Having conversations about Cyber and IT in the Boardroom

Jul 14, 2021

The ever-changing technology landscape brings a lot of new language to the table, which can make cyber and IT seem complicated and like one of those technically detailed conversations.

It doesn’t have to be.

We are hearing terms such as cyber and cyber-security reported in the news with growing frequency – even as recently as last week, with the NSW Education department being hit by a cyber-attack. The Australian Institute of Criminology has released a report putting the total economic cost of cyber-crime across Australia at $3.5 billion in 2019, including $1.9 billion lost by individual victims.

As the depth and breadth of technology needed to run and work within an organisation increases, along with the ongoing maintenance that this technology entails, the risk the IT infrastructure poses to the organisation is also escalating.

As a Board director, you’re empowered to question the risks of any aspect of an organisation, and with that comes the need to educate yourself to understand those risks and your organisation’s preparedness to respond to them. It’s also worth noting that the Federal Government is working on new cyber-security standards that include corporate governance, first floated in the 2020 Cyber Security Strategy, which may hold directors personally responsible for cyber-attacks. Addressing cyber and IT infrastructure risk should be no different to addressing finance or stakeholder engagement risk, for example.

It’s important that Board directors identify these risks as organisational risks and not just an IT problem, as taking this approach will encourage your peers, stakeholders and employees to take the same approach.

In our research into cyber-security, we found that Techradar recently reported that up to 99 per cent of cyber-attacks require human interaction to execute. This is why it is so important to bring all levels of the organisation along on the cyber and IT infrastructure conversation.

So, how do you have the conversation?
The CEO is a lynchpin in the conversation, bringing information to the Board and acting as a leader for the organisation’s attitude to this topic. A great place to start is to have a strategic plan for cyber and IT infrastructure in place for the organisation, and that plan should be a regular part of the Board’s agenda and papers.

What questions should be raised at a Board meeting?
The Australian Cyber Security Centre has published a prioritised list of mitigation strategies to assist organisations in protecting their systems, called the Essential Eight. A great question off the back of those strategies is “how do we stack up?”

It doesn’t have to be that detailed, though. As suggested in the book The Secure Board, some great questions are:

  • Do we know who has access to our critical information assets and how is this monitored and managed?
  • What happens in the event a key supplier is compromised?
  • In our security team, how many people are focussed on the security of technology, and how many are focussed on the behaviours of our people?
  • Are we doing everything we can for our customers to protect their data that we hold?

The most important thing, though, is that the cyber and IT infrastructure conversation at the boardroom level starts straight away, before an incident occurs. The acceptance of these risks as organisational risks needs to be guided from the top, to then filter down through the whole organisation.

If you’d like to hear more from experts in the field, watch our recent webinar Cyber Security for Boards where Fi Mercer chats with Anna Leibel and Claire Pales about how it’s no longer a question of if you need to know about cyber-security but when you’re going to learn.

This article takes inspiration from Anna and Claire’s book, The Secure Board, which is a fantastic starting point for ensuring your board is addressing and understanding the cyber risk in your organisation.


