Navigating Cyber Risks with Governance.
Cyber attacks are becoming increasingly complex and multifaceted, and there are growing expectations for boards and organisations to better equip themselves to manage and mitigate cyber risks.
In a recent article, the Australian Institute of Company Directors emphasises that “Boards must recognise the constantly evolving threat landscape and take proactive measures to mitigate risks effectively.”
Cybersecurity can seem complex and difficult to understand. It’s often unclear where to begin, especially if there is a lack of technical or technological experience on a board. However, there are straightforward ways to break down cyber risks into manageable components that are simpler to address.
I’m sharing my top five pieces of advice on how boards can gain better oversight and governance of cybersecurity:
1. Cyber is just another set of risks.
Cybersecurity is simply another set of risks that need to be managed. The best approach to managing cybersecurity is the same as managing any other risk, such as Work, Health & Safety risk, Financial risk or Environmental risk.
Leverage the risk management expertise and experience already present within your board and your organisation. This means:
- Using your existing risk management framework and risk appetite statement.
- Rating and classifying cybersecurity risks in the same way you rate other risks.
- Prioritising cybersecurity risks along with all other risks facing your organisation.
- Incorporating cyber into your existing risk reporting.
Using your existing governance and oversight frameworks will allow you to keep it simple and make management easier.
2. It’s about people as much as technology
People are crucial in mitigating cybersecurity risk. Cybersecurity can be likened to Work, Health and Safety. Just as safety measures, awareness and training are essential for physical safety, similar measures are required for cybersecurity. It’s important to ensure your people follow the right behaviours and don’t share sensitive data or absentmindedly click on a phishing link.
Ensure your people are cyber aware, and this goes beyond a single round of annual training:
- Use phishing simulations, and reward those who identify or raise cyber risks.
- Make training relevant to individuals, relating it to their personal lives to increase engagement and application of practices at work.
- Gamify cyber training to make it fun, engaging and competitive.
3. Keep it on the agenda
What you talk about and act on will drive the culture of the organisation. Make sure cybersecurity is on the agenda. Have discussions about cybersecurity regularly both in and out of the boardroom.
- Invite experts (internal or external) to share their cybersecurity experiences and knowledge.
- Discuss it along with all other risks in your board meetings.
- Talk about it during site visits and staff meetings.
- Ensure it’s part of the CEO’s performance metrics.
4. Testing, testing, testing
Nothing will prepare your organisation more for a cyber crisis than testing. Conduct tabletop exercises regularly to simulate a cyber crisis or attack. Ensure both the board and management are familiar with different scenarios and their impacts.
Also, ensure there is ongoing testing and assurance of systems and defences.
In addition to preparing you for a potential crisis, regular testing increases awareness and understanding across the organisation, highlighting the importance of cybersecurity.
5. This isn’t going to end soon
Cybersecurity isn’t losing momentum; it’s not a passing trend or a project with an end date.
Cybersecurity is maturing, and regulations and legislation are increasing. The requirements for cybersecurity are only going to grow. The Privacy Act is being reformed. The Government recently launched the 2023-2030 Cyber Security Strategy, setting out the Australian Government’s vision to be a world leader in cybersecurity by 2030. Australia is one of the few countries with a Minister for Cyber Security.
It’s crucial to embed cybersecurity into the organisation for the long term, ensuring your management team has sufficient resources with appropriate skills and capabilities to manage and mitigate cyber risks.
In conclusion
Cybersecurity is an ongoing concern requiring continuous attention and investment. With the right strategies and a proactive approach, boards can equip themselves to govern and oversee cyber risks effectively.
Please connect to learn more.