Australia’s mid market employs nearly a quarter of all Australians and is responsible for almost 40 percent of Australia’s business revenue. Their size means they can be nimble and agile and, in many cases, more easily innovate their products, systems and processes.

But as cyber security becomes a more prevalent problem, many mid market, private and family businesses1 are being left exposed and vulnerable to attacks. It comes down to a missing skill set – the Chief Information Security Officer (CISO). A CISO is an executive responsible for protecting a company’s intellectual property, proprietary data, and information assets. They are primarily focused on implementing and overseeing its cyber security program.

Finding someone to fill this role is a struggle for several reasons. The shortage of job-ready, let alone experienced cyber security workers is well documented, with Australia needing nearly 17,000 more qualified people by 2026[1] and insufficient growth to meet the medium-term shortfall.

This means the cyber security workforce can command a premium salary. In addition, a CISO usually requires a sizeable budget to implement programs of work, making them out of reach for businesses that lack the resources to attract and retain someone at this level.

CIO vs CISO – different roles with opposing objectives

It’s not uncommon for a mid market organisation to be without a CISO. Some employ a Chief Information Office (CIO) and may believe they can fix the security gap by incorporating security responsibilities within that role. But this can actually reduce the cyber maturity of an organisation.

A CIO’s objective is to enable the organisation to achieve progress through technological adoption. They focus on opportunities created by commercial models or digital transformation. They enlist service providers and vendors and provide leadership around information assets.

In comparison, a CISO’s objective is to secure the organisation's assets. They focus on risk, governance and compliance, aligning the cyber security strategy with the business strategy and providing strategic and operational leadership on cyber security.

Some organisations get creative, but in our experience, we have seen this lead to different problems:

  • Hiring a CISO who lacks the required skills because the organisation cannot easily vet candidates’ experience.
  • Employing one person to manage cyber security, resulting in a single point of failure.
  • Outsourcing specific areas to IT service providers who are not cyber specialists –leaving gaps in their security.
  • The business has no grasp of the risks or someone to drive security as a priority.
  • It is very difficult to find all the necessary cyber security skills in one or two employees, as it is a broad and complex area.

The cyber security ecosystem

Today’s mid market businesses play in a cyber ecosystem they’re not set up for. As digitisation and connection grow, so does the threat landscape. Additionally, new legislation and regulations bring a compliance burden not seen before.

For example, businesses that provide third-party services to, or are part of a critical infrastructure asset’s supply chain, may still need to engage with SOCI reforms. Most SMEs have limited capability to understand and ensure adherence to these and other frameworks such as Essential8, NIST, or ISO 27K, leaving them open to potential fines and penalties from regulators.

If the last few years have taught us anything, it’s that there is a lot more at risk than simply data and financial losses. Reputational damage, operational disruption and the physical health and safety of society are all very real possibilities.

Collaboration is key

KPMG’s Cyber trust insights 2022 survey showed almost half of the respondents believe collaboration on cyber security across the broader ecosystem can help organisations anticipate and recover from attacks. Over a third felt these partnerships provided better alignment and response to changing regulatory requirements and gave them access to the skills needed to meet new requirements.

Virtual CISO filling the gap for SMEs

One way to address the issues small-to-medium enterprises face is by engaging a virtual CISO. KPMG’s virtual CISO offering allows businesses to access a team of three to four specialists with expertise across all cyber security aspects, from governance, risk and compliance, to operational technology, architecture and cloud. Organisations can gain valuable resources and experience that are right-sized and flexible without hiring any FTEs.

A virtual CISO solution provides the support and guidance needed to increase cyber posture and advance cyber maturity. Partnering in the short, medium or long term will improve an organisation’s ability to identify, respond to, and recover from attacks and embed cyber security across the business. Plus, it supports auditor responses, articulating risk at an executive level and enabling leaders to make data-driven decisions.