Uncertainty in Supplier Cybersecurity Strategies Undercuts Deals – Report

New LogRhythm research suggests that 81% of security executives in Australia and New Zealand view their cybersecurity defence positively. However, four in ten companies have lost deals due to customers’ lack of confidence in their strategy in the last 18 months.
LogRhythm’s report, 2024 State of the Security Team: Navigating Constant Change Research Report, released this week, explores the insights of security professionals around external factors affecting security strategy, alongside reporting capabilities and overall security communication effectiveness within the business. The study relied on findings from 1,176 cybersecurity professionals and executives globally, including Singapore, Malaysia, Indonesia, Japan, India, Australia, and New Zealand.
While most security executives in Australia and New Zealand (ANZ) rated their cybersecurity defence as good or excellent, 40% faced customer confidence issues, prompting over three in every four companies to adjust their cybersecurity strategy. Of companies that have lost deals due to customer confidence issues, 71% indicated that it happened in the last 18 months. This highlights a disconnect between security executives and their customers on the effectiveness of their cybersecurity defence, suggesting gaps in meeting customer expectations for data protection.
In response to the dynamic threat landscape, 76% of ANZ respondents highlighted that they have changed their company security strategy in the last 12 months. The use of AI for threat management and new security solutions was cited as the primary driver for change in Australia and New Zealand by 67% of respondents. Indonesia led this trend at 86%, the highest in the Asia-Pacific region. Other reasons include changing regulations or compliance requirements (58%), new attack types (60%), and budget changes (35%).
The study also uncovered a rise in expectations that senior leaders be accountable for security breaches, with 49% stating that cybersecurity leaders and CEOs should ultimately be responsible for protecting against and responding to cyber incidents. The findings support the widespread view that cybersecurity is now recognised as an integral component of business strategy and corporate governance, shifting away from its previous perception as a purely technical concern.
However, while executives are now expected to have greater responsibility over cybersecurity breaches, there remains a gap in communication between security teams and non-security executives. This disparity exists despite 75% of ANZ cybersecurity teams indicating that they possess the right tools to easily communicate the current security status to key stakeholders across teams.
Specifically, 19% of ANZ respondents said they faced difficulties in conveying the importance of particular security measures to non-technical executives. Meanwhile, only half of respondents agreed that non-security executives understand the company’s regulatory obligations. This communication barrier can result in misunderstandings regarding the value of investments in cybersecurity, potentially impacting the organisation’s readiness and response capabilities.
As businesses move to protect themselves from evolving threats, their investments in cybersecurity are mirroring this effort. 64% of ANZ respondents have noted an increase in their company’s cybersecurity budget in response to the changing threat landscape, lower than the global average of 76%. Furthermore, 75% expressed confidence in having the necessary resources, such as tools, personnel, expertise, and budget, to safeguard their company from cyberattacks.
When assessing the impact of these investments, security teams that experienced challenges in explaining the need for a specific security solution to non-security stakeholders often fail to report on key operational metrics that determine the measurable impact of security investments and strategy adjustments. Security reports mostly focused on critical data like breaches (69%), incidents (62%), and time to respond (56%). Other security operational metrics, such as time to detect (49%) and time to recover (23%), feature less prominently in these reports.
Moreover, the majority of security teams still rely on manual and time-intensive approaches to share security status information, including static reports (75%), meetings (84%), and emails (62%). This is a concern: to maintain effective communication, security teams need improved case management metrics and advanced analytics so they can make informed decisions quickly.
“The current threat environment in Australia and New Zealand demands an enterprise-wide approach with C-suite executives working closely with cybersecurity professionals to calibrate the risks and make well-informed, strategic decisions while allocating the necessary financial and technical resources to protect the organisation, its employees and customers,” said LogRhythm’s ANZ Country Manager Matthew Lowe.
“This latest research reflects the ambitions of local enterprises to keep ahead of the threat actors’ pace while continuing to advance their digitisation efforts by ramping up their cybersecurity investments. However, the data also shows that business leaders face challenges in measuring and communicating the value and impact of cybersecurity investments, despite increasing budgets.”
“Moving into the second half of the year, we encourage business leaders to enhance collaboration opportunities between security and non-security teams and foster a shared learning of each team’s requirements and responsibilities to streamline and enhance overall operational efficiency across different departments. Greater investments in cybersecurity solutions can also be complemented by employing more automation technologies for everyday business activities such as reporting, which will free up valuable time to focus on higher-value work and result in more benefit to the enterprise overall.”