5 Cyber Security Governance Principles for Australian Businesses

The Director Sentiment Index surveys report that Australian directors consistently rank cyber security and data theft as the number one issue keeping them awake at night. To support company directors in fulfilling their duty to manage cyber security risks, the Australian Institute of Company Directors (AICD) has released the Cyber Security Governance Principles. These Principles provide clear guidance and a practical framework for organisations to build stronger cyber resilience.

I encourage all company directors and board members to read the published principles. In this blog, I will summarise the five guiding principles and add some additional insight based on my personal experiences working in the cyber security industry.

Principle 1: Set clear Roles and Responsibilities

Clearly defined roles and responsibilities assist directors in effectively overseeing cyber risk. The list below represents the key roles and responsibilities in a typical cyber security governance structure:

Board of Directors: The board has ultimate accountability to ensure that appropriate processes and delegations are in place to provide directors with comprehensive oversight of how cyber risks are governed, addressed and regularly reported. 

Management: Cyber security is a shared enterprise risk for which the entire management team bears responsibility. Responsibilities should be documented, regularly reviewed and updated to reflect the changing expectations of management concerning their contribution to organisational cyber resilience. Where appropriate, key performance indicators and incentives should be aligned with cyber resilience measures.

Internal audit: In some organisations, an internal audit team may exist to play a role in assuring the effectiveness of cyber security controls.

Whole Organisation: Fundamentally, all staff members and key partners share the responsibilities of enhancing the organisation’s cyber resilience. Using maps or other visual aids, as well as scenario testing and cyber security training workshops on critical cyber issues, may assist staff in better understanding where responsibility for cyber security sits across an organisation.

External Experts: External experts play a role in providing advice and assurance to directors, as well as identifying areas of improvement. However, directors must bear in mind that while they may periodically rely on the knowledge and counsel of external experts regarding cyber issues, doing so does not entirely relieve them of the responsibility for decision-making.

External Auditors: External auditors provide assessments of an organisation’s risk management controls and how they compare with international standard frameworks. The organisation’s board can use this information to assess its cyber risk maturity level and as a valuable benchmark against industry peers.

Insurance: Insurance provides protection in the event of losses from a critical cyber incident. In addition to financial compensation, insurance providers offer expert advice and assistance in the event of a significant cyber incident. The company board should carefully assess whether purchasing cyber insurance is suitable and cost-effective for their organisation as it can often be costly and subject to exclusions or limitations for particular cyber occurrences.

Principle 2: Develop, Implement and Evolve a Comprehensive cyber strategy

A cyber strategy is a plan for an organisation to enhance the security of its key digital assets, processes and people over time. In the long run, a comprehensive cyber strategy will help a business be prepared for a cyber security incident. Below is a list of critical components of an effective cyber strategy:

Identification of Key Digital Assets and Data (Crown Jewels): Important customer and employee-related data and the technical infrastructure supporting corporate operations are many organisations’ core digital assets. The loss or damage of this data or infrastructure can have a significant impact.

Data Governance Obligations: Company directors need to understand the extent of the customer and employee personal data being stored and fully comprehend the legislative and regulatory reasons for doing so. Company directors should be aware of the type of data being held, where it is kept, who has access to it, who is protecting it, how well it is protected, and why it is being held.

Internal Capability and Maturity: In addition to the current IT infrastructure and the internal control environment for cyber and business continuity planning, directors should have a thorough grasp of key personnel’s cyber competencies, their roles, and reporting lines. Through this process directors will be able to determine their company’s cyber security strengths and weaknesses and where improvements are needed.

Roadmap to enhancing capability: A cyber strategy often encompasses the steps an organisation will take over a certain period to enhance its cyber capabilities. 

Key Third-Party Suppliers: Directors must understand the cyber security capabilities of key third-party suppliers who support or manage the organisation’s critical assets and data. Directors should be confident that the organisation has the appropriate internal capabilities and risk-management processes to appoint and monitor key external providers. 

Ongoing evaluation and refinement: Periodic performance reviews assist in identifying opportunities for organisational evolution and improvement. Reviews can be scheduled regularly or on an ad-hoc basis due to evolving events or circumstances.

Principle 3: Embed cyber security in existing risk management practices

Cyber risk is an operational risk that can be managed by an organisation using its current risk management strategy. Cyber-risk appetite is the risk an organisation is willing to take in its digital activities to achieve its strategic objectives and business goals.

Hence, it’s recommended to use current risk frameworks as they are understood across the organisation and draw upon the expertise of key risk and compliance staff, reducing the likelihood that cyber risk remains the sole responsibility of IT or digital teams.

To ensure that the organisation is operating within its approved appetite for cyber risk, the following actions should be carried out:

Risk Assessment: It is central to sound risk governance that directors understand what cyber risks exist.

Developing and overseeing controls: Directors should be aware of the controls in place to reduce or mitigate the risks identified in the risk assessment and how those controls perform.

Measuring and evaluating internal controls: Management should provide directors with periodic and consistent reports on the effectiveness of risk controls. Furthermore, as the cyber threat environment is dynamic and constantly evolving, directors should regularly reflect on the cyber risk controls of the organisation and whether the cyber risk appetite remains appropriate. This should be carried out annually, and external auditors should be used where necessary. Directors should determine whether notable cyber occurrences that have a negative impact on other organisations warrant a review of risk controls.

Principle 4: Promote a culture of cyber resilience

There are three areas that should be addressed to promote a culture of cyber resilience:

Creating a cyber security mindset from the top down

A genuine culture of cyber resilience is a crucial and often overlooked cyber control. The board has a central role in promoting and demonstrating a cyber security mindset. Directors can request the following initiatives from managers to enhance staff members’ cyber resilience:

  • Use common and accessible language when talking about cyber security
  • Be open and honest about cyber risks to the organisation
  • Reward conduct such as transparency and early reporting of cyber breaches or attempted breaches, such as phishing

Skills and Training

In addition to cyber security policies, it is important to conduct ongoing security awareness training and phishing simulation campaigns to reinforce sound cyber hygiene practices and an overall culture of cyber resilience.

Key personnel with greater exposure to key digital assets should receive more in-depth external training that provides technical “deep dives” where appropriate.

While all company directors ne