Case Study: Keeping CPA's board up to date about cybersecurity risks

By Andrew Birmingham
Tom Duvall
Nov 9 2021 7:00AM

Boards need better information on cybersecurity, but processes are often manual.

A period of accelerated digitalisation has heightened the importance of providing information about cybersecurity to boards and management teams.


Digital Nation spoke to Nigel Hedges, head of information security for CPA Australia, which serves the credentialing and education needs of its 268,000 members in the accounting sector domestically and abroad.

Hedges says that the business' security posture has changed over the past two years as hackers have come together in groups to target businesses across sectors, with all industries fair game. This resulted in new challenges across the threat landscape.

Additionally, the need to manage all transitional activities throughout the work-from-home arrangement added to the challenge.

“That whole transition introduced another set of risk because you're moving to new suppliers, and you need to make sure you're investing with the right suppliers, you have to go through security due diligence,” says Hedges.

These changes were made under extreme time pressure, with work that might otherwise have involved months of planning needing completion in just days.

“It did require a lot more resources to spend on all the various different aspects of pivoting and transitioning to remote working all the online systems,” he says.

“Using those agile philosophies to make steps towards things, I think, certainly allowed us to move at speed.”

Given its purpose, the CPA board is well versed in cybersecurity issues, but the speed of change does raise interesting issues about the learning curve of boards generally.

Hedges believes that many board members still don’t fully understand the nuances of the cyber risk posed to their companies, despite an increase in ransomware attacks over the past 12 months.

When he spoke to his peers in the cybersecurity industry it was also clear there were myriad ways of reporting to boards, and many of them were substandard.

Fortuitously for CPA, the organisation started a process in 2019 to improve how it reported to the board and to management.

"The first challenge I had was that managing or reporting to management and the board was quite manual. So you're digging into PowerPoint presentations and trying to get the right images and things like that."

Instead what he wanted was an approach that allowed for a consistent reporting style covering the whole gamut of the risk. "What's the program? What's actually happening out there? When they hear about Colonial Pipeline, they want to know, could that happen to us? What are we doing to solve that today? What are our gaps?"

He wanted a way to track the past, present and future maturity of the cybersecurity program.

"The trap I think that some boards can fall into is relying on this annual IT general controls assessment that a lot of people do. And it's more or less like playing Whack a Mole with a set of problems and then waiting 12 months to see what the new set of problems are."

The goal was to make it easy for the board to visualise what was being done, the level of maturity across certain domains, and the change over time.

"Being able to visualise that was a big problem."

He also wanted a way of clearly articulating the risk factors. "And that includes the supplier risk because we're all having to move to the cloud and that introduces new sets of supply risk concerns, and SaaS providers."

All of this added up to the need to introduce a streamlined third-party cyber risk process to replace the inefficient manual processes, which were no longer fit for purpose.

The company saw the need to track and visualise the past, current, and future maturity of the programs it was using, and settled on a solution from Avertro CyberHQ.

According to Hedges, "They developed a platform where it was easy to put in the information, and then have a consistent way of presenting information back to a board level."

It also met CPA's need to describe the organisation's maturity against a variety of best practice frameworks. 

"Everyone's got a different flavour. Some use a NIST cybersecurity framework. Some are using ISO 27001, some are using APRA, some are using the Essential Eight from the Australian Government. So being able to pivot across all those things also was quite a useful part of the platform."

Choosing Avertro also came with its own risk, as the business was still relatively immature at that stage.

“With Avertro being a start-up a couple of years ago, there's the typical learning curve of building the product. So we worked really closely with them from that customer advisory perspective and giving them feedback on the technology,” says Hedges.

“We were quite fortunate that we had regular catch-ups with the development team, and what was proven pretty quickly is they had a very good ability to resolve these issues as we went along.”
