Skills shortage grips NZ critical organisations

By Dylan Bushell-Embling
Thursday, 01 November, 2018

More than half of New Zealand’s nationally significant organisations have a shortage of skilled security staff, and only 63% have a dedicated cybersecurity incident response plan.

These are among the findings of New Zealand’s Government Communications Cybersecurity Bureau’s first benchmark assessment (PDF) of the cyber resilience of 250 such organisations.

The report found that while 73% of organisations have increased their spending on cybersecurity, there has been a focus on tools and vulnerability assessment at the expense of hiring more people.

The assessment shows that only 45% of the organisations surveyed have invested in hiring more security staff in the past 12 months, while 54% have invested in IT staff training. By contrast, 70% have invested in new security tools, 61% in vulnerability assessments and 55% in security audits.

As a result, 52% of organisations report having insufficient skilled staff for their security requirements.

In addition, only 38% of organisations surveyed had some form of separation between their cybersecurity and general IT budgets, leaving cybersecurity budgets at risk of being cannibalised for non-security-related IT projects.

This lack of separation also extends to roles, with only 38% of organisations reporting having full-time IT security staff, and only 19% of organisations having a dedicated chief information security officer.

The increased spending on cybersecurity has also not necessarily translated to increased confidence in cybersecurity resilience. The assessment found that 41% of the nationally significant organisations are only mildly confident or not confident in their ability to detect an intrusion.

The report also shows that only 63% of the organisations have a dedicated cybersecurity incident response plan, and of these, 33% have not tested it in the past year.

“The survey is the first of its kind in New Zealand and provides a useful benchmark for cybersecurity resilience across New Zealand’s nationally significant organisations,” GCSB Director-General Andrew Hampton said.

“Overall it appears that digital transformation is outpacing investment in cybersecurity and as a result we found a range of resilience levels. While most organisations are heading in the right direction, more work needs to be done to improve cyber resilience across the board.

Meanwhile, the GCSB has updated the New Zealand Information Security Manual (NZISM) for government departments to include new controls and a section on power filters, as well as clarification around waivers and exceptions to the manual’s requirements.

Image credit: ©stock.adobe.com/au/robsonphoto

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.