Hand of businessman using malware alert cybersecurity interface with triangular warning icon on touch screen over blue background.
Image: ImageFlow/Adobe Stock

Fear and the more technical aspects of cybersecurity are still stopping Australian CEOs from engaging more deeply with cybersecurity risks, despite a string of high-profile cyberattacks that have hit Australian brands, including Optus and Medibank and millions of their customers.

New research from consulting firm Accenture found that only one in five (19%) of Australian CEOs are currently dedicating board meetings to discussing cybersecurity issues, while 34% think cybersecurity isn’t a strategic matter and requires episodic rather than ongoing attention.

The results indicate that, despite a rise in data breach costs in Australia and a fast-changing threat landscape, including a potential escalation of social engineering attacks due to generative AI, local CEOs are not taking an “always on” approach to assessing and mitigating cyber risk.

IT leaders can play a role in increasing cyber risk engagement by talking in a language CEOs understand, engaging with boards of directors worried about their own liability and being clear on what best practices and investment levels they should target in their organizations.

CEOs still not taking ownership of cyber security risks

Accenture’s Australian findings, drawn from a survey of 1,000 CEOs in large companies around the globe for its The Cyber-Resilient CEO report, found that 91% of CEOs still believe cybersecurity is a technical function that’s the responsibility of the CISO or CIO, not theirs.

Only one-third (28%) of Australian CEOs strongly agreed they had deep knowledge of the evolving cyberthreat landscape they were facing. At the same time, 93% lacked confidence in their organization’s ability to prevent or mitigate future cyberattacks.

SEE: Is rapid data recovery the best hope Australia has against ransomware?

Jacqui Kernot profile photo.
Jacqui Kernot, security director for Australia and New Zealand at Accenture

Accenture Security Director for Australia and New Zealand Jacqui Kernot told TechRepublic that despite the risks and costs associated with being a victim of a cyberattack, cybersecurity was still not being given the level of attention it should be at the CEO level.

“It is quite frightening that even after all the noise in the press, the really visible breaches, we still haven’t had that leaning in and uplift from our CEO population,” Kernot said. “My view is we really need to think about why that hasn’t shifted so much and how to empower our CEOs.”

IT security still a ‘black art’ for CEOs

The IT security function has become a “black art” that was full of mystery and fear for outsiders, including nontechnical CEOs, Kernot said. CEOs not engaging with cyber risks were just like people taking their PC to a technical expert to get it fixed, rather than fixing it themselves.

The technical nature of security and the language of security experts could overcomplicate building awareness around cybersecurity, Kernot said. That said, a new generation of digital natives who understand tech are helping to build cultural change and could help engage CEOs.

CEOs not leaning into security fears

Recent high-profile breaches and expanding regulation and penalties had put the majority of CEOs into a “mild form of panic,” Kernot said. She said no CEO wanted to be on TV managing a data breach, and there was recognition of how such an event could impact share prices.

SEE: What can IT leaders do about the rising data breach costs in Australia?

Discomfort was causing some CEOs to lean in and increase their cybersecurity knowledge. However, Kernot said that, as demonstrated by the survey results, there were many who were ” … quite terrified and lean back because it is something that they don’t understand.”

IT leaders can boost CEO and board security awareness

CEOs will need to take on more ownership of cybersecurity risks in the future. But CIOs and CISOs may need to work to make this happen. They’ll need to demand more of an audience with the CEO to progress best practice cybersecurity agendas within their organizations.

Kernot said there were a range of things that could support greater security awareness at the top. This could include giving CISOs a direct line to the CEO and board, rather than through a CIO, to ensure reporting of cybersecurity was being given the attention it now warrants.

Understand and address cyber security gaps

Kernot recommends that IT leaders look at best practice approaches such as NIST maturity assessments or Australia’s Cyber Operational Resilience Intelligence-led Exercises Framework for financial institutions to establish what the gap was for their own organization.

This would enable CIOs and CISOs to become clear on the uplift they needed from their CEO. If the CEO then decides not to fund it, at least it would be clear IT leaders knew there was a problem and tried to mitigate it, rather than being blamed for it, Kernot said.

“If you are not clear what you need, your budget and what the risks are if you don’t get it, then you risk being a part of the problem,” said Kernot. “You need to be proactive in your recommendations around what needs to happen. You need to be clear what is needed to get the job done.”

Talk in the language of CEOs, not security jargon

Security professionals should minimize jargon — such as talking about “attack surface management” — and communicate in terms CEOs and boards understand. This would include terms such as managing risks, reducing costs, streamlining and increasing visibility in the event of a crisis.

SEE: Big spending on security may not be enough for Australian and New Zealand Enterprises.

Kernot said this shift was about understanding complexity and helping CEOs manage it without overcomplicating it.

“It’s really thinking about what the CEO is considering and what their job is to manage and how you fit your work into what they manage,” said Kernot.

Appeal to boards of directors as well as CEOs

CISOs will find interested allies in boards, Kernot said, who were now “absolutely worrying” about cybersecurity. The Australian Securities and Investments Commission has recently warned it would go after boards; regulations such as CPS 234 for APRA-regulated entities place information security responsibility on boards.

“I haven’t met a board director not worrying about this and their personal liability, and they are doing their own homework,” said Kernot. “As an IT professional, you have the opportunity to direct and lead their thinking and get the business to where it needs to be.”

Kernot said IT leaders who were not spending time in front of the board and CEO in this environment were missing an opportunity.

“They are all worrying, and you are either helping them feel more comfortable or letting them freak out about it in your absence,” said Kernot.

Run cyber simulations to boost risk engagement

Cybersecurity simulations are one of the most effective and cost effective ways of increasing board- and executive-level engagement in cybersecurity. Kernot said organizations who do them are likely to get better at funding uplifts in cyber budgets as they get people “really interested.”

“Cyber security simulations are uncomfortable. They get you out of your comfort zone,” said Kernot. “What you want to do is make sure that the board of directors leave feeling uncomfortable and worried, thinking about how to manage that risk in the future.”

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays