A dramatic increase in cyber crime and growing corporate accountability for related loss mean the battle to protect a company’s digital assets is about to become an intensely personal one for Australia’s corporate custodians. Manuel Salazar from Orro Group explores.
In the past, there was a chasm between boards and cyber security staff working on the ground. Given the barrage of data breaches continuously making headlines, most boards are now well aware of the growing volume, complexity, and severity of cyber threats — and the need to stay vigilant. That’s why cyber security has been appearing more frequently on the agenda in board meetings.
However, as the threat landscape evolves and the potential for threats increases, many boards are still unsure about what role they should play in securing their organisations.
From the board to IT, cyber security is everyone’s responsibility
According to the ACSC, there were 67,500 cyber crimes targeting businesses and individuals reported last financial year in Australia, with an estimated financial impact of more than $33 billion. The increase in the volume of cyber crime reporting equates to one report of a cyber attack every 8 minutes, compared to one every 10 minutes last financial year.
A cyber security incident is a whole-of-business problem that can have serious consequences across the board – including loss of intellectual property, financial loss, reputational damage, regulatory investigations and legal proceedings. Even personal directors’ liability is a future possibility.
For Australian boards and directors, it’s now a question of “when” rather than “if” their businesses are going to be targeted. Not addressing cyber security at a board level creates significant risk.
This was highlighted last year when corporate regulator ASIC updated its advisory on corporate governance and cyber security. The advisory advocated for greater awareness from boards on risks associated with attack, as well as ensuring appropriate safeguards are in place to protect against malicious activity.
For directors, there is a looming potential personal risk. Last year, in the United States, investors began court action against board members of an energy company after malicious code inserted into one of the company’s software updates left US government agencies and companies exposed.
Driving cyber resilience from the top: What boards need to do
In practical terms, what role do boards need to play in cyber security governance?
Capability is the starting point. Boards need directors who understand their organisation’s cyber risk, but who also accept the responsibility of ensuring the risks are managed in the same way as other critical risks to the business and shareholders – they cannot assume that cyber issues are simply IT problems or “too unlikely”.
Last year, a report by EY found 60 per cent of Fortune 100 company directors included cyber security as an area of expertise sought on the board or cited in a director biography in 2020. That’s up from about half of boards the prior year, and about 40 per cent in 2018.
Of course, no one is expecting directors to implement security controls or review the security configuration of business systems and applications. But there are several ways directors can make sure the business has a strong security posture that is subject to the same stringent scrutiny as a financial balance sheet.
Creating a risk management framework
Beyond funding, creating a cyber risk management framework needs to be part of the board’s realm of responsibility.
There are several components that make a strong risk management framework, including:
- Identifying an organisation’s most critical assets.
- Establishing procedures to protect assets, detect threats, and respond to security incidents.
- Testing the procedures with employees and optimising where necessary.
- Developing a security governance strategy to manage risks across the entire organisation.
The framework should also clearly define cyber responsibilities across the organisation, from the board and management to operations and IT. Those with specific responsibilities then need the board’s support with leadership, policy sign off, and cyber resourcing.
Overseeing compliance with the framework
Boards can’t just establish a risk management framework, tell the workforce about it, and hope for the best. Once the framework is developed, it’s important to keep a close eye on compliance. An audit committee can help with this oversight.
However, given the complexity of cyber security, appointing security experts to the committee – or even setting up a cyber security subcommittee – would help the board understand the highly technical aspects of cyber security and what it means for the organisation, so they can make more informed decisions. The committee’s role should be to provide additional support, not bear the board’s entire responsibility.
Reviewing and revising the threat response plan
Reviewing an organisation’s threat response plan is as important for a board as auditing the quarterly financial results. The detailed plan should specify:
- Who’s responsible for making decisions following a security incident.
- The actions that need to be taken to recover from an incident.
- The procedures for notifying customers and the public of a data breach.
- The steps for engaging law enforcement, depending on the circumstances.
- A process for continuously evaluating the effectiveness of the threat response plan and revising accordingly.
The purpose of the plan is to ensure the organisation is fully prepared to respond quickly to a security event – stopping a threat from spreading across its network and minimising financial and data loss.
Preparing for the future of IT security
Some businesses still operate under a false sense of security, thinking they’re unlikely to be attacked because they have security controls and a competent IT team managing these controls. However, a “set it and forget it” approach to cyber security is not effective, especially with the threat landscape, attack surface, and security technology evolving fast.
Directors need to consider what the future of security could look like – and how their organisations can withstand tomorrow’s challenges.
In recent years, the industry has been moving towards a combination of approaches, known as “zero trust” and “secure access service edge” (SASE). As remote work opened the floodgates to ransomware and other threats during the pandemic, this trend has moved beyond the “hype” part of the curve to a mature, modern deployment model.
Organisations are increasingly recognising that network security infrastructure and identity management systems need to be combined. However, the long investment cycle of these technologies has been one factor throttling adoption. But new service-based models, flexible SaaS infrastructure, and increasing network capacity mean this will become part of every organisation’s technology roadmap in the next few years.
No matter what the future holds, good security comes from strong bones. That means having the right foundation in place – across people, processes, and platforms – so organisations are prepared for whatever’s coming next.
Manuel Salazar is the director of cyber services at Orro Group.