Cybersecurity is just another form of risk to manage at a business and government agency level. And cyber awareness is growing.
But cyber maturity levels within companies and agencies, including spending on security products and services, vary significantly between agencies, companies and countries. Getting the most from your cybersecurity spending and strategy requires asking some key questions.
“There are three phases of cybersecurity maturity among government agencies and businesses,” said John Ellis, chief strategist of cybersecurity for Akamai, a global leader in content delivery and internet network services. “There’s the ‘panic scramble’, the ‘pit of despair’ and then there’s the approach that adopts a security framework as a core enabler.”
Ellis’ customer scope centres on Asia-Pacific and Japan. He was in Australia recently to address a gathering of Australian government agency leaders at a private breakfast meeting in Canberra (his full presentation can be viewed above).
With the recent cyber attack on the Bureau of Meteorology, many agency leaders should be asking which phase best describes their current cybersecurity status. The BoM hit, attributed to Chinese attackers, was a jolt to a sector that, until now, has been relatively immune from large-scale attacks like those experienced by the US government’s Office of Personnel Management.
The BoM breach, reported to cost “millions of dollars” to fix, is more problematic because the BoM’s systems and the data go beyond any simple definition of a “straight weather service”. The bureau’s chief executive, Robert Vertessy, describes BoM as a “broad-based environmental intelligence agency”. Its systems feed into many other government departments, including the Department of Defence.
Such is the nature of the increasing risk associated with cyber attacks. Both the number and type of those attacks increase exponentially as governments, like businesses, become ever more reliant on the internet and mobile access to better service a broad range of constituents and stakeholders.
The internet was built for connectivity, not security. And as governments and businesses continue to embrace the digital era, so too have hackers — either state-sponsored or highly organised private actors — seeking to steal trade secrets and disrupt key services.
Each agency CEO is responsible for their data security and the typical approach has been to build layers of security (from antivirus programs to firewalls) into new and legacy systems. This adds cost and management complexity.
“Security is an all-of-agency exercise, but there is no common whole-of-government security architecture and spending varies between countries and industries,” said Ellis.
He says, on average, agencies spend about 2% of their total IT budget on security, far lower than the 8% mandated by the security-conscious Israeli government or the 10% mandated by Singapore. Tier one banks, by contrast, spend some 15% of their total IT budgets on cybersecurity.
Akamai’s business is about making the internet a reliable high-performance network for governments and businesses. Its global network, which has evolved in scale and sophistication since the birth of the commercial internet, carries around 30% of global web traffic each day — some 2 trillion transactions. The sheer scale of this produces massive amounts of data on many metrics related to broadband connectivity, mobile access, cloud security and media delivery. Its latest State of the Internet security report for the third quarter was released recently.
“With the media announcing some form of a breach almost every day, news about cyber attacks is at risk of becoming white noise,” said Ellis. “The frequency of these security incidents can tempt many government agencies and businesses to put the brakes on cloud adoption and, in some cases, the use of shared services is frowned upon. This creates a significant disadvantage for those organisations.”
As the BoM attack makes painfully clear, agency leaders are having to come to terms with a risk they have little real ability to quantify and for which they are equally unable to reason through an appropriate mitigation strategy. According to Ellis, agency leaders and CIOs need to take a far more holistic view and see security as a business issue rather than a narrow technical problem.
“The best approach is to work toward building ‘resilience’,” he said, referring to the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions through a combination of technologies and clear management practices.
“If you want the ability to deliver services regardless of disruptive events, it starts with asking some tough questions. Are our security investments aligned with protecting what is important? How do we know our security investments are improving our security posture? How ready are we to respond to cybersecurity attacks (with minimal or no service disruption)?”