Australian businesses face a surge in cyber threats, driving up costs and regulatory scrutiny. With boards demanding greater accountability, CISOs play a critical role. Former CISO and cybersecurity expert David Gee GAICD explains how they can engage boards, strengthen resilience, and foster a security-conscious culture.
Boards are demanding answers as cyberattacks grow in both frequency and severity. The latest data from the Office of the Australian Information Commissioner (OAIC) reveals that reported breaches in the first half of 2024 hit their highest level in over three years, marking a nine per cent increase from the previous six months.
While 63 per cent of data breaches affected 100 or fewer people, one incident reported affected over 10 million Australians, according to Carly Kind, Australian Privacy Commissioner.
In its annual report released in November 2024, the Australian Signals Directorate outlined it received over 87,000 reports of cybercrime over the financial year, an average of a report every six minutes. The average cost of cybercrime for small businesses rose by 8 per cent from last year to $49,600 per report, and by 17 per cent for individuals to $30,700 per report.
As the threat landscape evolves, so too does the governance response. In light of these challenges, the AICD and Cyber Security Cooperative Research Centre (CSCRC) have released significant updates to the Cyber Security Governance Principles. Since its launch in 2022, the framework has become the AICD’s most downloaded resource, providing boards with critical guidance on cyber resilience. The November 2024 update ensures the Principles remain an essential reference for Australian directors navigating an increasingly complex cybersecurity environment.
The evolving board-CISO relationship
A day in the life of a CISO could include any number of challenges. They include managing vulnerabilities, responding to incidents, driving cyber transformation uplifts, ensuring regulatory compliance and conducting security assessments of internal and partner systems. They are regularly assessing risks and mitigations, strengthening risk management governance, and engaging business stakeholders to reduce cyber risk while addressing team stress and burnout.
This is by no means an exhaustive list. Being “comfortable with the uncomfortable” is a constant state of existence for a CISO, with never enough hours in the day to address every risk being faced. There is a constant juggle of what to prioritise and what risk acceptance can be tolerated.
Prioritising cyber risks
It is not necessarily a bad thing if the board’s questions make the CISO more uncomfortable. This can indicate that the board is better engaged with the issues and with its responsibility to ensure that management is taking cyber threats and cybersecurity as seriously as it should.
Questions will require straight answers, in language and a level of complexity that is expected by the board. However, cybersecurity is not a simple subject to articulate clearly, while also being comprehensive. Boards should be encouraged to ask for clear explanations of any uncertainties that arise from the board papers or conversations.
CISOs should never assume the board has the appropriate level of knowledge. One of the most important elements of their role is to bring full understanding of the issues and potential implications of action or inaction in this fast-moving and ever-changing area of expertise.
What the CISO needs from the board
Currently, most enterprises have work to do to improve their risk posture. Having the board understand their role and how they can support the CISO is an important aspect to reflect on.
These five considerations require ongoing support and focus over the medium term:
- The CISO will want the board to help set the overall strategic direction and ensure that this is aligned with risk appetite
- While the CISO establishes the cyber risk culture, the board can help by setting the tone from the top and ensuring cybersecurity compliance is appropriately prioritised across management and the business
- The CISO will need to have a strong mandate to operate. Having strong accountability to be able to act and defend the enterprise without excessive interference is critical
- The CISO will require the board to understand cyber risk buy-down. Not all risks are of equal importance and the focus must be on reducing risk on the most critical threats first
- The CISO will want support from the board to be allocated the resources and budget to support the cyber strategy.
However, it’s worth noting there are no easy fixes. The organisations that develop a solid, two-way understanding of their cybersecurity needs will be better able to address the challenge effectively.
The board’s acid test
There will never be enough budget or resources, as there would be in a perfect world. Either the funds are not in the planned budget, or the cyber staff cannot be hired as the market skills gap continues.
The acid test can be used to ensure that the tone from the top is set to the right trigger point. What might look low-risk, or “green” on the surface, could be “amber” or “red” if the board is taken down into the layers.
What the board must do is “challenge” the green risk appetite metrics and “support” the red. Too often we see the opposite risk culture dynamic, and what the board sees is an optimistic set of metrics.
Challenging the green, supporting the red: meaningful cyber risk oversight
To fully “support” the red, the board must understand the degree of gap and the extent of remediation required. For many of these action plans, there is a requirement from business and various technology leaders to lean in. Once there is this level of understanding, board members can provide their strategic support to this priority. Stay the course and try not to be attracted to the next shiny object that can derail remediation.
Conversely, to “challenge” the green implies that the board gets comfortable that the targets set are sufficiently aggressive and that there is full transparency on the underlying data — that is, there is no cyber equivalent of greenwashing. One classic example is that assets are risk-accepted and excluded from the metric. The residual risk remains.
The evolving role of the CISO
The role of the CISO has evolved significantly in recent years. No longer are they solely focused on technical details. Instead, they are strategic leaders who must be able to communicate effectively with both technical and non-technical audiences.
They need to translate complex technical jargon into clear, concise business terms the board can understand. This includes framing cybersecurity risks in the context of business objectives and potential financial impact.
Furthermore, CISOs must be proactive rather than reactive. They need to anticipate emerging threats and develop strategies to mitigate them before they can cause damage. This requires a deep understanding of the threat landscape, as well as the ability to stay ahead of the curve. Continuous learning and professional development are crucial for CISOs to remain effective in this dynamic environment.
Building an enterprise-wide cybersecurity culture
A strong cybersecurity posture is not just about technology — it's about people, processes and technology working together seamlessly. CISOs need to foster a culture of cybersecurity awareness throughout the organisation, ensuring that all employees understand their role in protecting sensitive data. This includes providing regular training and education on topics such as phishing, password security and social engineering.
In addition to people and processes, technology plays a critical role in cybersecurity. CISOs need to ensure the organisation has the right tools and technologies in place to detect and respond to threats. However, technology alone is not enough. It must be implemented and managed effectively to be truly beneficial.
Collaboration is key to resilience
Effective communication and collaboration are essential for successful cybersecurity management. CISOs need to work closely with other departments within the organisation, such as IT, legal, and risk management, to ensure that cybersecurity is integrated into all aspects of the business. They also need to establish strong relationships with external partners, such as regulators, law enforcement agencies and industry groups, to stay informed about the latest threats and best practices.
Ultimately, the CISO is responsible for ensuring that the organisation's data is safe and secure. This is a challenging task, but it is one that is becoming increasingly important in today's digital world. By effectively communicating with the board, building a strong cybersecurity posture, and fostering a culture of awareness, CISOs can help their organisations navigate the complex landscape of cyber threats and protect their valuable assets.
David Gee GAICD is a non-executive director, tech risk adviser and author. He is an ambassador for CI-ISAC critical infrastructure. He is a former CIO, CISO and tech, cyber and data risk leader.