these incongruities is useful because it helps to understand where to ask additional questions and really test the robustness of the expressions of confidence that boards and executives are receiving.

Where to Ask Questions

A major part of this study identifies shortfalls in best-practice approaches to IT security that may not be adequately reflected in organisational confidence scores or at the very least undermine some of those scores.

To preface this, there are areas where security teams already perform well or where additional scrutiny may be unwarranted.

How long does it take your team to respond to a critical vulnerability, either apply the patch or implement the solution?

Less than one day: 26%
One to three days: 39%
One week: 21%
One month: 7%
More than one month: 1%
Don’t know: 7%


A positive in 2022 for most countries is that access controls and the potential for supply chain attacks appear to be well understood. Just over half (51%) of organisations allow third-party access to their networks and most of this cohort (86%) have considered the security aspects. This is highest in Singapore (96%) and Australia (87%) but lower in Japan (74%) where one in five haven’t assessed the security implications of such arrangements. In addition, most security teams are responsive to the discovery of vulnerabilities with 64% of teams able to enact mitigations or apply a patch (where available) within three days. However, that means 28% of instances take a week or more to mitigate against or patch. Breaking this down even further, 26% of teams respond in under a day, 39% take one to three days, 21% need a week, and 8% need a month or more. Benchmarking your own organisation’s
