Australian companies may be increasing their spend on cyber security but four out of five executives doubt they can keep throwing money at the problem indefinitely, according to an Accenture survey that confirmed “investing well” in cyber security delivers better financial and operational outcomes.

Fully 55 per cent of the more than 4,400 large-company executives, surveyed for Accenture’s recent State of Cyber security Resilience report, believe they are not effectively stopping cyber security attacks; finding and fixing breaches quickly; or reducing the impact of breaches – all of which are key reasons for increasing cyber security spend.

The highest-performing chief information security officers (CISOs) – dubbed ‘Cyber Champions’ – had all worked to build and maintain close relationships with the CEO, CFO, and board of directors, the report found, noting that “this proximity resulted in increased trust, autonomy, and the ability to tap into these relationships when defining the broader security strategy and ensuring alignment within the business.”

Cyber Champions, Accenture found, demonstrated several common best practices that suggested they “viewed cyber security in a fundamentally different way than those who reported diminished effectiveness and value from their cyber initiatives.”

The difference, noted Accenture APAC cyber defence lead Mark Sayer, is that the most successful companies view cyber attacks not as a risk, but an ongoing threat to their operations.

“They adopt a holistic approach to cyber security,” he said, “and all business operations, from head office to the supply chain, are aligned to support an active and vigilant approach to threat prevention.”

By staying on a more proactive footing, Accenture found, companies were able to reduce the cost of successful cyber attacks significantly.

Cyber Champions reported a cost per cyber attack that was 48 per cent lower – equivalent to $294,000 – than the next best-performing group in the survey, and 65 per cent lower than the third best-performing cohort.

When is enough cyber security, too much?

For all the potential benefits of an adaptive cyber security strategy, many respondents indicated that pouring ever larger amounts of money into cyber was becoming problematic.

Despite increased spending, the number of attempted breaches increased by 31 per cent over the previous year – to 270 per company, on average – fuelling concerns that it is simply not possible to outspend determined cybercriminals.

Fully 81 per cent of the Accenture survey respondents agreed that “staying ahead of attackers” is a constant battle and that the cost is becoming “unsustainable” – up from 69 per cent in the previous year’s survey.

Executives are starting to push back, according to a recent survey of 207 Australian IT decision makers – part of a global study by Sapio Research for security firm Trend Micro – in which 89 per cent said their businesses would be willing to compromise cyber security and allocate funding to digital transformation projects instead.

Recognising that their superiors were becoming increasingly concerned about what they see as excessive cyber security spending, fully 87 per cent had felt pressured to downplay the severity of cyber risks to their boards.

“Australian IT leaders are self-censoring in front of their boards for fear or appearing repetitive or too negative," Trend Micro ANZ vice president Ashley Watkins said in releasing the results, “but this will only perpetuate a vicious cycle where the C-suite remains ignorant of its true risk exposure.”

“We need to talk about risk in a way that frames cyber security as a fundamental driver of business growth – helping to bring together IT and business leaders who are both fighting for the same cause.”

Only 47 per cent of IT leaders believe their C-suite completely understands cyber security risks, Trend Micro found, with 28 per cent blaming executives for not trying hard enough and 19 per cent saying executives just don’t want to understand.

Accenture Security global lead Kelly Bissell agreed, noting that company’s analysis suggested that “organisations too often focus solely on business outcomes at the expense of cyber security, creating greater risk.

“While getting the right balance isn’t easy,” he said, “those who have a clear view of the threat landscape, and a strong alignment on business priorities and outcomes, achieve greater levels of cyber resilience.”