Having conversations about Cyber and IT in the Boardroom

Jul 14, 2021

The ever-changing landscape of technology brings a lot of new language to the table, which can make cyber and IT seem complicated and like one of those technically detailed conversations.

It doesn’t have to be.

The frequency with which we hear terms such as cyber and cyber-security reported in the news is growing – even as recently as last week, with the NSW Education department being hit by a cyber-attack. The Australian Institute of Criminology has released a report putting the total economic cost of cyber-crime across Australia at $3.5 billion in 2019, including $1.9 billion lost by individual victims.

As the depth and breadth of technology needed to run and work within an organisation increases, along with the ongoing maintenance that this technology entails, the risk the IT infrastructure poses to the organisation is also escalating.

As a Board director, you’re empowered to question the risks of any aspect of an organisation, and with that comes the need to educate yourself to understand those risks and your organisation’s preparedness to respond to them. It’s also worth noting that the Federal Government is working on new cyber-security standards that include corporate governance, first floated in the 2020 Cyber Security Strategy, which may hold directors personally responsible for cyber-attacks. Addressing cyber and IT infrastructure risk should be no different to addressing finance or stakeholder engagement risk, for example.

It’s important that Board directors identify these risks as organisational risks and not just an IT problem, as taking this approach will encourage your peers, stakeholders and employees to take the same approach.

During our research into cyber-security, we found that Techradar recently reported that up to 99 per cent of cyber-attacks require human interaction to execute. This is why it is so important to bring all levels of the organisation along on the cyber and IT infrastructure conversation.

So, how do you have the conversation?
The CEO is a lynchpin in the conversation, bringing information to the Board and acting as a leader for the organisation’s attitude to this topic. A great place to start is to have a strategic plan for cyber and IT infrastructure in place for the organisation, and that plan should be a regular part of the Board’s agenda and papers.

What questions should be raised at a Board meeting?
The Australian Cyber Security Centre has published a prioritised list of mitigation strategies to assist organisations in protecting their systems, called the Essential Eight. A great question off the back of those strategies is “how do we stack up?”

It doesn’t have to be that detailed, though. As suggested in the book The Secure Board, some great questions are:

  • Do we know who has access to our critical information assets and how is this monitored and managed?
  • What happens in the event a key supplier is compromised?
  • In our security team, how many people are focussed on the security of technology, and how many are focussed on the behaviours of our people?
  • Are we doing everything we can for our customers to protect their data that we hold?

The most important thing, though, is that the cyber and IT infrastructure conversation at the Boardroom level starts straight away, before an incident occurs. The acceptance of these risks as organisational risks needs to be guided from the top, to then filter down through the whole organisation.

If you’d like to hear more from experts in the field, watch our recent webinar, Cyber Security for Boards, where Fi Mercer chats with Anna Leibel and Claire Pales about how it’s no longer a question of if you need to know about cyber-security but when you’re going to learn.

This article takes inspiration from Anna and Claire’s book, The Secure Board, which is a fantastic starting point for assuring your board is addressing and understanding the cyber risk in your organisation.


