5 minute read
What should the cyber security committees report to the boards of directors?
By Mouaz Alnouri
Irecently attended the Gartner Security & Risk Management Summit 2023 in Sydney. During the conference, Gartner predicted that board governance would evolve over the coming years. Gartner predicts that by 2025, 40% of boards will have dedicated cyber security committees overseen by qualified board members.
I also recently attended the company directors course by the Australian Institute of Company Directors, which helped me better understand the duties and responsibilities of company directors and what things typically concern them.
Hence, I decided to write this blog post to combine my knowledge from the cyber security industry and my learnings from the company directors course to help cyber security professionals and directors work together on managing cyber security risks for their organisations.
Cyber Security is an Increasing Interest
It’s not surprising that boards are beginning to care more about cyber security. The increasing interest is because the Australian Cyber Security Centre has observed over 67,500 cyber crimes during the 2020-21 financial year, representing an increase of nearly 13% from the previous financial year.
The board of directors is responsible for reviewing the appropriateness of the organisation’s risk identification, assessment, management, monitoring and reporting processes. And cyber security is all about risk management.
So it makes sense for the boards to view cyber security as a business risk and keep a close eye on it.
Boards rely more on committees to play a significant role in the board’s cyber security risk oversight activities. These include ensuring the organisational culture aligns to its risk appetite, purpose and strategy; and developing and supporting organisational resilience, including a robust crisis management capability.
So what would the cyber security committee report to the board during the board meetings?
Risk Rating has Changed
The cyber security committee must first report the cyber security risk status driven from the cyber security risk register that the committee monitors.
The board would be interested in knowing the risks that changed their rating over the reporting period, especially if the risk has moved from low to high. The rating will vary if the risk likelihood has increased if, for example, another company in the same industry got compromised. Or if the risk impact has increased if, for example, the backup system or disaster recovery site stopped working due to a technical failure. These risks need to be brought to the board’s attention to answer the question, “what do I need to worry about?”. And, of course, they need to be brought with a control, mitigation and treatment plan for the board’s approval.
Emerging Risks
Other significant risks to be brought to the board include ‘Emerging Risks’. They are new risks driven by social, economic, political and pandemic circumstances, such as the conflict between Russia and Ukraine, fast-tracked digital transformations due to COVID-19, working from home arrangements, and legislation amendments.
Audit for controls, mitigations and treatments
Another key matter the cyber security committee updates the board with is the status of the control, mitigation and treatment activities applied to existing high risks to reduce their level (likelihood and impact) to medium or low. The status of the control, mitigation and treatment activities will answer the question, “Is our approach defensible?”.
The cyber security committee needs to report when these controls, mitigations and treatments did not stop a threat and triggered an incident. Then, prioritise actions required to build a sustainable program that balances the need to protect against the requirements to run the business.
An example can be to report the number of operating systems that are not updated within the acceptable timelines, the number of failed backups, number of applications used by the staff and are not whitelisted, among others.
Cyber Security Projects Update
Another essential item to communicate with the board of directors is the status of cyber security projects. These are projects the board has approved and provided funding to control, mitigate or treat risk and reduce its level (likelihood and impact).
It is essential to report to the board if the projects are on track or off track and seek support and advice if any tasks are blocked.
Indicators for Security Conscious Corporate Culture
Your people are your cyber security strategy's core and your best defence. So, every organisation should build a security-conscious culture to reduce the number of cyber security incidents caused by human activities.
It is important to report to the board the indicators that measure changes in employees' behaviour in relation to cyber security. These are not security awareness training completion rates and phishing simulation click-throughs. These include the number of suspicious emails reported by employees rather than ignoring or deleting them and the number of executive briefings on spear-phishing.
Communicate Effectively with the Board
Each of the above items will create items for discussion and decisions to be made. For each item, you need to:
• Lay out the problem: Use storytelling to educate the board of directors on how things work and describe the limitations of the current state
• Define the objectives and criteria for the solution: The board doesn’t know what bad, good or great looks like.
So make sure to provide a big picture of the desired state and describe what success looks like.
• Generate Options: You need to help the board understand the decision it needs to make. Co-create a strategic story through a focus on business trade-offs.
• Evaluate Options: Help the board map the options to the business capabilities, funding and the company strategy to select the best option and provide direction and funding as required.
Recommendations
There is no standard template I can provide for cyber security committees to report to the board. However, the above items provide a starting point for reporting cyber security posture to the board of directors in the most effective way. You can always add more items as you see suitable. The best way to add items is to observe what questions the board normally asks and include them in future reports. I would also encourage you to ask the board members about their questions related to cyber security and include the answers in the report.
Most of the members in cyber security committees include senior cyber security professionals like the CISO. So, one last piece of advice I have is that these professionals must understand their liability for the decisions taken by the board if they participate in the decision-making process.
By law, any individual who exerts influence or control over a company is considered a shadow director. This is despite not being officially appointed as a director. So, if you participate in the decision-making process, beyond giving advice, you have the same legal responsibilities as a registered director.
Remember that management's primary objective is to provide information to the board of directors with data to enable them to make key operational and strategic decisions that allow the organisation to achieve its strategic outcomes.
About the author:
Mouaz Alnouri is a technology enthusiast. With over a decade in the IT services industry, he’s provided intelligent solutions for complex problems throughout his career. He’s worked with major technology and telecommunications firms, including Telstra and NBN. Mouaz is leading the team at Skillfield with a passion for protecting Australians and their businesses from hackers and all sorts of bad actors.