Board Members’ Guide to Cybersecurity Governance: Understanding Roles and Principles

Cybersecurity Governance

Cybersecurity Governance Principles – Set clear roles and responsibilities

The Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre recently put out a joint paper. It provides some guidelines around cyber security for board members. It focuses a lot on red flags – signs that you’re not doing well. But if you see those red flags, what next?

Welcome to the first of our blog posts on the AICD’s governance principles. This one is focused on setting clear roles and duties. We’ve put together a list of action points for you, based on the red flags. If your board has red flags, follow these points to amend each one.

1.   Include cyber risk and strategy on board agendas

Cybersecurity can’t just be the concern of the IT department. It’s everyone’s mission. What’s more, strategy and budget decisions in this area must come from the top down. The board has to know what’s going on, and lead changes for the better.

Ask a subject matter expert to provide cyber risk updates at every board meeting. Choose someone who knows the full status of security measures in the organisation. It might be an internal team member or external contractor, depending on your setup. These updates help the board to stay aware of the issues. Also, add regular security agenda items. This will help keep the board driving strategy. Talk about what you need to do to counter the risks your board is hearing about. But don’t let these measures become a mere formality. Your board needs to be engaged and involved at every turn.

2.   Annually review director understanding of cyber risks

Don’t expect directors to be cybersecurity experts. They won’t be, and they shouldn’t be. However, your board needs to understand the base concepts. They must be able to make the crucial decisions when they need to. When the board has a basic knowledge of the subject, it can respond faster to a critical threat.

Run an annual review of director knowledge. Invite a subject matter expert to walk directors through recent changes to the cybersecurity landscape. The goal is to boost board members’ knowledge enough to tackle key issues as they arise. Directors can also benefit from regular awareness training. This gives them insight into the challenges that other people in the company are facing.

3.   Make cyber security reports to the board of directors simple and clear

Cybersecurity is a complex subject. Directors need to be able to quickly grasp key information. Reports can easily end up bogged down in industry jargon and complex details. This makes it difficult for the board to move quickly on the reports when action is needed. Simple, clear reports aid in making high-level, critical decisions.

Write reports that are simple and easy to understand. Leave out industry jargon. Highlight key data that will help the board make strategic decisions. If you need to add more detail, use the same style. Keep it simple, brief, and clear.

4.   Implement external reviews and QA for cybersecurity strategy

Does your board know how well you meet the key standards for cybersecurity? Or where your weak points are with data collection? Directors need a clear view of what is happening inside and out of your company. You need a good view of where your weak points are. Your board needs to know how your security stacks up against other companies. This all requires an impartial assessment from an external subject matter expert.

Hire an external subject matter expert to get a less biased, wider view of your strategy. Ask them to review how well your board complies with regulations and standards. Seek insights into how to improve your security measures and align more closely with industry standards.  

5.   Document clear roles and responsibilities for cybersecurity and information security

Who has primary authority over cybersecurity? If no one can reach your primary person, who makes the decisions? Does IT or Customer Service protect client data? Does everyone know what their role is in cybersecurity? These questions might seem like they have obvious answers. Without clear documents, though, assumptions can lead to blurred lines and catastrophic delays.

Everyone must know the needs and roles of each team. For example, the IT team typically maintains devices and software – cybersecurity. However, the customer support team usually collects and manages customer data – information security. Both roles are important and need oversight from the board. Both roles can become blurred if one team thinks the other is handling a certain aspect. For example, the CS team assumes that the IT team has put info security processes in place.

Consider setting up a cybersecurity working group that will coordinate efforts between teams. It can run security workshops to get everyone working together. It can also map out specific security duties to people and teams. These efforts help everyone to know what’s expected of them.

Improve your overall defences with security awareness training

While this blog post has focused primarily on your board, everyone needs to understand cyber risk. Your staff are your strongest point of defence against cyber attacks. Make sure they’re empowered to do their best by providing an engaging and effective awareness training program.

PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear measurable results, orgnaisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.