RSM Australia was proud to recently sponsor a Boardroom Hypothetical around a major cyber incident.
The Board was made up of Lindsay Tanner, Graeme Samuel and Chaired by Sue O’Connor - three very accomplished directors. The importance of having a strong Chairperson was highlighted given the key issues and director risk areas of focus that can arise in dealing with cyber security matters - both in crisis and as a business-as-usual consideration.
Directors will quite rightly bring to the meeting issues from their own perspective. Sometimes, however, these issues gather momentum in discussion and overwhelm the other key and threshold issues the Board needs to address. As with any other material matter the Board deals with, it is imperative that the Chairperson harnesses and gives focus to the different perspectives around the table, but not at the cost of the issues central to the business. We often see cyber discussions being brought back to the Chair as vocal and passionate directors press their particular concerns and priorities.
The Chairperson must be able to identify these shifts and exert influence to ensure the discussion stays on the issue and risks.
Our experience is that Boards deal more effectively with cyber issues, despite the unfamiliar territory, when they are not distracted by technical jargon and hype, but treat cyber security like any other business issue that is managed and mitigated through people, process and technology.
It’s just business ...
There is no doubt that cyber security is a clear and present danger to business. However, as a risk it is no different from the many other challenges that the Board and the executive management team deal with.
So what makes this particular business risk so attention-capturing for the media and the Board? More importantly, what are the key questions and points of focus that the Board should home in on?
Below, RSM Australia has reflected on the key questions that warrant discussion and answers in the boardroom.
1. What is the corporate approach to cyber security?
Information technology departments have traditionally been tasked with ensuring that everything works properly and without interruption, quietly in the background and without attracting attention. Cyber security is now drawing attention to IT, and the Board should be clear on how the enterprise is responding to cyber risk, not on a risk-by-risk basis, but holistically.
2. Is anyone in charge of cyber security and who do they report to?
Effective governance is critical in responding to cyber risks in the current dynamic environment. A key consideration is to ensure that someone is responsible for cyber security and can report to executive management or the Board directly.
3. What are the greatest risks and how are they managed?
Are they avoided, managed, transferred or insured against? Determine how the key risks have been identified and whether risk treatment plans have been adopted that are effective, commercial and realistic.
4. What are the most critical systems and data in the organisation and how are they protected?
Knowing where the “crown jewels” are is important so that the security architecture and processes can home in on these areas and provide a high degree of confidence with regard to their security.
5. Are the systems and data susceptible to cyber incidents clearly identified and known?
A cyber risk assessment should be able to identify where there exists a “clear and present” danger to systems and data.
6. What are the programs in place to address cyber security - from strategy to tactics?
The Board should have visibility of the plans and processes in place at a high level to address and respond to both strategic and tactical approaches to dealing with current and future cyber risks to the organisation.
7. How should the Board members be involved and where do they come into play?
The Board should determine its role in dealing with this issue including oversight and reporting.
8. How does the organisation learn from cyber incidents that have occurred in organisations in the same sector?
Does the organisation share its learning and experiences with other industry and sector organisations? Participating in collaborative processes, similar to how the banking industry has responded to this challenge, can be beneficial to all involved.
9. What technology has been invested in for security management and when was it last evaluated and reported on?
The investment in technology and security solutions can be significant and appropriate asset and investment appraisal processes should be followed to ensure a value for money outcome can be substantiated commensurate with the risk profile.
10. Does the organisation use a credible and well known cyber security framework?
With a number of options available, the best-fit framework should be selected in a measured and carefully considered way. This is an important process, because selecting the wrong framework or approach can be costly and time consuming.
11. What operational metrics are reported and monitored?
The following questions should be considered when assessing your organisation’s cyber security reporting and monitoring.
- How quickly are incidents identified and responded to?
- What are the results from testing of the organisation’s security measures?
- Are all sites and business units tested?
- What is the effectiveness of our user security awareness campaigns?
- Have all key metrics been considered, identified and included in a reporting process?
- Has the Board determined the most appropriate metrics to be reported to it?
12. How should the Board members be involved and where do they come into play?
The Board needs to be actively involved until such time as these risks are being managed as a “business-as-usual” activity. There may be a need for Board up-skilling, and there can be benefit in having someone work with the Board to bridge any knowledge gaps, or at least to provide a useful translation where the information coming to the Board is excessively technical and lacks commercial focus.
13. Has the organisation comprehensively and independently tested its cyber resilience and security?
Like any other area that the Board requires comfort on, there is a need to identify and determine those elements of cyber security which should be subjected to independent testing and reporting to the Board. The requirement is no different to the other areas of an organisation where the Board seeks assurance, such as the performance of internal audits over key operational and financial areas.
14. Is the organisational workforce, recognised to be one of the weakest links, given sufficient attention?
The following questions should be considered when assessing your workforce’s cyber security preparedness.
- How are employees trained and assessed on cyber security?
- Are cyber security policies developed and implemented?
- How do these policies integrate with other relevant organisational policies?
- Have they been independently reviewed?
- When were they last updated?
At RSM we can help you stay on top of alerts and ensure you are kept up to date.
If you have any queries in relation to this article, please contact our cybersecurity expert Michael Shatter.