Four in ten ANZ firms lose deals over cybersecurity doubts

A recent survey by cybersecurity firm LogRhythm has uncovered significant concerns among businesses in Australia and New Zealand regarding their cybersecurity strategies. Four in ten companies in these regions have lost deals in the past 18 months due to customers' lack of confidence in their cybersecurity measures. Despite 81 percent of security executives rating their cybersecurity defences as good or excellent, the study reveals a considerable disconnect between internal perceptions and customer confidence.

The report, titled "2024 State of the Security Team: Navigating Constant Change," surveyed 1,176 cybersecurity professionals and executives globally, including a sizable sample from the Asia-Pacific region, which encompasses Singapore, Malaysia, Indonesia, Japan, India, Australia and New Zealand. The findings show that over three-quarters of companies in Australia and New Zealand have had to adjust their cybersecurity strategies in response to these confidence issues.

This strategy shift is driven by a dynamic threat landscape. Seventy-six percent of respondents in Australia and New Zealand reported changing their company’s security strategy within the last year. Notably, 67 percent stated that the introduction of artificial intelligence for threat management and new security solutions was a primary driver for this change. Other key factors included new attack types (60 percent), changing regulations or compliance requirements (58 percent), and alterations in budget (35 percent).

Another significant finding from the survey is the growing expectation for senior leaders to take responsibility for cybersecurity breaches. About 49 percent of respondents believe that cybersecurity leaders and chief executive officers should be held accountable for protecting against and responding to cyber incidents. This stance indicates a shift in recognising cybersecurity as a crucial component of business strategy and corporate governance, rather than merely a technical issue.

Despite the high expectations placed on executives, a communication gap persists between security teams and non-security executives. Although 75 percent of ANZ cybersecurity teams feel adequately equipped to communicate the current security status to key stakeholders, 19 percent still face difficulties in conveying the importance of certain security measures to non-technical executives. Interestingly, only half of the respondents agreed that non-security executives understand the company's regulatory obligations, which can lead to misunderstandings about the value of cybersecurity investments.

The survey also highlights a disparity in the allocation and communication of resources. While 64 percent of ANZ respondents reported an increase in their cybersecurity budget due to the evolving threat landscape, this figure is lower than the global average of 76 percent. Nevertheless, 75 percent expressed confidence in having the necessary tools, personnel, expertise, and budget to defend their organisations against cyberattacks.

Communication barriers further extend to the reporting of cybersecurity metrics. Most security reports focus on critical data such as breaches (69 percent), incidents (62 percent), and time to respond (56 percent), with less emphasis on other operational metrics like time to detect (49 percent) and time to recover (23 percent). Additionally, security teams continue to rely on manual and time-consuming methods for sharing security status information, including static reports (75 percent), meetings (84 percent), and emails (62 percent).

Matthew Lowe, ANZ Country Manager for LogRhythm, emphasised the need for an enterprise-wide approach to cybersecurity, with C-suite executives working closely with cybersecurity professionals to make informed, strategic decisions while allocating the necessary resources. He also pointed out the importance of enhancing collaboration between security and non-security teams, fostering a shared understanding of each team’s requirements, and utilising automation technologies to optimise reporting processes.