Cyber Governance Connective Tissue Still Missing at Board Level

Written by staff writer.

Many Australian boards and executives are yet to implement a sound cyber governance strategy, according to Jamie Norton, who sits on the executive advisory board at Avertro. He says there is growing awareness of cyber issues, but what he calls the “connective tissue” between that awareness and concrete action is sometimes missing.

“Cyber awareness among boards is definitely growing,” he told MySecurity Media in an exclusive interview. “We are seeing in the media a lot of incidents and repercussions for not having good governance and cyber hygiene. But there is still a question mark around what we need to do.”

Norton says boards and executives must treat cyber risks with the same seriousness as they treat financial and legal risks. He says boards should treat cyber threats with the merit they deserve and not downgrade them, as sometimes happens, to technology risk status.

“People need to have confidence that the function is working the way it needs to be, that there is a strategy at the firm and an understanding of the current risks around cyber. To achieve this, there needs to be really strong governance in place to give the board and executive competence, and I think that connective tissue is missing at the moment. For a lot of firms, there is certainly an awareness of the issues, and there is a lot of media and ministerial attention – there is a lot of noise, but what’s missing is how do we take this and do something with it.”

Norton says several high-profile cyber incidents, including the Medibank Private, Optus, and Latitude Financial hacks, have helped put cyber on the agenda in boardrooms and make directors and executives aware of the potential repercussions of poor cyber governance. He also highlights another change. Unlike before, Norton says the news cycle around these cyber attacks has not petered out, and in some cases, class actions are underway. He says this helps make boards aware of the potential reputational and financial cost of a cyber incident.

Norton, who formerly worked as the CISO at the Australian Taxation Office, says boards and executives set the tone around governance that filters through the entire organisation. He says the key to developing a positive tone around all aspects of governance, including cyber governance, is having good situational awareness. But Norton says there is no silver bullet to getting that situational awareness.

He says there is a certain level of inherent cyber risk in all organisations, but boards need to find an acceptable risk level and determine how they will get there. “That situational awareness of cyber governance is key,” he says. “At the moment, a lot of places are using spreadsheets and all manner of things and not having a coherent view of the cyber risks. My role at Avertro is helping to solve that problem.”

Norton supports the proactive cyber stance taken by the incumbent Australian government. “You can see in their messaging that the government is saying that firms need to have appropriate cyber governance, that it has to be appropriate, and if something goes wrong, you have to be able to demonstrate that your level of governance was appropriate.”