Awareness is growing amongst industry, government and business leaders of the critical need to uplift cyber resiliency in Australia. It’s hard to miss the ever-present reports of the latest victims of ransomware, significant corporate data breaches, and the growing aggressiveness of foreign state actors using cyber-enabled interference.
This rising cyber threat has led to various attempts to improve resiliency; however, it is becoming self-evident that these are not moving the bar in the right direction. In fact, recent data has highlighted something that many in the industry have long suspected – that too much focus on regulatory compliance at the executive level actually makes organisations less equipped to respond to a cyber-attack. Board members and senior executives need to ask how they can create the ‘culture-shift’ needed to build an effective foundation for cyber resilience, and what role security leaders play in this.
Cyber security is now firmly entrenched as a board level and executive committee agenda item. But often it is still treated as a special case, separate from broader enterprise risk management. This often plays into traditional corporate structures or power bases with little interest in security. We still have a way to go culturally before cyber risk receives appropriate consideration amongst a broad spectrum of senior stakeholders, similar to other major corporate risks.
Typically, in Australia, cyber security sits within the domain of technology, which itself is often not the foremost concern of senior stakeholders in delivering their objectives. As a result, security lacks the firepower or collective support to break through as a top corporate priority across an organisation.
Yet we are seeing green shoots emerge as leaders become aware of the devastating financial and reputational impacts that cyber breaches bring. Organisations are adapting their corporate governance so that cyber security has an equal seat at the table across business lines.
Security needs a voice at the top table
In the modern operating environment, it is imperative that frameworks are developed so that aggregated organisational cyber risks are effectively positioned at senior leadership and board level and are duly considered in decision making alongside more traditional corporate risks. This requires the security leadership team to step up and be more front and centre in executive forums, and this changes the mix of skills and experience needed for these roles. Addressing cyber risks more explicitly in pursuit of business objectives may also require a ‘culture-shift’ so that funding is prioritised over other, less risky areas.
In a great example of this culture-shift, I recently facilitated a cyber-strategy workshop with a large organisation at the senior executive committee level. Towards the end of the workshop, the CFO commented, after strategic cyber-risks were tabled, that while she understood the challenge, no funding was actually available in the technology line to address corporate cyber risks. This was in spite of the fact that some cyber risks were well above the organisation’s risk appetite and would be more damaging than some other corporate risks being addressed. It required the injection of the CEO to highlight that the task of a leadership team is to consider cyber risks alongside more traditional (and usually well accepted) corporate risks and investments, and to allocate funding and resourcing accordingly.
Building culture requires the overcoming of inertia
There is often severe inertia, particularly in larger organisations, to anything that impacts existing executive priorities and sentiments. It is understandably hard to relinquish the natural desire to grow and transform your agenda and yield instead to ensuring the security of that agenda, where the cost is typically viewed as insurance rather than a transformation enabler. The ‘secret sauce’ for senior management and boards to navigate this path effectively is to demand collective accountability for cyber risks at the most senior levels of an organisation. This changes the dynamic for cyber security decision making and positions it appropriately as an enterprise issue across business lines, not a deflected accountability buried somewhere in technology. It also enables security to be seen as foundational across the leadership group, and not just a technology cost centre item.
Effective cyber resilience can only become culturally pervasive with a strong executive mandate and accountability across and into the business. The goal for security leadership teams is to strongly advocate for this culture-shift and provide the necessary insights and visibility to impact executive decisions and decision makers. The ideal approach for these insights is a formalised, measurable and defensible one that highlights the business risk reduction and capability improvements afforded by investments in cyber. Importantly, the agreed approach should clearly draw attention to what is being done to mitigate cyber risks and, conversely, what is not being done and the potentially elevated residual risk scenarios that result.
Balancing the competing regulatory pressures on cyber with the need to appropriately protect the business is why an effective cyber strategy is essential. The best approach is one where executive stakeholders and boards understand the risks in the context of enterprise risks, current cyber capability, investment scenarios, what the result will be and over what period, and how it is tracking. Once this level of clarity becomes part of the regular cyber reporting cycle, then everything – be it cyber risk or regulatory – becomes an informed decision, and there is a genuine ability to influence and impact cyber risk across the organisation. This is the ‘culture-shift’ that creates a genuine foundation for effective cyber resilience in your organisation.