Australian CEOs are overoptimistic about cybersecurity, out of touch on privacy

Only 6% of surveyed CEOs think their organisation has suffered a data breach in the last year, but 63% of their CISOs say they have, according to Unisys research. Big disconnect.
Written by Stilgherrian, Contributor

Australian bosses have far more confidence in the cybersecurity of their organisations than their own cyberdefenders do, according to newly released research from Unisys.

"What the study found is pretty much a disconnect and lack of communication between the two very important roles of chief information security officer (CISO) and chief executive officer (CEO)," said Gergana Kiryakova, industry director for cyber security at Unisys Australia and New Zealand.

"We were expecting some sort of a disconnect, but we were definitely not expecting such a big disconnect," she told journalists in Sydney on Tuesday.

The report, Cybersecurity Standoff Australia [PDF], describes CEOs as "overconfident and out of the loop".

While 63% of surveyed CISOs said their organisation had suffered a data breach over the last 12 months, only 6% of the CEOs thought so.

Only 26% of CISOs said they could respond to cyber threats in real time, but 44% of CEOs thought that was possible. And while only 26% of CISOs thought their data collection policies were clear to consumers or citizens, 51% of CEOs thought they were.

While 69% of CISOs said that cybersecurity was part of their business plans, only 27% of CEOs thought so.

"How is it that they do actually not speak with each other? There is definitely a lack of communication between the two," Kiryakova said.

"The definition of 'cybersecurity' [and] 'data breach' probably [are] not the same for the two roles ... For a CISO, the metadata might represent a data breach, where for the CEO the metadata might not," she said.

In that context, in 2017 the Australian government started work on a "cyber lexicon" to help it engage better in discussions of cybersecurity issues.

A two-hour roundtable at the Department of Prime Minister and Cabinet (PM&C) in Canberra tried to agree on definitions of "cyber attack" and how to count them, as well as "hack", "cyber terrorism" versus "cyber warfare" and "cyberwar", and so on.


That work seems to have sunk without trace, although the Australian Cyber Security Centre published Cyber Security Terminology, a glossary of words and abbreviations, earlier this month.

The Unisys research also showed a "clear disconnect" in awareness of what data is being collected and of privacy issues more generally.

Some 68% of the CEOs said over the last 10 years there had been no change in the volume or type of data collected by their organisation. Only 19% of CISOs agreed.

Only 11% of CEOs thought they collected customer or citizen financial data, whereas 57% of CISOs thought they did.

CEOs were twice as likely as CISOs to say their organisation adheres to the Australian Privacy Principles (APPs), although even that figure is low: 14% of CEOs thought they were compliant, against only 7% of CISOs.

"This is very low compared to what I would expect the CEO percentage to be in Australia," Kiryakova said.

More broadly, one-third of the surveyed CEOs still believe that cybersecurity is an IT issue (14%) or a compliance issue (18%).

Unisys surveyed 88 CEOs and 54 CISOs in September, from a mix of public and private sector organisations. For those organisations without a dedicated CISO, the employee with overall responsibility for cybersecurity was surveyed.

Small and medium enterprises (SMEs) comprised 90% of these organisations, matching their proportion in the Australian economy, using the Australian Bureau of Statistics (ABS) definition of an organisation with fewer than 200 employees.
