Adrian van Hest –
New Zealand organisations have far less confidence in their own information security activities, and in those of their suppliers, than they did last year.
While confidence has dropped, it’s likely a more accurate picture of real versus perceived risk.
Last year, 83% of New Zealand respondents were confident or somewhat confident that their organisations’ information security activities were effective, compared to 65% this year.
The drop in confidence in the security activities of New Zealand organisations’ partners and suppliers is even wider: last year 82% of New Zealand respondents were ‘very’ or ‘somewhat confident’, compared to 57% this year.
As more organisations adopt risk frameworks, they are gaining a better understanding of their risks and what they need to do to manage them.
In recent years, the survey data in New Zealand has shown that high confidence doesn’t necessarily match the actual measures taken to secure information.
The reason for this, at least anecdotally, is that some organisations say that no one has told them something is wrong, so they choose to believe there is no issue.
Another reason is that many New Zealand organisations trust their suppliers and believe that they will simply do the right thing when needed, despite the absence, or even the specific exclusion, of security obligations from contractual agreements.
When called upon to conduct breach assessments in New Zealand, we have identified a significant issue about 90% of the time. What is alarming is that our data indicates that two-thirds of breach notifications now come from outside of the organisation. The reality is that until you have invested time in understanding your current state, and this critical information is driving your security activity, you can never truly know.
To have an effective strategy, organisations must understand which assets are most important to them, and then focus resources on dynamically protecting them by being in a position to detect, respond and recover when there is an incident. The organisations that want to maintain trust and stay competitive are those using a targeted information security approach.
There is no magic bullet for effective cyber security.
It is a journey towards a culture of security, not a solution in and of itself. It is a path that starts with the right mix of technologies, processes and people skills.
The organisations that will flourish in tomorrow’s interconnected world are those which recognise that good cyber security is good business; and by managing their risks, they can use digital technologies and their information assets to realise opportunity with confidence.
Note: PricewaterhouseCoopers’ Global State of Information Security Survey is a study of worldwide information security practices to understand how executives and industry leaders view current and future challenges related to cyber security. In essence, it shines the spotlight on what organisations are doing and plan to do when it comes to managing the real business risk associated with their information systems and data.
Adrian van Hest is a Partner at PricewaterhouseCoopers and Leader of the Firm’s National Cyber Practice. His speciality is IT Risk and Security, Project Governance, Strategy and Innovation. He has a successful record of developing and managing rapid growth businesses. He lives in Wellington. The above article is an extract of a recently released PwC Survey titled ‘Insights of the Annual Global State of Information Security’.