Practical steps for directors on how to manage cybersecurity breaches


    The message from cybersecurity experts is that breaches are no longer just an IT issue, with boards and management increasingly accountable for them.


    Nigel Phair GAICD, a professor in the Department of Software Systems and Cybersecurity at Monash University, thinks cybersecurity risk should be elevated from an operational or technical level to that of a strategic risk.

    “It needs to be integrated into all facets of board governance, risk and strategy discussions,” he says. “It also needs to be measured using a recognised maturity model, which incorporates testing, independent reviews and dynamic dashboards. To become proactive, boards need meaningful measurements for their cybersecurity program, to receive regular updates and build expertise in the boardroom.”

    Similarly, Chirag Joshi MAICD, founder and chief information security officer (CISO) at 7 Rules Cyber, wants boards to ensure cybersecurity is incorporated into enterprise risk management. He says it’s an approach that regulators, including the Australian Prudential Regulation Authority (APRA), are taking. For example, APRA’s Prudential Standards CPS 230 and CPS 234 explicitly hold boards and senior management accountable for governing and managing cyber risks as part of an organisation’s overall operational risk management — a cultural shift from reactive risk management to proactive deterrent strategies.

    Joshi adds the focus is increasingly on material risk management, or risks that could significantly affect the organisation. “It’s not good enough to say we are compliant with ISO/IEC 27001 (the international standard for information security management systems). Now it’s more about actually addressing risks,” he says. “This means boards don’t need to focus too much on the underlying technology. Instead, they should ask management to articulate the risks at a strategic level.”

    What’s a board to do?

    Akash Mittal GAICD, CISO for group security at Sumitomo Australia and a member of the Cyber Australian Information Security Association’s executive advisory board, says boards should ensure cybersecurity is a standing item on every board meeting agenda and suggests a dedicated cyber risk committee could be useful at larger organisations.

    The board’s composition is also important. “Often, boards lag behind the rapid pace of technological change,” says Mittal. “To address this, they must become more diverse, not only in experience and perspective, but also in age and technical expertise. Including younger members with tech backgrounds can help boards better understand the opportunities and risks associated with digital transformation and cybersecurity.”

    David Gee GAICD, an adviser with Bain & Company, JS Careers and Emertel, says boards should examine whether their take on technology adequately covers cybersecurity.

    “In many cases, it won’t,” he says. “A big four accounting partner may understand risk management generically, but not enough about cyber risk management to be able to bring the other board members on the journey. Once you have one cyber-savvy board member, then some degree of training can be useful to reinforce the existing members’ cyber awareness.”

    Mittal says boards should also foster a culture that prioritises awareness and accountability of cyber risks. “Boards should define what a cyber risk-aware culture means for their organisations. This includes fostering open and transparent communication between the board and key executives such as the CEO, chief risk officer, chief technology officer and CISO to ensure better visibility and alignment.”

    Joshi believes in defining the organisation’s responsible risk appetite statement and setting thresholds for cyber-related risks.

    Gee says boards shouldn’t get comfortable with their cyber risk appetite. “Comfort breeds complacency and reduces the team vigilance necessary for effective cybersecurity governance. Risk appetite must be a dynamic framework that evolves with the rapidly changing threat landscape, requiring continuous reassessment rather than settling into a static comfort zone.”

    Joshi is seeing more use of cyber risk quantification, where cyber risks are expressed in financial terms to give the board a better grasp of their materiality and the organisation’s financial exposure. He says this enables companies to prioritise risks based on their potential financial impact and make informed decisions about where to allocate resources. It also helps in assessing whether insurance coverage is sufficient and in negotiating insurance policies.

    In the toolbox

    Phair says boards should receive the same cyber hygiene training as other staff members. However, those serving on a risk and audit committee should take a deeper dive into learning the specific risk management frameworks the organisation is using, specifically the practicalities of the control framework in use.

    Gee believes simulations are important. “Boards need to participate in these at least annually and observe how the scenario worked or didn’t work,” he says. “They need to ensure the exercise is a sufficiently plausible scenario and that the team is as prepared as possible. They want to understand their own role in this crisis and if the internal and external facets are well-coordinated.” Instead of making things up on the run, he says simulations provide a playbook on who will do what in the face of an attack. They also identify areas for improvement.

    Useful questions for management

    Chirag Joshi from 7 Rules Cyber lists questions boards should be asking:

    • Do we have sufficient understanding of where our critical data and information assets are?
    • How are we ensuring we are tracking the right risks relevant to us?
    • Is our cyber risk appetite statement adequate to inform management controls?
    • What is management doing to articulate cyber risks in financial terms?
    • What are our weaknesses and how are we reducing them?
    • How is management ensuring control effectiveness?
    • Can you provide leading and lagging metrics, for example, on where we’ve experienced incidents or compliance issues?
    • How are we addressing our third-party or supply chain risks?
    • Is our insurance coverage fit for purpose?

    Pros and cons of AI

    Phair says there’s more good than bad in the use of AI in security programs. “It can be used to scale threat detection and response, create predictive threat intelligence models, analyse user behaviour and automate incident response. Of course, criminals are also using AI for more genuine, hyper-personalised phishing attacks, and to create and distribute malware at scale.”

    Gee warns AI can increase potential entry points and vulnerabilities attackers can exploit. “We should view AI as an incredible business opportunity for productivity — and an incredible new risk. And be careful not to score an own goal. Beware the ‘AI will fix everything’ mindset and don’t use it as a band-aid for fundamental security weaknesses, rather than addressing the root causes of poor cybersecurity hygiene and processes.”

    This article first appeared under the headline 'Sentry duty’ in the September 2025 issue of Company Director magazine.
