Questions the Board or Senior executives should ask the CIO / CISO.
Do we know what data we hold and where it is stored?
Have we identified critical information assets of which confidentiality, integrity and availability are essential to the function of our organisation?
Consider not only the value of individual pieces of data but also the aggregated value of your data holdings. Understanding where this data is stored within your organisation is critical to being able to both protect it and respond to a cyber security incident when it arises. This data could be located on infrastructure held locally, in the cloud, on laptops, mobile phones or external storage devices, or even in staff members' personal cloud storage.
You should also know what is in place to protect critical information assets.
The board should be satisfied that critical information assets of the organisation are appropriately secure.
There should be transparency surrounding the location of all critical assets (including third-party partners and service providers), how they are protected and how protection is being assured.
Do we know how mature our cyber security is?
Understanding your organisation’s cyber security maturity will help you to identify areas that require further investment. The Essential Eight Maturity Model is a valuable resource in this regard as it can be used to identify priority areas for cyber security.
Are cyber risks an integral part of the organisation's enterprise risk management framework? The board should ensure that cyber risk is an element of the enterprise risk framework and that exposures are recognised, assessed for impact against clearly defined metrics such as response time, cost and legal or compliance implications, and planned for, with investment commensurate with a risk-based assessment.
Undertaking an independent Maturity Assessment will allow the board to achieve a better view of the organisational risk profile as well as the gap between the current state and the desired state.
Do we know our regulatory obligations?
In the event of a cyber security incident, you may have regulatory obligations, such as those under the Notifiable Data Breach Scheme, which require you to notify the Office of the Australian Information Commissioner and affected individuals when an eligible data breach has occurred. As such, in the event of an eligible data breach, it is important that you communicate this in a transparent, honest, and timely manner.
What is our people strategy around cybersecurity?
Despite significant advances in cybersecurity technology and products, lack of staff awareness of safe cyber practices, social engineering and negligent behaviour remain major sources of cyber issues.
Boards should satisfy themselves that there is sufficient investment in staff awareness training given its prominence as a source of risk—and because a collective effort against cyber threats will better serve an organisation.
Do we know if there are cyber security risks in our cyber supply chain?
Has management factored in risk with third parties, including outsourced IT, cloud service providers and other partners, in its cyber strategy?
Does your organisation depend on key business partners, such as vendors that supply software and hardware that supports your critical business operations, or a third party with remote access to your systems?
IBM’s 2022 Cost of a Cyber Breach Report noted that 19% of data breaches were caused by a business partner initially being compromised. (For context, ransomware was the root of 11% of breaches.) This is an emerging cyber threat boards should be asking questions about.
Key information boards should know and understand include:
- Is our organisation applying vendor risk management controls to its suppliers?
- What (if any) cybersecurity requirements do we include in our supplier contracts?
- What steps are we taking to reduce the risk our suppliers pose to our cybersecurity?
- What steps are we taking to ensure that we comply with our customers' security expectations?
Do we know what cyber security framework we use?
Understanding strategies your organisation can use to mitigate cyber security risks is important.
A cyber security framework is a set of guidelines or a template that outlines policies and procedures you can use in your business. These frameworks help you establish and maintain your cyber security posture. When a framework is applied, your cyber security resilience should improve and the risk of a cyber event should be minimised.
While no set of mitigation strategies is guaranteed to protect against all cyber threats, it is recommended that organisations implement eight essential mitigation strategies as a minimum. This baseline, known as the 'Essential Eight', makes it much harder for adversaries to compromise your systems and data.
Beyond this, other frameworks exist to help Australian companies improve their information security management:
- NIST CSF
- ISO 27001:2022
- Australian Security of Critical Infrastructure Act 2022
- CIS Controls
Many customers are now demanding their suppliers undertake a Vendor Risk Management Assessment to validate their security controls and risk profile.
How do we monitor cyber risk?
Identifying a cyber risk or incident can be challenging, but doing so is essential. The sooner an incident is identified, the sooner a mitigation strategy can be put in place to minimise the impact on the organisation as well as its customers and vendors.
How often do we review the cyber resilience program?
Given the rate of change in the cyber risk landscape, and the speed at which a business can be severely compromised (potentially within hours or days), the board should consider whether periodic reviews that are more frequent than those for other risks in the risk management framework should be adopted.
Are we prepared to respond to a cyber security incident?
When responding to a cyber security incident, there are often significant time pressures placed on decision-making.
To further assist in preparing to respond to a cyber security incident, it is important that you have appropriate response measures in place, such as an incident response plan.
To be effective, an incident response plan should align with your organisation’s emergency, crisis, and business continuity arrangements, as well as jurisdictional and national cyber and emergency arrangements.
In doing so, it should support personnel to fulfil their roles by outlining their responsibilities and all legal and regulatory obligations. Such incident response plans should be regularly reviewed and tested alongside activities that target strategic decision-making, operational responses and communication strategies.
Finally, in the event of a cyber security incident, it is important to have one person in charge as the incident response coordinator, such as a CISO or CSO, to ensure clarity of direction and to allow timely operational decisions to be made. Ideally, this person should be supported by a board member with relevant cyber security or risk management skills, acting as the interface between the incident response coordinator and the board so that board-level decisions can be made and communicated quickly.
What needs to occur in the event of a breach?
Boards should ask themselves:
- When a problem arises, what processes are in place for communicating effectively, internally, and externally, and managing the situation?
- Has there been a sufficient level of scenario planning and testing to ensure that response plans are valid and up to date, including with third-party suppliers and dependants?
Boards may need to ensure that security and customer trust are central considerations as companies strive to deliver innovative products and services through technology.
Does the board need further expertise to understand the risk?
Although boards may not require general technology expertise, for many companies it may be advisable to have one or more directors who have a strategic understanding of technology and its associated risks, or who have a background in cybersecurity.
In some circumstances, the board should consider the use of external cyber experts to review and challenge the information presented by senior management.