Cyber Governance – what today’s leaders cannot afford to ignore.
You’d be forgiven for thinking the term “Cyber Governance” has as much spice as a mild burrito, but this is quickly becoming an area Boards and Leadership Teams must understand and address.
I’ll say it first and get it out there, we care deeply about this. Why? Maybe it’s because it feels like the ultimate battle between man and computer has begun and for once the IT nerd is the hero!
Either way, we want to get as much information in your hands so that you can answer some critical questions.
What is “Cyber Governance”?
Once upon a time, cyber and cyber risks were a problem for the IT geeks to manage. Breaches only occurred at the ‘big end of town’ and the rest of us were able to coast by unscathed with our “I’m too small to matter” mindset. Well, that is a story for the history books; welcome to the new age. Cyber Governance is a term for the growing expectations and compliance obligations on directors and their organisations to appropriately govern and manage IT environments and cyber risks. In short, you, yes you, are now legally responsible for how you approach your cyber environment and the precious data contained therein.
But we are not here to scare you, we are here to help you!
Cyber as an organisational risk
At a high level, cyber needs to be viewed as an organisational risk, meaning it gets the same care and attention as other business risks. This means bringing your cyber governance into the strategic planning process and understanding the following, in detail:
- The information you hold and its sensitivity
- What threats exist for that information and the risks they pose
- What is going to happen if those risks eventuate
- How your organisation will mitigate those risks
Thankfully, boards are critical-thinking masters. The principles of this kind of thinking remain applicable, even if IT is not your bag (baby). Now is a good time to stop and remember: how do you eat an elephant? One bite at a time. To help you choose where to start, the AICD have identified six key pillars of cyber resilience:
- Data proliferation: Where is your data kept? Is it secure?
- Policy: Are your organisational policies relevant and implemented?
- Process: Do you have clear processes? Are they maintained and implemented?
- Technology: If you are still on Windows ‘97, we need to talk. You need to adequately resource your IT environment if you want to stay safe.
- People: Your people are your best defence! Don’t just invest in your tech, invest in your team.
- Culture & trust: Culture is king. There is no point talking cyber in your board room and not creating a cyber aware culture throughout your organisation. Be intentional.
What can you do today?
If you don’t have a magic wand, chances are you are not in your desired state yet and that is ok, below are some steps identified to help you walk this out.
Step 1: Define your policies, goals, strategies, investment, and performance targets for your organisation’s cyber capabilities and how those fit into your overarching strategic plan and compliance obligations. Once defined, make sure management have a plan to carry out your cyber plan!
Step 2: Take the time to work with your team to define and develop your cyber culture. It won’t happen by accident and with staff at varying levels of computer literacy (and care factor), taking the time to define what is in and what is out is essential.
Step 3: Resource investment is key. If we had a dollar for every time organisations wanted to mitigate their cyber risk without investment… well, we’d have a business unto itself! The reality is you need to be investing in your technology from a skills, asset, and culture perspective. And don’t forget, there is a huge return on investment to be had here. Consider the efficiencies gained from system deduplication, password tools to help people log in securely, application control systems so everyone has the same applications which are automatically kept up to date, less downtime by being on current platforms, and then, of course, being ready when a malicious actor comes knocking.
Step 4: Monitor your environment. It isn’t enough to have a plan; you’ve got to execute the plan. Your IT provider can work to identify core KPIs that should indicate the health and security of your environment. If they can’t, we can help you.
Step 5: Develop your reporting. The flow of information from your organisation to management to the board needs to be open. How do we tackle this? We implement a single-pane, real-time board report that pulls together multiple data points across your organisation. We collaborate to set acceptable parameters and then we make that information clear and accessible to the board. Using a traffic light system, at a glance you can see where your organisation is tracking against its acceptable tolerances. Not to brag, but we did just make the finals of our local Business Awards for this innovation. The real win is seeing our partner organisations start to own their cyber posture and be empowered by knowing where things really are.
Some resources that might help you dig a little deeper include:
- ASIC: Cyber Resilience Good Practices: https://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience/cyber-resilience-good-practices/
- A CEO’s Survival Guide to Information Technology by Bob Coppedge
- World Economic Forum: Advancing Cyber Resilience. Principles and Tools for Boards: https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf
- AICD: Cyber Security Governance Framework: https://www.aicd.com.au/risk-management/framework/cyber-security/cyber-security-governance-principles.html