Shortly after the release of the ASX 100 Cyber Health Check Report, I wrote about the next steps for boards. Although the arc of progress described in the ASX Report is tilted towards goodness, it is also clear – much needs to be done. At that time, I recommended:
- Make sure the board has sufficient cyber security expertise or advisors;
- Encourage your Chief Information Security Officer to build governance skills in finance, risk, strategy, legal, and compliance;
- Use the results of the ASX Report for discussion at your next board meeting;
- Commence or update your organisation’s detailed cyber security strategy and report on the security transformation program regularly;
- Include cyber security as a quarterly agenda item, or more often as needed;
- Measure your board’s performance in this critical area; and
- Learn from peers on other boards.
Last time I focused on experience and expertise of the board. Most importantly, expertise at a board level comes from knowing the “that, how, and why” of cyber security and having the right practical experience. This implies having an experienced cyber security person on the board, audit and risk committee, or as an advisor to the board.
In this article, I want to focus on the Chief Information Security Officer’s experience and the board.
Many organisations are putting well qualified cyber security skilled people in CISO or CISO-light roles and then expecting them to be well rounded and be able to interact with boards or their committees. Regrettably, these CISOs function with a lot of day-to-day stress, in roles that are within organisations that have values and cultural misalignments, without sufficient mandate from the executive or board, and without resources to execute effectively…Click here to read full article.
