Oversight, Insight, Foresight: The New Role of Boards in Driving Cyber Governance

Cyber Governance is now a critical focus as a dramatic increase in cyber crime and growing corporate accountability for related loss means the battle to protect a company’s digital assets is about to become an intensely personal one for Australia’s corporate custodians. Manuel Salazar from Orro explores.

In the past, there was a chasm between boards and cyber security staff working on the ground. Given the barrage of data breaches continuously making headlines, most boards are now well aware of the growing volume, complexity, and severity of cyber threats — and the need to stay vigilant. That’s why Cyber Governance has been appearing more frequently on the agenda in board meetings.

However, as the threat landscape evolves and the potential impact of a threat increases, many boards are still unsure about what role they should play in securing their organisations. From the board to IT, achieving true Cyber Governance is everyone’s responsibility.

Driving Cyber Governance from the Top: What Boards Need to Do

According to the ACSC, there were 67,500 cyber crimes targeting businesses and individuals reported last financial year in Australia, with an estimated financial impact of more than $33 billion. The increase in the volume of cyber crime reporting equates to one report of a cyber attack every 8 minutes, compared to one every 10 minutes the previous financial year. This scale of threat confirms that Cyber Governance is no longer just a technical checkbox, but a survival necessity.

A cyber security incident is a whole-of-business problem that can have serious consequences across the board – including loss of intellectual property, financial loss, reputational damage, regulatory investigations and legal proceedings. Even personal directors’ liability is a future possibility, making Cyber Governance a personal priority for corporate leaders.

For Australian boards and directors, it’s now a question of “when” rather than “if” their businesses are going to be targeted. Not addressing Cyber Governance at a strategic level creates significant risk. This was highlighted last year when corporate regulator ASIC updated its advisory on Cyber Governance and corporate security. The advisory advocated for greater awareness from boards of the risks associated with attack, as well as ensuring appropriate safeguards are in place to protect against malicious activity.

For directors, there is a looming potential personal risk. Last year, in the United States, investors began court action against board members of an energy company after malicious code inserted into one of the company’s software updates left US government agencies and companies exposed. These legal precedents underscore why Cyber Governance must be integrated into modern fiduciary duties.

Capability is the starting point. Boards need directors that understand their organisation’s cyber risk, but also accept the responsibility of ensuring Cyber Governance is managed in the same way as other critical risks to the business and shareholders – they cannot assume that cyber issues are simply IT problems or “too unlikely”.

Last year, a report by EY found that 60 per cent of Fortune 100 companies included cyber security as an area of expertise sought on the board or cited in a director biography in 2020. That’s up from about half of boards the prior year, and about 40 per cent in 2018. This shift demonstrates a global trend toward prioritising Cyber Governance as a core competency for modern leadership teams.

Of course, no one is expecting directors to implement security controls or review the security configuration of business systems and applications. But there are several ways directors can make sure the business has a strong security posture that receives the same stringent process as a financial balance sheet. This is the cornerstone of effective Cyber Governance.

Establishing a Framework for Cyber Governance

Beyond funding, creating a cyber risk management framework needs to be part of the board’s realm of responsibility. There are several components that make a strong risk management framework, including:

  • Identifying an organisation’s most critical assets.
  • Establishing procedures to protect assets, detect threats, and respond to security incidents.
  • Testing the procedures with employees and optimising where necessary.
  • Developing a security governance strategy to manage Cyber Governance across the entire organisation.

The framework should also clearly define responsibilities from the board and management to operations and IT. Those with specific responsibilities then need the board’s support with leadership, policy sign off, and Cyber Governance resourcing.

Overseeing Compliance with the Framework

Boards can’t just establish a framework and hope for the best. Once developed, it’s important to keep a close eye on compliance. An audit committee can help with this oversight, ensuring that Cyber Governance remains a measurable objective.

However, given the complexity of cyber security, appointing security experts to the committee – or even setting up a cyber security subcommittee – would help the board understand the highly technical aspects and what it means for the organisation. The committee’s role should be to provide additional support to further strengthen Cyber Governance, not bear the board’s entire responsibility.

Reviewing and Revising the Threat Response Plan

Reviewing an organisation’s threat response plan is equally as important for a board as auditing the quarterly financial results. The detailed plan should specify:

  • Who’s responsible for making decisions following a security incident.
  • The actions that need to be taken to recover from an incident.
  • The procedures for notifying customers and the public of a data breach.
  • The steps for engaging law enforcement, depending on the circumstances.
  • A process for continuously evaluating the effectiveness of the threat response plan to maintain Cyber Governance.

The purpose of the plan is to ensure the organisation is fully prepared to respond quickly to a security event – stopping a threat from spreading across its network and minimising financial and data loss. Building effective Cyber Governance requires a strategic balance of three key elements: Oversight, Insight, and Foresight.

Oversight: Ensuring Accountability

Oversight is the baseline. It involves ensuring that the right frameworks are in place, that compliance requirements are met, and that there is a clear chain of accountability for security incidents. This creates the foundational layer of Cyber Governance.

Insight: Understanding the Present Posture

Insight goes deeper than compliance. It requires boards to have a clear, data-driven understanding of the organisation’s current security maturity and where the most significant risks lie within the business operations. Without insight, Cyber Governance remains reactive rather than strategic.

Foresight: Anticipating the Future

Foresight is the most advanced stage. It is about looking ahead to emerging threats, such as AI-driven attacks or quantum risks, and ensuring the organisation is building the resilience needed to adapt to a changing digital environment. True Cyber Governance depends on the ability to anticipate and mitigate future disruption.

Preparing for the Future of Cyber Governance

Some businesses still operate under a false sense of security, thinking they’re unlikely to be attacked because they have security controls and a competent IT team managing these controls. However, a “set it and forget it” approach to cyber security is not effective, especially with the threat landscape, attack surface, and security technology evolving fast. Continuous adaptation is necessary for Cyber Governance.

Directors need to consider what the future of security could look like – and how their organisations can withstand tomorrow’s challenges. In recent years, the industry has been moving towards a combination of approaches, known as “zero trust” and “secure access service edge” (SASE). As remote work opened the floodgates to ransomware and other threats during the pandemic, this trend has moved beyond the “hype” part of the curve to a mature, modern deployment model, bolstering Cyber Governance across distributed workforces.

Organisations are increasingly recognising that network security infrastructure and identity management systems need to be combined. New service-based models, flexible SaaS infrastructure, and increasing network capacity mean this will become part of every organisation’s technology roadmap in the next few years. No matter what the future holds, good Cyber Governance comes from strong bones. That means having the right foundation in place – across people, processes, and platforms – so organisations are prepared for whatever’s coming next.

by Manuel Salazar – Director of Cyber Services, Orro

Originally published in Cybersecurity Connect.
