A cyber security framework the Board will understand
There is no doubt that cyber security has taken a front-row seat in businesses of all shapes and sizes. This is even more true for companies that are governed by a Board of Directors, where members of the Board can now be held personally liable for failures that release personal data of staff or customers.
Further, the environment in which companies operate has become far less forgiving. In the Ponemon Institute's 2020 study, the average cost of a data breach was estimated at USD 3.86 million globally and USD 2.15 million in Australia.
Board members understand this impact and want to support their cyber and risk teams; however, they are often not well versed in the technology or the terminology.
Framing the conversation
Nick Scholefield, former CIO at financial services company Perpetual and current Chief Operating Officer for Cloud Managed Services and Technology at Interactive, understands the dilemma. Having reported to CEOs and Boards of APRA-regulated and privately held businesses, he says the way a Board receives information is critical to its ability to engage and provide support.
“The Board wants cyber risks in a framework that they understand. To do so, we need to move away from the technology and separate the risk from the issue, the event and the impact. The risk is not that you suffer a cyber event; the real risk is that losing customer data may breach a legislative requirement or cause reputational damage. Start there, and then share the controls you have in place to mitigate these risks and how you measure the success (or otherwise) of those controls.”
For more information and tools, check out Communicating cyber security in a language the Board understands.