BAE Systems research reveals a disconnect between the Australian C-Suite and IT department in defending against cyber attacks


IT decision makers and business leaders think the other is responsible in the event of a cyber attack
C-Suite and IT decision makers don’t believe their company has all the skills necessary to deal with a cyber-attack
More than half of Australian respondents see cyber defence as the biggest threat to their business

New research by cyber defence experts, BAE Systems, reveals a surprising disconnect between Australian boardroom executives and IT Decision Makers (ITDMs) in tackling cyber threats, with boardrooms and IT leaders pointing the finger at each other when it comes to taking responsibility for a successful attack.

The research found that over half of the C-Suite says their IT teams and staff more broadly are responsible in the event of a breach, whereas over two thirds of ITDMs think senior management and leaders should shoulder the blame.

The majority of Australian C-Suites and ITDMs are united in their pessimism when it comes to the likelihood of a cyber-attack on their organisation, and yet only half plan to increase time and resources spent on cyber security in the coming year.

Alex Taverner, Asia-Pacific head of commercial cyber services at BAE Systems, said:

“Our findings make it clear that boardrooms and IT teams recognise the risks, but also highlights the disparity of opinion between both groups when it comes to these threats and provides an opportunity for malicious actors to exploit.

“With the threats constantly evolving, successful cyber-attacks regularly making headline news, and a growing compliance burden such as the new data breach notification laws, organisations need to ensure the boardroom and IT teams are working in unison to narrow gaps in understanding, intelligence and responsibility to build a robust defence.”

Key findings from BAE Systems research include:

  1. Australian business decision makers are the most pessimistic globally, with 73 per cent of C-Suites and 77 per cent of ITDMs thinking a serious attack on their organisations was only a matter of time. This compares to 57 per cent of C-Suites globally.
  2. The Australian C-Suite are the most confident globally that their business is well-equipped to prevent an attack, at 97 per cent, versus 84 per cent globally.
  3. Yet 57 per cent of C-Suite executives view cyber security as the most significant challenge their business is facing, 73 per cent believe they’ll be attacked in the next year and over three quarters aren’t confident they have all the necessary skills in place to deal with a successful attack.
  4. Australia is the only market where C-Suites estimate the cost of a serious, successful cyber-attack to be higher than ITDMs – at AUD $35.63 million, revealing a stark difference in their perception of the potential financial impact. So while ITDMs feel less well-equipped to prevent an attack than their leaders, they are also perhaps not looking at the potential cost of the breach from a whole-of-business point of view, including reputational damage, loss of customers and customer trust, and potential legal ramifications.
  5. More than three times as many C-Suite executives as ITDMs think that human error will enable a cyber attack (83 per cent versus 24 per cent), demonstrating Australian C-Suite respondents have far less faith in their people than the IT team. More ITDMs think an attack would likely be through attackers breaching their network from outside (39 per cent).

Michael Shepherd, BAE Systems Applied Intelligence ANZ Regional Managing Director, said:

“Businesses are concerned about the cyber skills shortage, so it comes as no surprise that Australian respondents weren’t at all confident in their ability to deal with a cyber attack.

“Under a quarter of Australian C-Suite executives believe they have all the skills necessary to deal with an attack and perhaps most alarmingly, only seven per cent of IT decision makers, those closer to the coal face, think this is the case.

“Leaders are looking for skills in threat detection, incident response and risk management; this is very informative for legislators and policy-makers, and industry in general, as we continue to develop a roadmap for future cyber capability and capacity building.”

The full report can be found at: