7 questions Directors should ask about cyber & data security
Cyber frameworks:
The session highlighted two useful papers that all directors should be aware of:
The 2023-2030 Australian Cyber Security Discussion Paper is focused on cyber security policy and initiatives addressing a secure economy and thriving cyber ecosystem, secure and resilient critical infrastructure, and a sovereign and assured capability to counter cyber threats.
The AICD Cyber Security Governance Principles that focus on setting clear roles and responsibilities around cyber for directors with strategies and risk management practices that promote a culture of cyber resilience and help with planning in the event of a cyber incident.
How should a board approach cyber based on these papers?
The papers provide a framework upon which security managers, CISOs, CEOs, and COOs can have the right conversation with the board. The end goal should be that the board can make an attestation to the cyber policies within your company. The panel agreed that the principles need to be more than voluntary: being vague about standards or about the role of the board is not helpful for customers, staff or the community.
7 Questions you should be asking about your cyber and data posture
The session gave directors lots of practical guidance on what questions to ask. Here are seven suggestions, remarks, and questions:
Make yourself familiar with the above discussion papers as well as cyber risk obligations that can be found at https://www.aisa.org.au/.
Understand that cyber and data security governance is ongoing. A director's obligations around cyber risk are similar to those for financial and regulatory risk, except that, as an enterprise risk, cyber is far more dynamic.
Applying the cyber principles to your company is all about context, and directors should use the principles as a means of thinking through and pointing to potential blind spots. Focus on where your risk lies, what your controls are, and how you are going to effectively manage and mitigate that risk.
Regularly review cyber risks with your board with a strong emphasis on exercising and testing. A crisis is no time to come together for the first time and try to figure out 'do we know what's going on', 'who else needs to know', or 'are we talking about it effectively'. Rehearse!
Make sure your organisation is undertaking third-party intrusion drills (independent penetration tests and attack simulations), so that you are not marking your own cyber homework. Engage a reputable company to do it on a regular basis; they will tell you where your risks are. Test, test again, get the results of those tests in front of the board, and improve your processes.
If you are a services company with customers, you should be thinking about your customers as critical assets when having these conversations. Take the approach of keeping your customers safe, keeping your staff safe, and keeping the community safe.
It's an all-of-company effort and should not just be left with the CIO/CISO. Do your scenario planning to build out the very bleak scenarios that you need to think about, so that you can rehearse your response and recovery.
The panel's view was that around 90% of the threats any organisation is encountering are being encountered by other organisations as well. The risks are not novel and a lot is already known about them. It's about being prepared.
Questions you should be asking about your data:
The panel noted that cyber and data security are converging. If your company holds personal records of customers, such as driver's licences and passports, what is the public expectation about your response to a data breach? You don't want to be having those discussions in the middle of an incident, so it's about upfront planning. Some questions to think about in relation to customer data:
What information are we collecting and why?
What are we doing with it?
With whom are we sharing it?
How are we protecting it?
How is it anonymised?
What are the uses it can reasonably have?
How is it being destroyed?
How long are we holding it?
The role of government in relation to data breaches
Government plays a vital role in gathering information and building a threat picture, but you cannot rely on any signals intelligence agency or cyber security agency to be doing the work for you. What they can do is build a threat picture: what is happening, who is attacking our companies, and what we as directors can do about it. In the case of the Medibank and Optus breaches, it was highlighted that the Australian Signals Directorate and the ACSC (Australian Cyber Security Centre) played active roles, but also that these bodies have finite resources. Your organisation is primarily responsible for protecting its assets, and you need to ensure proper resources are applied to cyber and to protecting your customers. You also don't want the arm of government stretching into the boardroom.
Not just about the technical
Often when you hear the words cyber and cyber attack you focus on the technical response to an incident. It's important to think much more broadly and ask: what are the cascading consequences for customers, for society, and for institutional connections to government? You don't want to be having those discussions in the middle of a cyber incident, so it's about upfront planning. It helps to replace the word cyber with "safety breach" or "bomb threat"; you then get a clearer picture of the kind of response that is required.
I'll be attending the AISA Australian Cyber Conference in Canberra in a couple of weeks and look forward to gaining further insights into the current state of cybersecurity and the latest industry trends. Connect with me if you plan on being there.