Boards less tolerant of cyber risk, increasing cyber literacy

Rapid advancements in cybersecurity capabilities and the increasing threat of cybercrime is forcing boards to upskill when it comes to cyber literacy.

Speakers at the Governance Institute Australia National Conference 2021 discussed how the threat of cybercrime will impact boards and executives going forward.

• Subscribe to Digital Nation Australia's twice-weekly newsletter

According to Narelle Devine, Telstra’s chief information security officer Asia Pacific, cybersecurity threats have evolved immensely over the past five years, as have boards’ attitudes towards them.

“From a board perspective, boards have really changed their risk appetite over the last five years,” said Devine.

“I wouldn't say that they we're ever happy to accept cyber risk, but they've become much more educated and understanding of what that means, and they are much less tolerant of cyber risk.”

While businesses will never be 100 per cent secure, Devine says its about understanding the business risks and finding the right the balance.

Devine also believes that from a business perspective, leaders must continue to increase their cyber literacy in order to create the most effective security for their organisations.

Tracey Edwards, director security services MLC Wealth/IOOF, believes cyber literacy is now mandatory at the board table, especially when it comes to investment decision-making.

“Influencing where the board is best to spend their dollars to solve issues, they need to then understand that there is no silver bullet,” she said.

“While this evolves, boards must actively become educated in cyber risks in their organisation.”

In addressing this threat, Dr Marcus Thompson, Founder of Cyber Compass and board director at Engineers Australia said that accountability and knowledge of the required fiduciary and governance responsibilities is in the board’s hands.

“Ultimately, the accountability sits with the board, so you need to be addressing it in the same way you think about workplace health and safety and maybe even solvency,” he said.

In dealing with a threat, many boards are concerned by the vulnerability and ramifications of admitting that an incident occurred.

While unintentionally sharing information to potential adversaries and the lowering of share prices is a risk, transparency to customers and building the relationship of accountability and trust is crucial, said Devine.

“You do want to be careful about what you do there, but there is a real relationship and trust component to this and the more that you can share quickly, honestly, the better you maintain that trust relationship, particularly with any supply chains that are impacted or partners or people that are kind of sitting on the boundary of that particular attack,” she said.

“I think we just need to shift the discussion from feeling like a victim when this stuff has happened to being happy to talk about it.”