Gap remains between cybersecurity operations and board focus

8th July 2016 By: Schalk Burger - Creamer Media Senior Deputy Editor

Cybersecurity strategies should be one of the key corporate initiatives, owing to the operational and reputational damage that could occur if they are not in place, says virtual systems company VMware regional director Matthew Kibby.

Although such strategies should garner sufficient support from all board members, this is not always the case, he adds.

The VMware global survey, conducted in January and February among 11 000 senior executives, analysed the differing perceptions of executives responsible for cybersecurity and those who are not.

“The results revealed an interesting disconnection between the corporate leaders and their differing perceptions of danger and threats, when compared with budget priorities,” he highlights.

About 30% of the senior executives surveyed believe that their firm could be attacked within nine days, while only 12% of CEs believe this to be the case.

Meanwhile, information technology (IT) research company Worldwide Worx surveyed 103 local IT decision-makers in companies that have more than 500 employees.

Worldwide Worx CEO Arthur Goldstuck notes that one out of ten respondents in South Africa feels that his or her company is very vulnerable to cyberattacks, not because the company’s defences are weak but because they are major targets.

“About 49% of IT decision-makers in South African organisations believe that their organisations are vulnerable to cyberattacks.”

The local survey compared companies’ business priorities with their IT and security priorities and found that protecting the business is as important as growing the business.

“This highlights the need to close the gap between cybersecurity teams and those not involved in cybersecurity,” he notes.

About 2% of large organisations in South Africa will never realise that they have been the victim of a cyberattack and about 20% have compromised abilities to detect attacks, identifying attacks only within 12 to 24 hours or more.

However, the survey also highlights that 79% of corporations will typically detect cyberattacks within an hour, which is on a par with the expectations of effective cybersecurity. This indicates that large South African organisations are generally well defended and vigilant.

“Despite the disconnection between the perceptions of cybersecurity executives and noncybersecurity executives, cyber-protection in most large organisations is fairly robust. What is needed is a shift from the ad hoc approach to a more consistent focus and funding.”

This might already be the case in several large organisations, but is not yet common among large organisations in South Africa. The survey found that 16% to 18% of companies are decreasing cybersecurity funding, which typically indicates lower board-level priority. However, these decreases might be a result of more cost-effective solutions and, therefore, in line with decreases in other formal operational budget items.

However, the survey does indicate some specific areas of disconnection between board oversight and operational requirements. It finds that cybersecurity IT decision-makers identified outdated software and systems as vulnerable, but lacked the budget to renew these systems.

“The gap between the acknowledged importance of cybersecurity and the budgetary support for it must be reduced and closed to enable cybersecurity executives to perform their business-critical functions as effectively as other executives in the organisation,” concludes Goldstuck.