As the former CEO of Telstra, and more recently a Coles Group board member and chair of the federal government's Expert Advisory Board for Australia's new Cyber Security Strategy, Andrew Penn AO is no stranger to technology risks such as ransomware. In a wide-ranging interview as our guest on this year's first episode of the AICD podcast Boardroom Conversations, he shares his views on whether boards should pay ransomware demands. He also discusses his career transition from CEO to board roles and the factors he weighed up before changing course.
Should organisations pay ransomware demands? It is a question that preoccupies many boards and managers. The advice from the federal government's blueprint for the future, the 2023-2030 Australian Cyber Security Strategy, is not to rule out payment of these demands.
Chair of the federal government's Cyber Industry Expert Advisory Board, Andrew Penn AO, says ransomware was tackled extensively at a policy level by the official strategy.
“Our view was we should not ban ransomware payments. That would be too much of a blunt instrument and too difficult to determine what the unintended consequences may be. But we strongly discourage them.
“And we recommended that it becomes compulsory to report them for most organisations … (just) maybe not very small businesses.”
He told Boardroom Conversations there may be situations where health and safety or human life could be at risk, when a ransomware payment may need to be considered very thoughtfully. "But you also need to take responsibility for where that ransomware payment is going to," he added. "Who are you financing? You may have ESG policies within the company that you're actually now going to conflict with by paying a ransomware payment."
Boards must prepare for malicious attacks in advance with scenario planning and identifying who is accountable for communication and engagement with stakeholders, he adds.
“The worst possible time to develop a crisis plan is in the middle of a crisis. So, make sure you've got an incident response plan in place,” says Penn.
It is important that the board is involved in scenario planning, he says, but it should not take over the planning; that should be left to the experts and the people closest to the issue.
“In my old world at Telstra, we had a very robust crisis management approach, not necessarily just for cyber security, but just generally. So, there were lots of crises (to plan for) network outages or cyclones… And there are a lot of people who are part of that process, including the chair of the crisis management team.”
CEO transition process
After seven years as CEO of Telstra, Penn departed at what he felt was the right time. “I always say that it's important you need to leave when you're not quite ready and when people still want you to stay. Not the other way around. And so, I felt I navigated that process well.”
His advice to CEOs making a similar transition to a portfolio career is to take care in finding the right mix of things to work on.
When he decided to leave Telstra, he was turning 60 and wanted to have another stage to his professional career where he could make an impact. He chose the Coles Group board, partly because it was a similar large ASX-listed organisation.
“One of the things about working at the big end of town in an executive role is you get access to contemporary thinking around corporate governance, contemporary issues, technology. And it doesn't really matter whether it's Telstra or another very large organisation. That's what I knew I was going to miss.
"So being a non-executive director of a very large organisation, such as Coles, gives me firstly… I think it's a situation where I can make an impact, to make a difference because I've had that experience. But secondly, I knew I would miss the opportunity to be working on those complex organisational, economy-wide issues. And so hence the decision to join Coles."
He also sits on the council of the National Gallery of Victoria. "I've always been passionate about the arts. I paint a bit myself. Finding ways to bring creativity into my life I find pleasurable, but (it) also actually makes me a better person, a better leader, makes me reflect on things and bring more reflections than just pure logic and rationale and analytics and numbers."
Listen to Boardroom Conversations here.