SYDNEY, October 8, 2024 – Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global cybersecurity leader, today published research revealing that global organisations lack sufficient resources and leadership buy-in to measure and mitigate risk across their digital attack surface.

To read the full report, please visit: https://www.trendmicro.com/explore/amea-thecisocredibilitygap/2774-v1-en-rpt

Srujan Talakokkula, Managing Director, ANZ Commercial at Trend Micro: “This study reveals Australia has a lack of clear leadership on cybersecurity, which can have a paralysing effect on an organisation—leading to reactive, piecemeal and erratic decision making. One of the most concerning aspects is the lack of accountability from business leadership, and a lot of that comes down to collaboration and communication across the business. Companies need CISOs to clearly communicate in terms of business risk to engage their boards. Ideally, they should have a single source of truth across the attack surface from which to share updates with the board, continually monitor risk, and automatically remediate issues for enhanced cyber-resilience.”

Trend polled 100 Australian IT leaders responsible for cybersecurity in small, medium and large organisations to better understand their attitudes toward attack surface risk management (ASRM).

The top three gaps in cyber-resilience revealed by Australian respondents were:

• Sufficient staffing for 24x7x365 cybersecurity coverage – which just 37% have
• Attack surface management techniques to measure the risk of the attack surface (used by 37%)
• Using proven regulatory and other frameworks like the NIST Cybersecurity Framework (only 38%)

The failure of a majority of global companies to achieve these cybersecurity basics could be traced back to a lack of leadership and accountability at the top of the organisation. 37% of respondents claimed that their leadership doesn’t consider cybersecurity to be their responsibility.

When asked who does or should hold responsibility for mitigating business risk, respondents returned a variety of answers, indicating a lack of clarity on reporting lines. Nearly a third (32%) said the buck stops with organisational IT teams.

This lack of clear direction on cybersecurity strategy may be why half (47%) of global respondents complained that their organisation’s attitude to cyber risk is inconsistent and varies from month to month.

The leadership required to remediate these issues is not present in many organisations. Nearly all (94%) of those surveyed have concerns about their attack surface. One third (33%) are worried about having a way of discovering, assessing and mitigating high-risk areas, and nearly a quarter (22%) aren’t able to work from a single source of truth.