Australian and Aotearoa New Zealand organizations know they’re rapidly hurtling towards a security precipice and are willing to invest to try to save themselves from tipping over. New research from Gartner shows that security is becoming one of the most lucrative areas of IT in both countries.
There’s a lot to grapple with, from AI to rapid shifts in regulation, and Australian organizations need to do it while skills are in short supply. This “perfect storm” may well mean that despite the willingness to invest, Australian and New Zealand organizations might still struggle to cope with the evolving threat landscape.
Jump to:
IT security market in Australia and New Zealand
According to Gartner, security spending in Australia is projected to grow by 11.5% to a total of AU $7.74 billion (US $4.95 billion) in 2024 (Figure A). In New Zealand, the increase is slightly lower, at 11%, but that will bring New Zealand close to just shy of NZ $1 billion (US $600 million) for the first time.
Figure A
For both countries, this is slightly less than the growth in global spending, which is forecast to increase by 14.3%, but it’s also greater than the projected overall increase in spending within the country, with Garter forecasting growth of 7.8% in 2024.
The four factors driving global security spending
This commitment to security is coming at the expense of other business priorities, at a time where organizations are looking for ways to limit spending. A survey of CEOs found that recruitment and growth are slipping as business priorities, even while cybersecurity solidifies as a core objective. According to Gartner, cloud spending is being driven by four particular trends.
Ongoing move towards cloud services
More companies are moving their data and applications to the cloud, including more critical applications and datasets. This is leading to a new suite of security challenges that require additional resources to address.
At the least, organizations now need to invest in cloud-specific security solutions, such as cloud access security brokers software and cloud workload protection platforms and ensure they have the technical expertise to properly implement and manage policy.
SEE: Take advantage of this cloud data storage policy from TechRepublic Premium.
Another factor that catches many out is the need for 24/7 security in the cloud. Many organizations look to the cloud for productivity benefits, but that also means they’ll need to enhance their security operations center team and ensure they’re able to respond to alerts and other flag triggers at all times of day.
Continuous hybrid workforce
While there is a push to get people back into an office together, remote work itself isn’t going away. Most expectations are now that people will have hybrid work experiences, where they’ll spend some time in an office and other times work remotely.
This means that the security risks decentralized IT environments face are now permanent. To address these challenges, businesses need to invest in improving solutions around endpoint detection and response and managed detection and response.
They also need to invest in zero-trust security solutions, as perimeter-based security will no longer be enough. The problem with zero trust is that, if it’s managed poorly, the user experience becomes so compromised it starts to impact everything from productivity to staff morale, so some level of investment needs to be put into getting zero trust right.
Rapid emergence and use of generative AI
While generative AI has many benefits, it also poses significant security risks, and as the newest of the trends, this one is going to cause organizations headaches they haven’t conceived yet in the years to come.
SEE: Discover how Australian enterprises are staying ahead of the risks of generative AI.
What we’ve already seen is that cyber criminals use generative AI to create fake images or videos for phishing attacks or other malicious purposes. Moreover, criminals are using AI to improve the quality of their code and work faster. With the support of AI, the flood of attacks that are coming in — one victim every 37 seconds — is going to escalate dramatically.
AI is also the solution to the problem, with algorithms able to detect and isolate suspicious activity in real time, but AI has a steep learning curve many organizations aren’t ready to embrace in full.
Evolving regulatory environment
There’s a rapidly shifting regulatory environment, particularly in Australia, that’s going to drive a lot of investment in security solutions. Australia’s newest announcement, a “six cyber shields” approach to cybersecurity, is going to require some substantial investment in the private sector to keep pace.
The six cyber shields approach is the latest step as the government continues to take strides across its broader three areas of action: setting clear cybersecurity expectations, increasing transparency and disclosure and protecting consumer rights. It’s also still considering greater use of cybersecurity standards for corporate governance, personal information and smart devices and actively seeking consultation from the private sector.
The sum of all of this is that Australian organizations need to prepare for what is likely to be many more far-reaching shifts in cyber regulation in the years ahead.
But will the security spending be enough?
If the investment that organizations are putting into cybersecurity is focused on developing and implementing innovative solutions to scaling problems, then it may well be enough. If, however, it’s an effort to play “catch up,” then organizations are likely to experience escalating pain, as the threat landscape rapidly moves beyond the current scope.
As associate professor in the School of Engineering at RMIT University, Mark Gregory noted in a column at InnovationAus, Australian businesses and industry continue to “lag international best practice.”
Australia also has a skills shortage that is reaching catastrophic levels, and so, as Gregory writes, the next wave of cyber crime is going to be “devastating.”
The reality is that, as a society, we’re just not ready for an era where AI can perfectly clone people’s voices, making it easy to scam businesses into thinking they’re talking to a victim, rather than the criminal. Organizations continue to assume that two-factor authentication, dates of birth and mother’s maiden names are enough to protect their customers.
And as we saw from the Optus, Medibank Private and Latitude data breaches, the Australian government is rapidly running out of patience for organizations that make it too easy for criminals to access customer data.
Australian organizations are taking this seriously, and the double-digit increase in spending on security demonstrates that. The fact that the bulk of the spending will go to “services” also shows that organizations realize they need expertise on this.
The missing piece is the innovation. As cyber criminals become more creative and dynamic in their approach, so too will the cybersecurity defences. Cybersecurity professionals are going to be challenged to think outside of the box in a way that they’ve never been challenged to in the past, in what has been traditionally seen as a rigid side of IT.