The cyber risks that organisations face today will not be the same as the risks they face tomorrow. One way to ensure your organisation’s cyber resilience is for the board to endorse a robust cyber risk framework. The AICD asked Nigel Phair GAICD, Managing Director of the Centre for Internet Safety at the University of Canberra, what directors and senior executives need to know about building a successful framework.
AICD: What is a cybersecurity risk management framework and what should it look like?
NP: A cyber risk framework should dovetail with your organisation’s existing risk framework. There should be dependencies between physical risk controls and cyber risk controls.
The first step is to identify and classify the information held by the organisation. This should entail determining the importance of the information, who the owner is (and therefore who is responsible), who has access to the information and under what circumstances. The second step is to prioritise the IT infrastructure assets, where decisions are made about what technology is used to store and access data. The third step relates to the people element of cybersecurity. It involves creating, defining and communicating a culture of cybersecurity throughout the organisation.
AICD: How should a cyber risk framework be used by executive management and the board?
NP: On a day-to-day basis executives and the board should be using a dashboard of the cyber risk framework that is regularly updated and shows trends and issues as they occur. A good dashboard will provide an at-a-glance view of how the organisation is performing, while still allowing the board and management to drill down into the detail of specific performance measures. Numbers-based is best, with agreed baselines and tolerances so performance can be measured and benchmarked. Using a traffic light protocol is just one way to make it practical.
AICD: How can boards support the implementation of a cyber risk framework in their organisation?
NP: Cybersecurity is a journey with no end destination. While it is important for directors to stay up to date with a cyber risk dashboard, they can add value by keeping it high level and asking themselves how a cyber attack will disrupt the future of the organisation, and what the impact could be on share price or on the organisation’s stakeholders and their expectations. The technical information presented to the board by the CIO may be interesting to some, but is not necessarily of broader value.
Organisations should develop a strategy, overseen and endorsed by the board, on how they will invest in and exploit technology over the next three years for business improvement and growth. Use of these emerging technologies will be the key to enhanced productivity, service delivery and even shareholder returns. A cyber risk framework should reflect this strategy and the new risk scenarios it presents for the organisation.
This content is brought to you in partnership with Optus Business.