Study after study into the importance of cybersecurity has found that it is one of the most critical risks boards must manage. Little wonder that Gartner predicts that 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member by 2025, up from fewer than one in ten boards today.
Boards need to manage cyber risk just as they manage financial, reputational, regulatory and other risks. In those contexts boards define, either formally or tacitly, what level of risk they are prepared to accept for each area they manage. This defines the long-term strategy and resource allocation they are prepared to commit to in order to mitigate those risks.
Cybersecurity is no different. It is central to the prosperity and resilience of the organisation. The consequences of a cybersecurity incident can be far reaching, affecting business operations, customers, suppliers and the broader community. There are compliance issues to consider, such as mandatory data breach notification rules, as well as the continuous disclosure obligations, enforced by ASIC, that require listed companies to report any matter that could materially affect the share price.
Yet, Australian boards are languishing behind their international peers. The rapid acceleration of digital transformation efforts catalysed by the COVID-19 pandemic has not been met with a commensurate increase in board expertise in cybersecurity. While businesses become increasingly dependent on digital technologies and tools, cybersecurity awareness at the board level has barely moved.
What will it take for Gartner’s prediction that 40% of boards will have a dedicated cybersecurity committee overseen by a qualified board member to come true? There’s no single silver bullet to make this happen. It will take time – and we suspect more time than Gartner suggests.
All board members must update their view of corporate risk and accept that cyber risk and resilience are not something that can be delegated to a technical team or ignored. This doesn’t mean board members need to become technical experts. But it does mean they need to understand what risks they face and put in place strategies to mitigate them.
Education is key. Boards need to improve their understanding of the cyber threat landscape. This doesn’t mean learning the intricacies of the latest attack method employed by some gang in a far-off country. But knowing the impact of threats and cyber-attacks on the business is important.
CISOs and other technical experts need to change their language and bring boards on the journey towards greater understanding of cybersecurity. Instead of presenting security issues in terms of their effect on systems and data, translate them into the board’s language of risk and cost: the likelihood of an incident, its financial and operational consequences, and what it would cost to reduce either. This will help bring boards up to speed and let them see the value of creating a cybersecurity committee and involving the CISO.
Perhaps one of the biggest incentives that could accelerate the push towards greater cybersecurity involvement at board level could come from regulators. The federal government has already flexed its regulatory muscles through the Notifiable Data Breaches scheme, and there is a further suggestion that a scheme requiring organisations to report ransomware attacks could be coming. If regulators require boards to take ultimate responsibility for cyber, it could accelerate the shift towards more dedicated cyber board committees, greater board involvement and increased board confidence in the management of cyber risk.
Gartner’s research is right insofar as there is a need for boards to have a greater involvement in corporate cybersecurity and resilience. But the journey towards that goal won’t be achieved without a shift in attitude, culture, funding and, potentially, increased intervention by regulators.