Earlier in the year, Digital Nation held its first 'Digital as Usual' event for 2024, bringing together board members, cyber security experts and C-suite level players to discuss various angles of the cyber experience across an organisation.
Recent high profile cyber security incidents at organisations including Optus, Medibank and Latitude Financial have done more than just raise the profile of cyber as a business risk.
They have forced a reappraisal amongst boards regarding their role in helping defend organisations against attacks and led to entirely new approaches to securing digital systems and assets.
With board directors responsible for steering the strategies of their organisations, it is not surprising to see that many are taking a much greater interest in cyber issues, and taking a more hands-on approach to its management.
The Australian Institute of Company Directors' 2022 report, Cyber Security Governance Principles, stated that Australian directors consistently identified cyber security and data theft as the number one issue keeping them awake at night.
Company director Andrew Baxter, whose portfolio includes Australian Pork, the Sydney Symphony Orchestra and OzHarvest, has noted a massive increase in interest in cyber among his fellow directors, with the topic now firmly entrenched within board papers.
"The risk of the valuation of your business dropping, particularly if you're a listed company, is huge," Baxter said.
"With Medibank, you're talking about billions of dollars of market cap being lost off the back of a breach. So there's not only the brand reputation risk, there's not only personal information being leaked out, but there's also a financial implication that boards need to consider."
Board agendas
Baxter says one of the most common representations of the changing approach by boards to cybersecurity is its elevation on meeting agendas.
"Many boards will have a 'deep dive' section in each of their board papers and depending on the board," Baxter said.
"Now all of a sudden cyber is one of those deep dives on most board agendas."
The second change has been the greater willingness to listen to cyber experts at board meetings.
"Just hearing the practical firsthand experience of what they did, how they reacted and what they've put in place since to ensure that these things don't happen again has certainly come to the fore," Baxter said.
"If board directors are governing strategy and governing the execution of that strategy, as well as the risk around it, then these are critical things they need to be worried about."
However, heightened interest at a board level does not always translate to a new approach to cyber throughout the organisation.
Company director and cyber specialist Craig Davies believes there is a significant difference between the approach taken by ASX 100 companies, which are heavily invested in cyber defence, and that of the rest of the business community.
But within those mature organisations, Davies sees a significant change occurring in the form of leaders taking a more human-centred approach to cyber defence.
"We do know the number one issue in protecting an enterprise is the people element," Davies said.
The people problem
According to Davies, leaders would be well-advised to take a leaf out of the car industry's book: it has recognised that people are the primary cause of accidents and has therefore engineered vehicles to reduce the potential for harm.
"If they (drivers) do make a mistake, there's a possibility they could be okay," Davies said.
"Yet for many organisations, they still have to deal with the probable fact that a person can click on a link and can take out the majority of the organisation.
"Organisations that understand that this could really stuff their businesses actually plan for all the scenarios, they workshop the scenarios and they even workshop what the communication looks like and who it comes from."
This notion of anticipating a possible incident and rehearsing the response is also championed by Klaus Bartosch, CEO of the venture capital firm Dreamoro.
However, he cautions that no organisation can truly know the strength of its program until it is put to the test by external agents.
"Getting independent parties doing threat assessments of your environments in your business by attempting to hack you is a good place to start," Bartosch said.
"If you haven't had those kinds of independent external examinations performed, how can you possibly know where you think your real threats are?"
His next recommendation is to ensure the organisation has a mature capability for understanding the different threats it faces, along with the potential impact those threats pose to external stakeholders and customers.
"Thirdly, most companies use multiple third-party software products to do what they do," he said.
"How many companies have actually asked those same software companies to provide them with a detailed certification and plan to manage and protect their data?"
Regulation
An additional challenge has been the increased oversight of cyber defence being wielded by the Australian Government, which Davies likens to the stricter occupational health and safety regulation introduced decades earlier.
"All of a sudden we've got a couple of criminal convictions for negligence and everybody's wearing fluoro," Davies said.
"I think that's the evolution you will see happening, particularly as companies and organisations generally start to understand just how critical these issues are to how they operate."
However, he cautions that mandating that organisations meet specific standards can have detrimental consequences, in the form of 'compliance theatre'.
"People get the spreadsheet and take it all literally and they implement processes or policies that are never followed up, or never present any evidence," Davies said.
"They can say they are compliant to the standard, but they are actually not, because they will still get breached."
According to Bartosch, this phenomenon provides organisations with an excuse to only meet the minimum requirements.
"What they should be doing is focusing on properly protecting their business, their data, their people, their customers' data and the impact on their business from a shareholder's perspective," Bartosch said.
Ultimately, Bartosch believes changing approaches to cyber will eventually lead boards to confront one of the most important questions of all – who should lead that response.
For Bartosch, the answer to that question is not the CIO.
"Is it not a conflict of interest?" he said.
"A company needs to have that function operating independently in order to get the kind of rational appraisal and assessment and plans built for the business.
"Cybersecurity isn't just an IT problem. There are all sorts of ways that an organisation can be breached that aren't limited to technical IT breaches, so how are you going to deal with that and manage that as part of a process?"