10 April 2017

Over the past couple of weeks, I have been to a few seminars to improve my understanding of cyber security and have come to the realisation that it is not an IT issue, but a board and executive issue.

Cyber security is about understanding your company's risk profile, and that can only be done at a senior level. Leaving any high-risk component of your business to operational staff alone should be considered poor management.

The management of cyber security needs to be undertaken in the same manner as the other property, staff and criminal threats to your business. Being shut out of your corporate systems is like a fire taking out your corporate headquarters, only with a higher likelihood of occurring.

To understand what information you wish to protect, you need to understand what data you hold and what its value is to the business. That value can be equated to the cost of no longer having access to, or control over, the data.

Some of the common motives for attack include:

  • Extortion, such as a ransom demanded to restore encrypted data
  • Sale of commercial information
  • Hacktivism (attacks carried out as protest)
  • Opportunistic attacks
  • State-sponsored or quasi-state-sponsored attacks

As an executive or board member, you need to understand:

  • What data or information matters most to your organisation?
  • How much will it cost if this is lost?
  • What controls are in place, and are they sufficient?
  • Are our controls operating effectively, and are they maintained?
  • What is our third-party and supply-chain risk?
  • How are software, firmware and legacy systems managed and updated?
  • What compulsory cyber incident reporting rules are coming into force over the next 12 months?

Many of the largest attacks have some form of state involvement, so ask yourself whether you understand your customers, competitors and supply chain well.

A useful way to think about your approach to cyber security is to compare it with international travel. Experienced travellers booked with a reputable airline keep their wallet, passport and phone on their person. Their laptop, travel documents and a change of clothes go in their carry-on baggage. The checked luggage matters too, but we accept that one day it won't arrive at the destination with us. The point is to match the level of protection to how much each item matters and how easily it can be replaced.

As with many unknowns, it is easy to underspend or overspend on our approach. A guide can include:

  • What data and systems do you have? Which ones are really critical?
  • What would be the cost to the business if we lost them?
  • How long would it take to recover, and at what cost?
  • What is the likelihood of loss, and what is the expected rate of return on the investment in controls?
  • Create the budget from the answers above.

It is likely that you are overinvesting, or investing to protect the wrong items. Getting the perfect cyber security plan and complying with every regulation might look good, but it risks spending on items of low importance to your business. Losing your customer database might upset the privacy commissioner, but will it hurt your operations?
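The guide above (what you have, what loss costs, how long recovery takes, likelihood, return on investment, budget) can be turned into a small risk register that ranks candidate controls rather than funding whichever looks most impressive. The following is an added example, not part of the original post: the assets, costs, likelihoods and the `risk_reduction` estimates are constructed illustrations, and the ROSI formula it uses, (avoided annual loss minus control cost) divided by control cost, is a common convention rather than anything the post prescribes.

```python
"""Toy risk register: rank security controls by return on investment.

Added example, not from the original post. All figures are constructed
for illustration; the risk_reduction fractions are estimates an
organisation would have to supply (and revisit) itself.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    """One critical data set or system from the 'what do you have' step."""
    name: str
    loss_cost: float            # one-off cost if the asset is lost or leaked
    recovery_days: float        # how long it takes to get it back
    daily_outage_cost: float    # operational cost for each day without it
    annual_likelihood: float    # expected loss events per year (ARO)

    def single_loss(self) -> float:
        # Single loss expectancy: the direct loss plus the outage while recovering.
        return self.loss_cost + self.recovery_days * self.daily_outage_cost

    def annual_loss_expectancy(self) -> float:
        # ALE = single loss expectancy * annualised rate of occurrence.
        return self.single_loss() * self.annual_likelihood


@dataclass
class Control:
    """A candidate protection, its annual cost, and the share of the
    asset's expected loss it is believed to remove (0.0 .. 1.0)."""
    name: str
    asset: str
    annual_cost: float
    risk_reduction: float


def rosi(control: Control, assets: Dict[str, Asset]) -> float:
    """Return on security investment: (avoided annual loss - cost) / cost."""
    avoided = assets[control.asset].annual_loss_expectancy() * control.risk_reduction
    return (avoided - control.annual_cost) / control.annual_cost


def rank_controls(controls: List[Control], assets: Dict[str, Asset]) -> List[Tuple[str, float]]:
    """Controls sorted from best to worst return."""
    scored = [(c.name, rosi(c, assets)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def spend_ceiling(assets: Dict[str, Asset]) -> float:
    """Total ALE: annual control spend above this cannot pay for itself."""
    return sum(a.annual_loss_expectancy() for a in assets.values())


def build_budget(controls: List[Control], assets: Dict[str, Asset], budget: float) -> List[str]:
    """Fund controls in ROSI order while they pay for themselves and fit the budget."""
    chosen: List[str] = []
    remaining = budget
    by_name = {c.name: c for c in controls}
    for name, score in rank_controls(controls, assets):
        if score <= 0:          # everything after this point loses money
            break
        control = by_name[name]
        if control.annual_cost <= remaining:
            chosen.append(name)
            remaining -= control.annual_cost
    return chosen


# Constructed sample register (illustrative figures only).
ASSETS = {a.name: a for a in [
    Asset("order processing", loss_cost=200_000, recovery_days=5,
          daily_outage_cost=50_000, annual_likelihood=0.10),
    Asset("customer database", loss_cost=100_000, recovery_days=2,
          daily_outage_cost=5_000, annual_likelihood=0.05),
    Asset("marketing website", loss_cost=5_000, recovery_days=1,
          daily_outage_cost=2_000, annual_likelihood=0.50),
]}

CONTROLS = [
    Control("offline backups + restore drills", "order processing", 10_000, 0.80),
    Control("database encryption at rest", "customer database", 4_000, 0.50),
    Control("privacy compliance suite", "customer database", 20_000, 0.90),
    Control("CDN with DDoS protection", "marketing website", 1_500, 0.70),
]

if __name__ == "__main__":
    print(f"annual spend ceiling: {spend_ceiling(ASSETS):,.0f}")
    for name, score in rank_controls(CONTROLS, ASSETS):
        print(f"{score:6.2f}  {name}")
    print("funded:", build_budget(CONTROLS, ASSETS, budget=15_000))
```

With these constructed figures the expensive compliance suite for the customer database ranks last, because the database's expected annual loss is small next to the order-processing system's, while backups that shorten a five-day outage rank first. The numbers are invented, but the exercise of writing them down is the point: the board can argue about a likelihood or an outage cost, which is a far better conversation than arguing about a product.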

While the IT team may deliver and manage the cyber protections, they shouldn't be the ones to determine the strategic risk priorities for your organisation. That is the role of the board and executive.