The Director Sentiment Index surveys report that Australian directors consistently rank cyber security and data theft as the number one issue keeping them awake at night. To support company directors in fulfilling their duty to manage cyber security risk, the Australian Institute of Company Directors (AICD) has released the Cyber Security Governance Principles. These Principles provide clear guidance and a practical framework for organisations to build stronger cyber resilience.
I encourage all company directors and board members to read the published principles. In this blog, I will summarise the five guiding principles and add some additional insight based on my personal experiences working in the cyber security industry.
Principle 1: Set clear Roles and Responsibilities
Clearly defined roles and responsibilities assist directors in effectively overseeing cyber risk. The list below represents the key roles and responsibilities in a typical cyber security governance structure:
Board of Directors: The board has ultimate accountability for ensuring that appropriate processes and delegations are in place to give directors comprehensive oversight of how cyber risks are governed, addressed and regularly reported.
Management: Cyber security is a shared enterprise risk for which the entire management team bears responsibility. Responsibilities should be documented, regularly reviewed and updated accordingly to reflect the changing expectations of management concerning their contribution to organisational cyber resilience. When appropriate, key performance indicators and incentives should be aligned with cyber resilience measures.
Internal audit: In some organisations, an internal audit team may exist to play a role in assuring the effectiveness of cyber security controls.
Whole Organisation: Fundamentally, all staff members and key partners share the responsibilities of enhancing the organisation’s cyber resilience. Using maps or other visual aids, as well as scenario testing and cyber security training workshops on critical cyber issues, may assist staff in better understanding where responsibility for cyber security sits across an organisation.
External Experts: External experts play a role in providing advice and assurance to directors, as well as identifying areas of improvement. However, directors must bear in mind that while they may periodically rely on the knowledge and counsel of external experts regarding cyber issues, doing so does not entirely relieve them of the responsibility for decision-making.
External Auditors: External auditors provide assessments of an organisation’s risk management controls and how they compare with international standard frameworks. The organisation’s board can use this information to assess their cyber risk maturity level and as a valuable benchmark against industry peers.
Insurance: Insurance provides protection in the event of losses from a critical cyber incident. In addition to financial compensation, insurance providers offer expert advice and assistance in the event of a significant cyber incident. The company board should carefully assess whether purchasing cyber insurance is suitable and cost-effective for their organisation as it can often be costly and subject to exclusions or limitations for particular cyber occurrences.
Principle 2: Develop, Implement and Evolve a Comprehensive cyber strategy
A cyber strategy is a plan for an organisation to enhance the security of its key digital assets, processes and people over time. In the long run, a comprehensive cyber strategy will assist businesses to be prepared for a cyber-security incident. Below is a list of critical components of an effective cyber strategy:
Identification of Key Digital Assets and Data (Crown Jewels): Important customer and employee-related data, and the technical infrastructure supporting corporate operations, are the core digital assets of many organisations. The loss or damage of this data or infrastructure can have a significant impact.
Data Governance Obligations: Company directors need to understand the extent of the customer and employee personal data being stored and fully comprehend the legislative and regulatory reasons for doing so. Company directors should be aware of the type of data being held, where it is kept, who has access to it, who is protecting it, how well it is protected, and why it is being held.
Internal Capability and Maturity: In addition to the current IT infrastructure and the internal control environment for cyber and business continuity planning, directors should have a thorough grasp of key personnel’s cyber competencies, their roles, and reporting lines. Through this process directors will be able to determine their company’s cyber security strengths and weaknesses and where improvements are needed.
Roadmap to enhancing capability: A cyber strategy often encompasses the steps an organisation will take over a certain period to enhance its cyber capabilities.
Key Third-Party Suppliers: Directors must understand the cyber security capabilities of key third-party suppliers who support or manage the organisation’s critical assets and data. Directors should be confident that the organisation has the appropriate internal capabilities and risk-management processes to appoint and monitor key external providers.
Ongoing evaluation and refinement: Periodic performance reviews assist in identifying opportunities for organisational evolution and improvement. Reviews can be scheduled regularly or on an ad-hoc basis due to evolving events or circumstances.
Principle 3: Embed cyber security in existing risk management practices
Cyber risk is an operational risk that can be managed by an organisation using its current risk management strategy. Cyber-risk appetite is the risk an organisation is willing to take in its digital activities to achieve its strategic objectives and business goals.
Hence, it is recommended to use current risk frameworks, as they are already understood across the organisation, and to draw upon the expertise of key risk and compliance staff. This reduces the likelihood that cyber risk remains the sole responsibility of IT or digital teams.
