Directors do not need to understand all the intricacies of cybersecurity, but they do need to understand the business impacts as well as the level of risks they are willing to accept. And that is where they should direct their research and their questions, says Thomas Fikentscher, Regional Director ANZ, CyberArk.
When boards are asking their risk managers questions about the procedures, the policies, the training and the capabilities put in place to manage cyber security for the organisation, Fikentscher argues, they should also interrogate those managers about what the implications are if and when the defences fail.
“What is the business impact of a failure? How might it be mitigated? Do we have the resources to address this issue immediately ourselves, or would we need external help? How long would that take and what would it cost?”
Fikentscher’s perspective is echoed by directors and advisors we spoke to. They agreed that, while there is growing literacy at board level around cybersecurity, significant gaps remain.
Thomas Fikentscher, regional director, ANZ, CyberArk
And the rapid acceleration of digital transformation driven by the COVID disruption which has increased competition for talented, technically literate directors means getting knowledgeable talent to join the board has become harder.
Those we spoke to about this issue say their peers mostly understand now that cyber is an absolute top-tier imminent risk, with one calling it a “lie awake in bed issue if you’ve ever been attacked.”
They acknowledge that cybersecurity is a highly technical and specialised field, beyond the scope of most directors’ experience and expertise. However, they say the role of the director is to ensure that their company is well prepared, has the right procedures in place and a high-quality leadership team that can respond quickly and effectively and that necessarily requires some level of understanding.
We asked a range of directors with experience in many industries to tell us how they view cybersecurity as a risk, and how they focus their questions. We then asked what steps can be taken to better understand the answers they are given, to ensure those answers are accurate and true.
The immediate advice is to accept that a cyber attack will hit you when you least expect it, and will probably occur in a way that you aren’t expecting. It is also important to recognise that the instigators of cyber attacks are typically sophisticated and well-organised criminals running lucrative businesses.
“We are all being kept on our toes trying to understand the nature of the risks, and how one should respond,” says Roger Sharp, the new Chair of financial services company Iress, in addition to his role as Chair of Webjet.
Sharp is also the former Global Head of Technology at ABN AMRO Bank and CEO of ABN AMRO Asia Pacific Securities, giving him a unique blend of business and technological experience.
“Boards need to ensure there are appropriate risk procedures in place, with a focus on risk management, prevention, and cure,” says Sharp.
On risk management, he says, “Cyber should be near or at the top of your risk — or audit and risk — agenda. You need to get management and the board together to talk about cyber risk at a regular cadence.”
Prevention, meanwhile, requires vigilance and investment, and companies should test both the physical and online environments.
“For example, is physical security well-established so that people cannot walk into your office and start using your computers? Are your employees trained not to pick up random flash drives and use them? Is there an up-to-date procedures manual? What cybersecurity software and services are you using?”
Gerd Schenkel, chair of Credit Clear, the founder of uBank and a former Chief Digital Officer for Telstra, cautions that it is important to recognise that there cannot be 100 percent protection from cyber risks — no matter how much you spend.
“Long-tail risks are inherently hard to manage — same as earthquakes, major fires and floods. They are unlikely, but possible, and have serious consequences.”
Instead, he advises the way to approach cybersecurity is to focus on the frameworks you can put in place, the culture you create, and ongoing conversations about cybersecurity.
“I would have a cyber risk standing item for each board meeting, invite the technical experts regularly, listen well, and don’t rely solely on vendors or consultants. There has to be some in-house expertise to provide the board with unbiased, long-term advice.”
Like Sharp, Schenkel stresses the importance of having solid response processes and capabilities in place to respond when something does happen.
“These need to be tested regularly — for example business continuity processes.”
According to Schenkel, “It’s impossible to foresee everything, but it helps to keep it front of mind.”
And as to the cure, Thomas Fikentscher offers key questions that directors should assure themselves they can answer in the event of a major breach.
- Are the accountabilities clear. Is there a defined process that identifies who does what when an incursion happens?
- Have you confirmed that the business has escalation procedures in place and that these are up to date?
- Do you have external advisors you can engage immediately when you are attacked? Does the company’s commercial relationship with them guarantee timely access?
- Does your business have a war room environment ready to go when you are attacked? And do you understand what it can and can not do?
- Who is the public face of the business when you need to communicate the breach?
- What is the company’s philosophy about paying a ransom if you are hit by a ransomware attack. What determines the decision to fight or pay?
- Does the company have cyber insurance? And do you understand the terms of coverage?
Learn more about these issues at out Translating cyber risk into business impact for Boards panel lunch. Sydney readers register here and Melbourne readers register here. Places are limited.
*The lunch is open to senior executives, risk managers, board members. No IT Vendor or consultants, thanks