This morning I attended the AICD's "Governing Through a Cyber Crisis" because I was interested to see what strategies for building a cyber-resilient organisation would be covered at a board level. As a 30-year tech professional, I reckon there's a difference between governing through a crisis and building a cyber-resilient organisation, but it depends how you look at it.
As outlined, the talk focused on how a board would go about managing a situation where the horse has already bolted. It covered points such as ensuring the right people are in place to manage the situation, reporting to authorities (in the event of a breach), communications and media management, etc., all of which I agree is very important. This is the "governing" part: we've seen the fallout when these things aren't done right, and managing all of that is something an organisation absolutely has to get right. So in this context "cyber-resilience" is about making sure your organisation is set up to manage the inevitable cyber situation.
What really stood out for me was that preventative measures like auditing (including third-party vendors) and penetration testing were only touched on after 51 minutes, and then AI at 55 minutes. Doing all this and more to try to prevent the situation from occurring in the first place, AND having the strategies in place to manage it if prevention fails, is how I define true "cyber-resilience".
Being in tech is challenging if leaders don't understand proactive prevention and won't fund or support it. I get it: it's expensive, and the biggest problem is that if it's done right, it can be really hard to prove value! Statistics that say "0 breaches" are not as exciting as "5% increase in revenue" to business leaders. But that's what being proactive is all about.
If Australian organisations are really keen to build true cyber-resilience, then we need to see increased attention on getting people with technical know-how onto boards, assessing risk in the right places, ensuring prevention is funded by determining the value of proactive measures to an organisation in a measurable way, and focusing on prevention rather than just cure.