This morning I attended the AICD’s “Governing Through a Cyber Crisis” because I was interested to see what strategies for building a cyber-resilient organisation would be covered at a board level. As a 30-year tech professional, I reckon there’s a difference between governing through a crisis and building a cyber-resilient organisation – but it depends how you look at it.
As outlined, the talk focused on how a board would manage a situation where the horse has already bolted. It covered ensuring the right people are in place to manage the situation, reporting to authorities in the event of a breach, communications and media management – all very important, and we’ve seen the fallout when these things aren’t done right. In this context, “cyber-resilience” is about making sure your organisation is set up to manage the inevitable cyber situation.
What really stood out for me was that we only touched on preventative measures – auditing, including third party vendors, and penetration testing – after 51 minutes, and AI at 55 minutes. Doing all this and more to try to prevent the situation from occurring in the first place, AND having the strategies in place to manage if it fails, is how I define true “cyber-resilience”.
Being in tech is challenging if leaders don’t understand proactive prevention and won’t fund or support it. I get it: it’s expensive, and the biggest problem is that if it’s done right, it can be really hard to prove value. A statistic that says “0 breaches” is not as exciting to business leaders as “5% increase in revenue”. But that’s what being proactive is all about.
If Australian organisations are really keen to build true cyber-resilience, we need increased attention on getting people with technical know-how onto boards, assessing risk in the right places, ensuring it is funded by determining the value of proactive prevention in a measurable way, and focusing on prevention rather than just cure.