Treating cybersecurity as a strategic asset involves proactively integrating it into business planning, not just as a cost centre, to protect critical assets, build trust and gain a competitive edge in the digital landscape.
Every six minutes, Australians report a cybercrime. Small businesses are hit the hardest financially, according to the Australian Cyber Security Centre (ACSC), losing an average of $49,600 per incident—an eight per cent increase from last year. Boards need to treat cybersecurity as a strategic asset.
Boards are underestimating the risk they face from cyber threat actors. Infiltration can and does happen. Making cyber security a specific responsibility of one area of the business identifies it as a major priority. Spreading responsibility across several departments no longer provides the focus required to prepare and act when the inevitable occurs.
There’s growing agreement among policy and cyber experts that boards can create long-term value by moving cybersecurity beyond IT departments and compliance tick boxes.
In FY2023-24, the Australian Signals Directorate (ASD) received over 36,700 calls to its Australian Cyber Security Hotline, an increase of 12 per cent from the previous financial year. ASD also responded to over 1,100 cyber security incidents, highlighting the continued exploitation of Australian systems and the ongoing threat to our critical networks. The average self-reported cost of cybercrime per report for individuals rose by 17 per cent last year to $30,700, the ASD said.
By integrating cybersecurity into the heart of strategic decision-making, boards can not only mitigate risks, but create long-term value, enhance resilience and build trust premium with customers and partners.
Bridging the divide between business and technical is at the heart of elevating cybersecurity as a strategic asset in the boardroom, says Chirag Joshi MAICD, vice president of the Information Systems Audit and Control Association Sydney and founder of 7 Rules Cyber advisory.
To bridge the gap, he says boards need to treat cybersecurity in the same way as financial and legal risks.
“We’re moving beyond cyber as a cost centre,” he says. “It’s no longer restricted to tools protecting your devices, it’s about business growth; something material to investors.”
Board priorities:
- Compliance is the bare minimum.
- A ‘tick-the-box’ approach will leave your business unprepared.
- Cyber threats are evolving faster than regulation can keep up.
- Cyber resilience requires many approaches, including education of staff to common threats, robust defence and security practices and vulnerability testing.
Cyber breach losses
Joshi says cyber risk quantification (CRQ) — tying cybersecurity initiatives as closely as possible to revenue and business disruption costs for an organisation — provides a crucial link to the materiality of cybersecurity and thus corporate strategy.
“Risk quantification challenges organisations to consider strengths and areas that are material to them,” he adds. “And to consider the financial, people, systems, regulatory costs and revenue losses associated with a cyber breach.”
Moves by the US Securities and Exchange Commission (SEC) to mandate reporting of cyber incidents and cyber governance arrangements, along with consideration of the expertise of management and board directors to manage material risks from cybersecurity threats, are also evidence of a momentum shift.
It’s not good enough for boards to just look at updates from the management team. They also now need to lean in and influence decisions due to materiality, he says.
Cyber event simulations
Darren Hopkins, forensic technology expert and partner at McGrathNicol, says board-level committees have a key role to play in enhancing decision-making around cyber resilience.
He says committees should make faster decisions, meet more regularly, have a larger agenda and become more detailed and aligned to the business strategy. This provides insights into key issues which can be reported to the board.
Hopkins notes that scenario planning and simulations that test protections and systems are among the fundamentals technology committees should use to embed cyber resilience in corporate strategy and risk management.
“As Security of Critical Infrastructure Act 2018 regulated entities, you have to do a simulation every year and you have to report that back through the Act,” he says.
“The reason they’re asking everyone to practise for a cyber event is because they’re not common, but when they happen they’re devastating. So how do you make sure you’re ready and match fit if you haven’t had a chance to test your plans?”
ASIC has also put boards on notice. Chair Joe Longo has issued multiple warnings to directors to make it their business to be across cyber resilience and to make cybersecurity a priority. Penalties, fines and even prison terms are among the serious consequences for corporate boards that fail to protect against cyber threats.
Cyber literate boards
Daniel Sekers GAICD, co-chair of Votiro Cybersec Global — recently acquired by Menlo Security — believes boards must actively champion cyber resilience as a core part of every organisation’s culture.
“Cyber resilience isn’t just a technical issue, it’s a business imperative,” he says. “Boards and directors must foster a shift in mindset and view it as a strategic enabler. If directors lack technical expertise, the solution is simple — they must upskill. A board that isn’t cyber-literate is a board exposing its company to unnecessary risk.”
Curiosity and continuous learning are fundamental for directors in an increasingly digital world.
“You don’t have to be a cyber expert, but you do have to exercise curiosity,” he says. “Cyber resilience should be a standing board agenda item. Alignment between the board and executive team is critical — when cyber is prioritised at the highest levels, it filters through the entire organisation.”
Value proposition and brand identity
Cyber resilience, when executed well, isn’t just about protection, says Sekers.
“Organisations that embed cyber resilience into their core business strategy will gain a competitive edge in customer confidence, regulatory trust and investor appeal. Investors are increasingly assessing cyber resilience as a key measure of risk management, revenue protection and, ultimately, shareholder value.”
Sekers warns that boards continuing to treat cybersecurity as a compliance exercise are failing to see the bigger picture — and they risk a significant fallout when a breach occurs.
“The boards that lead in cyber resilience are those that see it as a strategic asset, proactively investing in it as part of long-term business sustainability,” says Sekers.
Companies that embed it into their corporate DNA will not only protect their assets, but also enhance their brand, investor confidence and competitive positioning. For boards, the message is clear — cyber is not just an IT issue, it’s also a leadership and culture responsibility.
Competitive advantage
Sekers cites Apple as a prime example of an organisation that has successfully turned its cyber governance into a competitive advantage.
Unlike companies that must first undergo digital transformation before achieving cyber resilience, Apple’s digital-first DNA has positioned it ahead of the curve.
“Apple has embedded security and privacy into its brand and that’s a clear differentiator in its product ecosystem,” says Sekers. “They don’t treat cyber as a regulatory necessity. They see it as a trust enabler and a market advantage. They publicly champion security and privacy and that messaging resonates with consumers and investors alike.”
Practice resources — supporting good governance
AICD’s contemporary governance practice resources for members:
Cyber-security Governance
- AICD's Key Components of a Strategic Cybersecurity Approach
- Cyber Security Handbook for Small Business and Not-for-Profit Directors
- AI Fluency for Directors Course