How to Attain Executive and Board Oversight of Your Organisation’s Cyber Security Posture

In a recently published industry report, insights obtained through surveying over 300 Australian CEOs on what is “Keeping Us Up at Night” highlighted “Protecting and dealing with Cyber Risks” as the primary concern for CEOs in 2024 and the next three to five years.

As CEOs and Boards face increased fiduciary obligations over cyber security risks, the escalating frequency and sophistication of cyber threats underscore the importance of Boards and CEOs being aware of risks, having mitigation strategies, and being prepared for potential breaches. Failing to address Cyber Security adequately may result in severe consequences, including financial losses, reputational damage, and legal implications.

Here is a summary of several best practices to ensure Executive and Board oversight of Cyber Security:

  • Establish a Cyber Security Governance Framework: Develop a clear governance framework outlining roles, responsibilities, and reporting structures for Cyber Security oversight.
  • Cyber Security Training and Awareness: Ensure that executives and board members receive regular training on Cyber Security issues to enhance their understanding of risks and the importance of proactive measures. Invest in Cyber Security technologies and employee training to keep pace with evolving threats.
  • Regular Risk Assessments: Conduct regular cyber security risk assessments to identify and evaluate potential threats, vulnerabilities, and the impact on business operations, supply chains, and customer/client data.
  • Incident Response Plan: Develop and maintain an effective incident response plan that dovetails into Disaster Recovery and Business Continuity plans to ensure a swift and coordinated response to cyber incidents.
  • Cyber Security Expertise: Engage Cyber Security experts and consultants to provide independent assessments, audits, and recommendations for improving cyber security posture.
  • Legal and Regulatory Compliance: Stay informed about evolving Cyber Security regulations and legal requirements, ensuring compliance with relevant laws and standards.
  • Board-Level Oversight Committee: Establish a dedicated Cyber Security committee within the board to focus specifically on cyber security issues, ensuring continuous attention and expertise. This may also support Audit and Risk committee efforts.
  • Regular Board Updates: Provide regular updates to the board on Cyber Security matters, including threat intelligence, incident response activities, and the effectiveness of implemented security measures.
  • Key Performance Indicators (KPIs): Develop and monitor Cyber Security KPIs to measure the organisation’s performance in managing and mitigating cyber security risks. Examples include incident response time, employee training completion rates, and vulnerability patching speed.
  • Insurance Coverage: Evaluate and secure appropriate cyber security insurance coverage to mitigate financial risks associated with potential cyber incidents.
  • Integration with Business Strategy: Align Cyber Security strategies with overall business goals, ensuring that security measures support and enhance the organisation’s objectives.
  • Vendor Risk Management: Implement a robust vendor risk management program to assess and manage Cyber Security risks associated with third-party vendors and partners.
  • Communication and Transparency: Foster a culture of open communication and transparency regarding Cyber Security issues, encouraging reporting of incidents and lessons learned.

If you are interested in elevating your organisation’s cyber security conversation from just technical controls to preventative measures across people, process, and technology, contact us for a confidential discussion.


Reference:
KPMG Australia (KPMG.com.au), “Keeping us up at night: The big issues facing business leaders in 2024”, published January 2024.