A comprehensive study conducted by Board Surveys has revealed that the sentiment among board directors regarding the active oversight of cyber risk is far from unanimous.
Disturbingly, only 60% of directors agree or strongly agree that their board is actively managing cyber risk, leaving a substantial portion uncertain or disengaged from this critical issue. Should more directors be worried about this looming threat? Let’s dive in.
What the data tells us
The picture becomes more troubling when directors’ responses are broken down by age. Directors aged 55 and older appear more confident, with 63% believing their board actively oversees cyber risk. In contrast, only 55% of directors under 55 share that view. This age-based divergence raises critical questions about the preparedness of boards, especially in a threat landscape that changes constantly.
Particularly concerning is the level of comfort expressed by older directors. Only 7% of directors aged 55 and older disagree that their board is actively overseeing cyber risk. That sense of assurance contrasts sharply with the more sceptical view of directors under 55, 17% of whom disagree that their board is actively overseeing cyber risk.
Notably, gender does not appear to be a significant factor in shaping perspectives on cyber risk. Male and female directors of similar age groups share similar views, highlighting the cross-cutting nature of the challenges posed by cyber threats.
The need for a unified approach to cybersecurity
The research, which draws insights from the views of nearly 1,000 directors from a diverse range of primarily Australian organisations, provides a comprehensive snapshot of the prevailing attitudes toward cyber risk management.
It is crucial to note that the research predates two major cyber attacks in Australia – the Optus data breach, which exposed the personal data of close to 10 million customers, including identity document numbers for around 2 million of them, and the Medibank Private incident, which compromised the personal data of around 10 million customers. These breaches serve as potent reminders of the vulnerabilities that persist in our digital age and prompt us to question whether such high-profile incidents will lead to a paradigm shift in how boards perceive and act upon cyber threats.
Complacency is no longer tenable
The prevailing attitude of retaining detailed personal information without comprehensive scrutiny of risks and benefits is well past its use-by date. Boards must engage in deeper thinking and apply extra rigour to ensure the robustness of their cyber risk management strategies.
Hard questions must be asked, and introspection is required at every decision-making level. Boards and executive teams must critically evaluate the necessity of retaining detailed personal information of former customers. What specific information is being stored, and why is it essential to keep it? An in-depth analysis of the risks and benefits of retaining such information must shed light on the potential vulnerabilities and exposures.
How information is stored also demands careful consideration. Are the systems holding sensitive data unnecessarily reachable from the internet, increasing the risk of unauthorised access? Boards and executives need to scrutinise where that data sits, who and what can reach it, and whether stringent security measures exist to protect it against cyber threats.
Crucially, the outcomes of this deep thinking and analysis should not be confined to the realms of management teams alone. Boards must actively seek transparency, asking whether the board has shared and sanctioned the conclusions and plans derived from this critical analysis. If not, boards should proactively request the necessary information, ensuring that every aspect of cyber risk management is subject to comprehensive scrutiny and feedback.
The digital and cyber security skills present on the board
In the face of evolving cyber threats, boards must assess whether they possess the requisite depth and breadth of digital expertise. If gaps are identified, external advice and assistance should be sought to fortify the board’s oversight capabilities concerning the organisation’s digital strategy and cyber security.
Boards and CEOs must also evaluate their organisation’s capability to lead technology and information strategy and operations. Without the right expertise, a significant risk exists to intellectual property, customer data, and other sensitive information. The imperative here is not merely compliance but ensuring the organisation is fortified against the ever-changing landscape of cyber threats.
The role of the board in governing and overseeing risk remains constant, but there is an urgent need for recognition that vulnerabilities and threats are dynamic. Management teams are responsible for articulating new and emerging risks, while boards must dedicate time and curiosity to actively engage with the changes requiring oversight.
Resources to help navigate the complexities of cyber risk management
The Australian Institute of Company Directors (AICD) and the Cyber Security Co-operative Research Centre (CSCRC) have published five Cyber Security Governance Principles. These principles provide a comprehensive framework for organisations, emphasising roles and responsibilities, cyber strategy development, integration of cyber security into existing risk management, fostering a culture of cyber resilience, and preparing for a significant cyber security incident.
The Australian Cyber Security Centre’s Essential Eight, updated regularly since 2017, is a foundational benchmark for assessing an organisation’s cyber security maturity. Boards are encouraged to request rigorous analyses from their executive teams regarding compliance with these principles and maturity frameworks.
Context is paramount in the realm of cyber security. Organisations must understand their unique context and determine the appropriate level of cyber security maturity. What may be deemed high for a bank or insurer handling millions of transactions annually might not be necessary for other entities. Keeping things in context and seeing the big picture allows boards and executive teams to effectively tailor their cyber risk management approach.
Delve into the intricacies of your board’s operations
See how your board stacks up against the performance and effectiveness of over 400 other organisations across the 20 most critical areas for board excellence. Alternatively, you can request a customised proposal for a comprehensive review tailored specifically to your board’s unique dynamics and challenges. Learn more by speaking with the team at Board Surveys today.