Research Review: How to Implement Core Cyber Security Governance Principles

In today’s rapidly evolving cybersecurity threat landscape, everyone has a role to play when it comes to keeping companies and their data safe. Not only do advanced phishing and social engineering attacks turn every employee into a potential attack vector, APRA has made clear its intent to hold company directors and board members personally responsible for breaches.

That said, getting up-to-speed on cybersecurity best practices can seem overwhelming—especially for leaders who lack a background in digital security.

Fortunately, the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) have come together to create a series of core Cyber Security Governance Principles, as well as a series of questions leaders can ask to boost their organisations’ cyber security posture.

Here’s a quick summary to help you get started:

The 5 Core Cyber Security Governance Principles

According to the AICD and the CSCRC, the following principles “provide a clear and practical framework for organisations to build stronger cyber resilience”.

1. Set clear roles and responsibilities. For SMEs, this may involve defining specific cyber security roles and reporting responsibilities for board members, CEOs, Managing Directors, key managers (including CIOs, CTOs, CISOs, and Chief Risk Officers), and key staff.
2. Develop, implement, and evolve a comprehensive cyber strategy. Fulfilling this principle begins with identifying the company’s key digital assets and data. Additional responsibilities include assessing internal and external resources, mitigating the risk associated with third-party suppliers, establishing proper data governance, and regularly evolving the plan, amongst others.
3. Embed cyber security in existing risk management practices. The two agencies define cyber risk as an operational risk, placing the onus on the company’s risk management program to develop and oversee appropriate controls.
4. Promote a culture of cyber resilience. Security is everyone’s responsibility, but encouraging this mindset starts from the top down in the form of ongoing training, incentivisation, and evaluation.
5. Plan for a significant cyber event. Proactive planning and the utilisation of simulation exercises and scenario testing can help companies identify weak points in their cyber security strategies before hackers do.

Under the first core principle, the two organisations also address the pressing issue of cyber insurance with a great deal of hesitancy. “While cyber insurance may be necessary for certain organisations,” they state, “the often high cost and restricted or tailored coverage of a particular policy means that a board should carefully consider if it is appropriate and/or value for money for their organisation.”

Interestingly, both high costs and limitations in coverage both factor into the rationale given by Medibank CFO Mark Rogers when explaining that the private health insurer did not have active cyber cover when its customers’ medical records were breached in a recent, unprecedented attack.

10 Questions Directors Must Ask in Relation to Security

In addition to their five core principles, the two agencies list 10 questions company directors should be asking in order to understand their existing cybersecurity posture.

1. Does the board understand cyber risks well enough to oversee and challenge?
2. Who has primary responsibility for cyber security in our management team?
3. Who has internal responsibility for the management and protection of our key digital assets and data?
4. Where, and with whom, are our key digital assets and data located?
5. Is cyber risk specifically identified in the organisation’s risk management framework?
6. How regularly does management present to the board or risk committee on the effectiveness of cyber risk controls?
7. Is cyber security training mandatory across the organisation and is it differentiated by area or role?
8. How is the effectiveness of training measured?
9. Do we have a Cyber Incident Response Plan, including a comprehensive communications strategy, informed by simulation exercises and testing?
10. Can we access external support if necessary to assist with a significant cyber security incident?

Being able to answer all 10 of these questions successfully is a good proxy for compliance with the five core principles listed above.

That said, if your organisation is struggling to execute any of the core principles or answer any of these questions, it may be time to enlist professional assistance. Cyber security is no longer an area that directors can afford to ignore. Mangano IT can help organisations at all levels of maturity to assess their cyber security readiness or implement security standards in line with these core principles.

Reach out for more information or to get started with a cyber security assessment.