Areas receiving increased investment include cloud security and automation technologies to combat complexity and to simplify and speed up response times in security ecosystems, improve visibility into networks, and support collaboration between networking, endpoint and security teams.
That complexity can be seen in the finding that 90% of Australian organisations use between one and 20 security vendors. The remaining 10% use more than 20 vendors.
Keeping up to date with security patches is still an issue, despite being a concern for more than a decade.
59% of Australian respondents reported incidents caused by unpatched vulnerabilities. That compares unfavourably with the global average (46%), and even more poorly with the US (40%) and European (36%) experience.
JLL CISO for Asia Pacific Mark Smink said the industry needs a better way of notifying customers that patches are available, and also to make the patching process more seamless. The need to avoid downtime and incompatibilities are barriers to prompt patching, he said.
The University of Queensland deputy director of information technology services David Stockdale suggested that IT's traditional "availability mindset" is changing, and there is a growing realisation that the security of services is also important. A culture change is underway, allowing availability and security to be considered together.
More Australian respondents reported "cyber fatigue" (58%) than other countries and regions such as the US (37%) and EMEAR (38%).
One way to avoid this is to take the user's perspective into account, Stockdale suggested. For example, Cisco's Duo access security product has been readily accepted by users, he said.
Automation is seen as a way to address security issues, but it is not clear whether Australia is a leader or a laggard.
74% of Australian respondents plan to increase security automation, compared to 82% in APJC as a whole, and 93% in India and 91% in China. Cisco did not indicate the current levels of automation in different countries, so it is possible that more local organisations are already putting automation to work.
Automation is a necessary part of responding to the security challenge, said Stockdale, as it handles many routine tasks, freeing staff to deal with the more difficult aspects.
But there is an expectation that vendors will deliver automation and integration, Smink said, rather than leaving it to each organisation.
Australia is a laggard when it comes to the adoption of multi-factor authentication (MFA), an area led by the US, China, Italy, India, Germany and the UK.
That said, The University of Queensland has applied MFA to all services, including VPNs, Stockdale observed. "We need to understand a lot more about the person" in order to determine the resources they should be able to access.
Among the good news: 86% of Australian respondents reported high levels of collaboration between their security and network teams.
"As organisations are faced with accelerating digital transformation due to unprecedented external factors, the need for agile security, simplification and automation is now a necessity," said Cisco ANZ director of cyber security Steve Moros.
"CISOs have been adopting disparate security technologies to reduce exposure against malicious actors and threats which has created substantial complexity and operational challenges in managing their security environment. The question is, have cyber investments helped organisations decrease the time it takes to detect and remediate?"
He added: "Today's IT setups and accelerated digitisation mean that companies can no longer get by with siloed security solutions pieced together over time. In the current environment, what organisations need is a simplified and systemic approach to security in which solutions can act as a team, learn, listen and respond as a coordinated unit.
"Taking a platform approach, such as Cisco's SecureX, can help simplify an organisation's approach to cybersecurity. SecureX delivers unified visibility across users' entire security infrastructure, including network, endpoints, cloud, and applications, to help accelerate threat response and realise desired outcomes in today's fast-changing world."
Moros mentioned the usual "people, process, technology" mantra, but Stockdale suggested it should be "people, people, people, then process."
"Security is everyone's responsibility," he explained.
The report follows a survey of 2,800 security professionals from 13 countries.