Lack of customer confidence affecting security strategies: report

New research from LogRhythm has revealed that while most security executives in Australia and New Zealand view their cybersecurity defence positively, four in 10 companies have lost deals due to customers’ lack of confidence in their strategy in the last 18 months.

81% of ANZ security executives rated their cybersecurity defence as good or excellent, yet 40% of companies faced customer confidence issues, prompting over three in every four companies to adjust their cybersecurity strategy. Of companies that have lost deals due to customer confidence issues, 71% indicated that it happened in the last 18 months. This highlights a disconnect between security executives and their customers on the effectiveness of their cybersecurity defence, suggesting gaps in meeting customer expectations for data protection.

LogRhythm’s ‘2024 State of the Security Team: Navigating Constant Change Research Report’ explores the insights of security professionals around external factors affecting security strategy, alongside reporting capabilities and overall security communication effectiveness within the business. The study presents findings from 1176 cybersecurity professionals and executives globally, including Singapore, Malaysia, Indonesia, Japan, India, Australia and New Zealand in the APAC region.

Adapting to the dynamic threat landscape

In response to the dynamic threat landscape, 76% of ANZ respondents highlighted that they have changed their company security strategy in the last 12 months. Use of AI for threat management and new security solutions was cited as the primary driver for change in Australia and New Zealand by 67% of respondents, with Indonesia leading this trend at 86%, the highest in APAC. Other reasons include changing regulations or compliance requirements (58%), new attack types (60%) and budget changes (35%).

Communication gap remains between security teams and non-security executives

The study also uncovered a rise in expectation for senior leaders to be accountable for security breaches, with 49% stating that cybersecurity leaders and CEOs should ultimately bear the responsibility for protecting against and responding to cyber incidents. The findings give credence that cybersecurity is now recognised as an integral component of business strategy and corporate governance, shifting away from its previous perception as a purely technical concern.

However, while executives are now expected to have greater responsibility over cybersecurity breaches, there remains a gap in communication between security teams and non-security executives. This disparity exists despite ANZ cybersecurity teams, indicating that 75% possess the right tools to easily communicate the current security status to key stakeholders across teams.

Specifically, 19% of ANZ respondents faced difficulties in conveying the importance of particular security measures to non-technical executives. Meanwhile, only half of respondents agreed that non-security executives understand the company’s regulatory obligations. This communication barrier can result in misunderstandings regarding the value of investments in cybersecurity, potentially impacting the organisation’s readiness and response capabilities.

Budgets are increasing, yet metrics to measure impact are lacking

As businesses strive to protect themselves from evolving threats, their investments in cybersecurity are mirroring this effort. 64% of ANZ respondents have noted an increase in their company’s cybersecurity budget in response to the changing threat landscape, lower than the global average of 76%. Furthermore, 75% expressed confidence in having the necessary resources — such as tools, personnel, expertise and budget — to safeguard their company from cyber attacks.

When assessing the impact of these investments, security teams that experienced challenges in explaining the need for a specific security solution to non-security stakeholders often fail to report on key operational metrics that determine the measurable impact of security investments and strategy adjustments. To this end, security reports mostly focused on critical data like breaches (69%), incidents (62%) and time to respond (56%). Other security operational metrics, such as time to detect (49%) and time to recover (23%) are featured less significantly in these reports.

Moreover, the majority of security teams are still relying on manual and time-intensive approaches to share security status information, including static reports (75%), meetings (84%) and emails (62%). This highlights a concern, given that to maintain effective communication, security teams need to be armed with improved case management metrics and advanced analytics to make informed decisions quickly.

“The current threat environment in Australia and New Zealand demands an enterprise-wide approach with C-suite executives working closely with cybersecurity professionals to calibrate the risks and make well-informed, strategic decisions, while allocating the necessary financial and technical resources to protect the organisation, its employees and customers,” said Matthew Lowe, ANZ Country Manager, LogRhythm. “This latest research reflects the ambitions of local enterprises to keep ahead of the threat actors’ pace while continuing to advance their digitisation efforts by ramping up their cybersecurity investments. However, the data also shows that business leaders face challenges in being able to measure and communicate the value and impact of cybersecurity investments, despite increasing budgets.

“Moving into the second half of the year, we encourage business leaders to enhance collaboration opportunities between security and non-security teams, and foster a shared learning of each team’s requirements and responsibilities to streamline and enhance overall operational efficiency across different departments. Greater investments in cybersecurity solutions can also be complemented by employing more automation technologies for everyday business activities such as reporting, which will free up valuable time to focus on higher-value work and result in more benefit to the enterprise overall.

Image credit: iStock.com/guvendemir