Cyber security has been the talk of the corporate town for the past few weeks. Although we are yet to see whether the recent incidents have erased the last remnants of cyber complacency in our corporate culture, there is little doubt that cyber security conversations will be prevalent in Australian boardrooms in 2023, further encouraged by tougher privacy laws and regulations. But productive cyber security discussions require security and business leaders to collaborate efficiently, which has historically been hit and miss.
Cyber criminals keep bypassing organisations’ defences and are increasing their focus on Australia. Time is of the essence for business leaders and boards to make the right cyber security decisions, and the following trifecta can help: CEOs and Chief Security Officers (CSOs or CISOs) presenting a united front, CISOs providing the data points that support risk decision-making, and boards that display a reasonable knowledge of cyber security matters and an understanding of the cyber risk the organisation faces.
Establishing a CEO / CISO partnership
Not all security executives have regular contact with the CEO. Yet the ability of CEOs and CISOs to present a united front will influence the board’s support for, and approval of, security plans.
Company leaders should establish a deeper and more direct relationship with their cyber security leaders, with regular touchpoints that build their own savviness on the topic and let the two align on a solid strategy they can present to the board as a team.
Cyber threats are evolving fast, and cyber security action plans should evolve with them. A collaborative CEO / CISO partnership fosters agility and responsiveness in adjusting strategy to the threat environment.
What boards need to see
Narratives designed to trigger fear-based decisions, or that are too technical, typically fail to articulate why an action is a priority and what a measured response looks like. Boards need to understand whether the company’s assets are adequately protected and which investments are necessary to reduce risk, so that every dollar spent buys the maximum risk reduction.
Convincing them requires risk assessments that are less subjective and more data-driven and quantified: assessments that set out the value at risk for the company under various cyber incident scenarios, together with plans for reducing that risk. Cyber security leaders are best positioned to deliver these. The value at risk can be expressed in different ways; one is to estimate the total cost of a data breach or cyber attack for a given threat scenario.
This value should include:
- assets that could be stolen or destroyed,
- the revenue lost while operations are halted,
- the cost of the time and resources needed to contain and remediate the attack,
- associated communications and legal costs,
- damage to the company’s value and short-term revenue,
- potential compensation to affected customers or users,
- potential government fines for non-compliance or failure to protect sensitive data,
- and the investments necessary for recovery.
Measuring the value at risk is the first phase. The second is estimating the likelihood of each threat scenario materialising, based on external and internal data, and the third is presenting a plan of action designed to minimise these risks. If the expected loss, that is the value at risk weighted by its likelihood, is much higher than the cost of the proposed investments, the ask is justified.
Finally, boards will want to see the impact of cyber security investments through regular reporting. Security leaders will need tools and data that let them measure cyber risk and convey it in terms that are meaningful with respect to business impact.
Meeting security leaders in the middle
Cyber criminals are winning in part because they often team up. The same should happen within businesses. Cyber security is everyone’s problem, and in the current environment it is essential that board members and leadership teams collaborate to drive a security- and risk-minded culture across the organisation. This is more than security training: tone from the top, rewarding security champions, consequence management and role modelling all play a part in instilling a risk culture.
Board conversations and decisions about cyber security are smoother when members come equipped with at least a basic understanding of cyber threats and the associated risks. It is also in their own interest, as directors can be held accountable for serious data breaches.
That understanding also helps leadership teams see how cyber risk applies to their own business units, how it can be managed, and how they can cascade good practice through their teams to avoid incidents caused by insiders and human error.
To conclude, efficient governance, processes and collaboration underpin the best cyber security strategies, and it will be paramount for the business community to prioritise them next year, because in the 21st century some of the most dangerous criminals are online, and they are coming after us.
David Fairman is Chief Information Officer and Chief Security Officer APAC at Netskope