“[They] accept that the likelihood of an attack happening will remain high despite the investment in preventative controls and that the most effective way to treat that residual risk is to reduce the impact by improving the organisation’s ability to recover,” he says.
Undertaking a “bare-metal” rebuild without being able to count on lights, phones or computer networks is not for the faint-hearted.
“It is somewhat of a lost art, given how resilient to faults technology systems have become over the past few decades,” Sayer says.
While risk mitigation is behind a lot of this activity, regulation is also motivating it.
In response to a surge in ransomware attacks, the government fast-tracked through Parliament regulatory amendments allowing it to assume control of critical infrastructure if a cyberattack threatens national security.
It is also introducing security obligations to new sectors – including banking and finance, communications, data storage and processing, defence, education and research, food and grocery, health, space, and transport. Dell is one of those companies captured by the expanded scope.
In the landscape beyond critical infrastructure entities, the government is debating whether existing provisions in corporations, consumer and privacy law are sufficient to deal with cyber threats.
Industry is lobbying for more guidance over a prescriptive approach.
“The pathway forward is not to impose new regulation or change existing legislation around consumer law and corporations law to specifically include cybersecurity,” Andy Penn, Telstra chief executive and chair of the federal government’s Cybersecurity Industry Advisory Committee, says.
“But developing voluntary standards of best practice will be helpful and inform whether directors’ duties have been properly discharged,” he says.
Even if it successfully side-steps prescriptive new rules, big business will not be afforded a leisurely adoption period. The threat is simply too great.
“We’re seeing directors becoming more aware of cybersecurity risks and more concerned about their liability if their respective organisations aren’t doing what’s considered a ‘reasonable’ job of protecting customer, supplier, employee data and business operations,” Sayer says.
Salter says Australia is not alone with regard to this onslaught of cyber regulation. “You can see that shift happening right across the globe. Japan, for example, has changed and evolved all of their guidelines and regulatory landscape,” he says.
This is creating intense competition for staff. Sayer says cyber salaries are going up at an alarming rate alongside unprecedented levels of spending on cybersecurity.
“I am worried that this is not sustainable in the longer term,” he says.
Sayer predicts the new regulations will trigger an increase in investment in cybersecurity, up to 20 per cent of information technology budgets.
“Ultimately the business must divert it away from other strategic investment opportunities that could improve performance and customer satisfaction,” Sayer says.
However, based on previous experience with Sarbanes-Oxley and other regulations, he says this is likely to be a one-off transformational investment for companies to implement controls to get them compliant. After that, he expects security budgets to normalise at current levels of between 8 and 15 per cent of an organisation’s overall IT spend.
In broaching this issue with boards, chief information security officers are pitching at the wrong level.
“There’s a disconnect between what CISOs value in terms of cybersecurity and what the board is looking for,” Sayer says. “The board needs to govern cybersecurity risk as a material risk and most security organisations aren’t positioned to support this.”
He says providing the board with metrics such as the number of malware infections blocked with antivirus, the number of port scans blocked at the firewall, or the number of outstanding critical security vulnerabilities that haven’t been patched, might look impressive, but it is not something directors can make decisions on.
“CISOs need to provide a better suite of data points with insights and context that allow the board to decide whether the cyber risk is within appetite, and that the appetite settings are appropriate for the business. We’re seeing a lot of larger organisations undertaking this shift from metrics to governance for their boards,” Sayer says.
Salter says simulation exercises are uncovering unexpected savings for large entities.
“Most organisations are collecting and managing more data than they need to,” he says.
“If I’m operating to a legacy policy that says I need to keep data for seven years but in reality I only need to keep it for 30 or 90 days, that makes a big difference to how many copies of data I retain and also significantly reduces my surface area of attack.”
Salter says organisations further up the maturity curve are embarking on more advanced data management practices that allow them to focus on things that have the greatest impact.
This presents an opportunity to innovate and think differently about how to solve cybersecurity problems, according to Sayer.
“We’re in a state in our industry at the moment where people are buying the fanciest, all-singing and all-dancing solution when a simpler and cheaper solution would do the job,” he says.
“Near-term, businesses are going to start looking for more economical and sustainable ways to deliver cybersecurity risk management. This will mean simplifying and consolidating security platforms, reducing labour costs, outsourcing, and better risk management practices to ensure that limited resources are more effectively applied to activities that deliver the greatest return,” he says.