Having conversations about Cyber and IT in the Boardroom

With the ever-changing landscape of technology, it brings with it a lot of new language to the table, which makes it seem complicated and one of those technically detailed conversations. It doesn’t have to be. 

It doesn’t have to be. 

The frequency we are hearing terms such as cyber and cyber-security reported in the news is growing – even as recently as last week with the NSW Education department being hit by a cyber-attack. The Australian Institute of Criminology has released a report putting the total economic cost of cyber-crime across Australia at $3.5 billion in 2019, including $1.9 billion lost by individual victims. 

With the depth and breadth of technology needed to run and work within an organisation increasing and the ongoing maintenance of the technology that this entails, the risk the IT infrastructure poses to the organisation is also escalating. 

As a Board director, you’re empowered to question the risks of any aspect of an organisation and with that comes the need to educate yourself to understand those risks and your organisation's preparedness to respond to those risks. It’s also worth noting that the Federal Government is working on new cyber-security standards that include corporate governance, first floated in the 2020 Cyber Security Strategy, which may hold directors personally responsible for cyber-attacks.  Addressing cyber and IT infrastructure risk should be no different to addressing finance or stakeholder engagement risk for example. 

It’s important that Board directors identify these risks as organisational risks and not just an IT problem, as taking this approach will encourage your peers, stakeholders and employees to take the same approach. 

In our research into cyber-security, Techradar recently reported that up to 99 per cent of cyber-attacks require human interaction to execute.  This is why it is so important to bring all levels of the organisation along on the cyber and IT infrastructure conversation. 

So, how do you have the conversation? 

The CEO is a lynchpin in the conversation, bringing information to the board and acting as a leader for the organisation's attitude to this topic. A great place to start is to have a strategic plan for cyber and IT Infrastructure for the organisation in place and that plan should be a regular part of the Board’s agenda and papers. 

What questions should be raised at a Board meeting?

The Australian Cyber Security Centre has published a prioritised list of mitigation strategies to assist organisations in protecting their systems, called the Essential Eight. A great question off the back of those strategies is “how do we stack up?” 

It doesn’t have to be that detailed though, as suggested in the book The Secure Board, some great questions are: 

• Do we know who has access to our critical information assets and how is this monitored and managed? 
• What happens in the event a key supplier is compromised? 
• In our security team, how many people are focussed on the security of technology, and how many are focussed on the behaviours of our people? 
• Are we doing everything we can for our customers to protect their data that we hold? 

The most important thing though, is that the cyber and IT infrastructure conversation at the Board room level starts straight away before an incident occurs. The acceptance of these risks as organisational risks needs to be guided from the top, to then filter down through the whole organisation. 

If you’d like to hear more from experts in the field, watch our recent webinar Cyber Security for Boards where Fi Mercer chats with Anna Leibel and Claire Pales about how it’s no longer a question of if you need to know about cyber-security but when you’re going to learn. 

This article takes inspiration from Anna and Claire’s book, The Secure Board, which is a fantastic starting point for assuring your board is addressing and understanding the cyber risk in your organisation.