To ensure that the organisation is operating within its approved appetite for cyber risk, the following actions should be carried out:
Risk Assessment: It is central to sound risk governance that directors understand what cyber risks exist.
Developing and overseeing controls: Directors should be aware of the controls in place to reduce or mitigate the risks identified in the risk assessment and how those controls perform.
Measuring and evaluating internal controls: Management should provide directors with periodic and consistent reports on the effectiveness of risk controls. Furthermore, as the cyber threat environment is dynamic and constantly evolving, directors should regularly reflect on the cyber risk controls of the organisation and whether the cyber risk appetite remains appropriate. This should be carried out annually, and external auditors should be used where necessary. Directors should determine whether notable cyber occurrences that have a negative impact on other organisations warrant a review of risk controls.
Principle 4: Promote a culture of cyber resilience
There are three areas that should be addressed to promote a culture of cyber resilience:
Creating a cyber security mindset from the top down
A genuine culture of cyber resilience is a crucial and often overlooked cyber control. The board has a central role in promoting and demonstrating a cyber security mindset. Directors can request the following initiatives from managers to enhance staff members’ cyber resilience:
- Use common and accessible language when talking about cyber security
- Be open and honest about cyber risks to the organisation
- Reward conduct such as transparency and early reporting of cyber breaches or attempted breaches, such as phishing
Skills and Training
In addition to cyber security policies, it is important to conduct ongoing security awareness training and phishing simulation campaigns to reinforce sound cyber hygiene practices and an overall culture of cyber resilience.
Key personnel with greater exposure to key digital assets should receive more in-depth external training that provides technical “deep dives” where appropriate.
While all company directors need to enhance their cyber literacy, in organisations where cyber security risk is highly material or tied to an ambitious strategic agenda, having a director with expertise in digital and cyber security is valuable.
Directors should evaluate whether their organisation contributes to formal intelligence exchanges, such as threat information sharing, and whether this network provides timely updates on emerging threats.
Management should also be encouraged to contribute to collaborative industry forums that share information about effective risk control, which may assist in cyber incident recovery.
Principle 5: Plan for a significant cyber security incident
A cyber incident response plan is vital in ensuring an organisation is well-placed to respond effectively to a cyber incident.
Key elements of a Response Plan include responsibilities, resources, triage and immediate response, containment and eradication, communication and recovery. All components of the Response Plan need to be understood and approved by the Directors.
The Response Plan should be reviewed regularly and updated according to changes in environmental factors (e.g. emerging threats), organisational structure and changes to the organisation’s critical digital assets (or ‘crown jewels’).
Simulation exercises and testing, facilitated by a third party, are key tools in preparing directors and the broader organisation to respond effectively to a significant cyber incident, as well as in assessing and improving the plan.
- Compliance with an industry standard is just one part of a cyber strategy. It doesn’t equate to security and should not be misunderstood as placing an organisation in a sound position to defend against attacks or respond to a cyber incident.
- Regular reporting should be presented to provide rich information about the internal and external threat environments and insight into how controls, processes and the organisation’s staff are contributing to the organisation’s cyber resilience.
- The development of management’s cyber capabilities is critical, alongside director education to support their oversight function. Every director should be responsible for enhancing their own skills and knowledge of cyber security.
- It is best practice for larger organisations to engage an independent third party to conduct auditing, and for the resulting report to be presented to the board unfiltered by management.
- For larger organisations, benchmarking against recognised maturity models and standards frameworks is beneficial.
- For all organisations, the ACSC’s Strategies to Mitigate Cyber Security Incidents provides a comprehensive resource for operationally focused cyber-risk controls, including several practical steps smaller organisations can take to mitigate cyber risks.
- Organisations are encouraged to participate in the ACSC Partnership Program and Joint Cyber Security Centres.
- The Australian Cyber Security Centre (ACSC) has comprehensive resources on terminology and key concepts that will help directors remain informed of the language used in cyber security.
While everyone is responsible for ensuring the right actions are taken to protect Australian organisations, company directors have a critical role to play. The principles highlight what every organisation’s directors should do, from small businesses and not-for-profit organisations to large enterprises, to protect their stakeholders, operations, profit and reputation.
Skillfield is an Australian-based IT services consultancy company empowering businesses to excel in the digital era. Across our two main practices of Cyber Security and Data Services, our talented and committed professionals provide smart and simplified solutions to complex cyber security and big data challenges.