How to Develop a Cyber Security Strategy at the Board level
Beyond ‘Hope and Prayer’: The reality of cyber risk in the Internet-Age

Cyber security can often feel like a moving target: threats and vulnerabilities change regularly and the standards for how to manage and oversee cyber risk just aren’t on the radar for many organizations.

With the ongoing proliferation of sophisticated malware, data security breaches and ransomware attacks are an increasingly common experience for organizations worldwide.

In Australia alone, it has been estimated that 59 percent of organizations detect a business-interrupting security breach in an average month, more than twice as often as in 2015.

A report by telecommunications company Telstra found that ransomware was the number one type of malware downloaded in the Asia Pacific region. Over 60 percent of Australian organizations stated they had experienced at least one ransomware incident in the last 12 months, and 57 percent of those ended up paying the ransom.

One thing has become abundantly clear: cyber security is no longer an IT issue, and it is more than just a risk management priority. Meeting the cyber security challenge requires an enterprise-wide approach to identifying cyber risk, detecting incidents, responding to them and recovering from them.

The need for cyber security oversight and leadership from the Board has never been greater or more pressing.

Taking the first step: Industry environment & regulation

To develop a cyber security strategy, your Board should first begin by taking a wider view of the industry or sector in which it operates. What are the regulatory obligations at work in this industry, and similarly, which laws, Acts or standards should govern your conduct?

In addition, what are your obligations to stakeholders, including clients, partners, suppliers and members? This information frames the expectations and regulations that your treatment of cyber risk must satisfy.


Some regulation that may need to be considered could include:

Payment Card Industry Data Security Standards (PCI-DSS)
PCI DSS is a set of security standards structured to help protect customers’ card data and information. It was developed by the major credit card schemes Amex, Visa, MasterCard, Discover and JCB to limit credit card fraud. It effectively outlines the business requirements for the secure management of card data, including procedures, policies, networks, software design, architecture and other protective security measures. The 12 standards of PCI compliance are now mandatory for all organizations that store, process or transmit cardholder information.

Mandatory data breach notification bill
As an example of the global changes in legislative requirements, in Australia the Privacy Amendment (Notifiable Data Breaches) Act 2016 has introduced a mandatory data breach notification regime. This new law applies to all entities that are currently subject to the Australian Privacy Principles under the Privacy Act 1988.

Under the new law, unless an exception applies, entities must notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches as soon as practicable. This must occur after the entity becomes aware that “there are reasonable grounds to believe that there has been an eligible data breach of the entity.”

In summary, an ‘eligible data breach’ occurs where:

(a) there has been unauthorized access to or disclosure of information, or loss of information where unauthorized access or disclosure is likely; and

(b) a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to the individuals to whom the information relates.

These requirements should form the basis of a cyber security policy and procedures, which in turn need to be embedded into your Governance Framework.

Identify your ‘Crown Jewels’

The next priority is to identify your most critical data assets: the data that is most exposed to risk (inside or outside your organization), most likely to be targeted, and most damaging if compromised.

Think of these critical assets as your organization’s ‘Crown Jewels’: the data, systems, and software applications that are essential to operations. Many seemingly innocuous types of information or data are valuable to hackers. They may include:

  • Client, donor or trustee data (usernames, email addresses, physical addresses, passwords, bank information, financial records, healthcare information, confidential email threads etc.)
  • Sensitive contracts with customers, suppliers, distributors, joint venture partners etc.
  • Employee log-in credentials
  • Business plans
  • New products or services in development
  • Lists of customers, employees or contractors

This information can be sold on the black market, used to compromise an organization’s defenses or even used to steal an individual’s identity.

How to determine your most valuable data assets

Critical assets and their levels of sensitivity vary widely across sectors. It might be useful to determine your critical assets with the following questions:

  • What are our organization’s most critical data assets? (This would include, for example, a hospital’s patient information or a database containing customer credit card information).
  • Where can these assets be found? Are they located on one or multiple systems?
  • Who has permission to access these critical assets?
  • Are our systems adequately protecting this data? Have we tested this protection and are we satisfied with the results?

After thinking about your vulnerabilities, identify the potential attackers, which users can reach these assets, where security is weakest around your Crown Jewel assets, and the controls that should be in place to protect them.

Lastly, consider your response to a potential attack. How would you detect an intrusion, respond (as per your regulatory obligations) and formulate a recovery?

How you respond to these prompts could form the framework for a cyber security strategy.
Developing a cyber risk register

Once you have identified your Crown Jewel assets, it’s time to organize your results within your risk management plan, as this falls within the charter of the Board.

Your organization can't protect everything, and a technology solution alone is never going to be enough. That's why a more effective approach to cyber security requires taking an individualized, risk-based approach.

A Cyber Risk Register flags the highest risks to your organization, as well as any opportunities that can be seized. A robust cyber risk register is also an effective way to communicate to external stakeholders that you understand cyber risk and are taking measures toward better managing its ramifications.

This process enables you to allocate security resources in a more intelligent and cost-effective way.

For example, if you accept donations online, this could be flagged as a potential risk under your cyber security obligations. Anything that could increase your exposure to a potential attack should be considered and recorded in the risk register.

Other top cyber security risks may include:

  • A 'bring-your-own-device' policy
  • Cloud software
  • Outsourcing to third parties
  • System backups
  • Firewall access and protection
  • Antivirus software
  • Intrusion detection & intrusion prevention systems

In building a complete picture of the attack surface through which a hacker could penetrate your organization’s defenses, consult a cross-organization team comprised of key individuals from senior management, operations, IT and risk management committees.

Ask yourself:

  • Are you aware of all the potential risks facing your organization at any given time?
  • Do you know what the potential fallout of those threats is and what counter-measures you can put in place to protect against them?

This team’s main tasks are to (1) determine which information assets are priorities for protection, (2) estimate the probability that each asset will be attacked, and (3) organize a proportionate defense.

Filling out a Cyber Risk Register will help you recognize risks, determine the costs of those risks, and settle on a strategy for prevention before they materialize.

What is cyber risk?

Cyber risk can be thought of as any risk of financial loss, disruption or damage to the reputation of an organization arising from a failure of its information technology systems.

What is a data breach, exactly?

As part of your duties as a Director, you are charged with protecting the organization through the control and mitigation of extreme risks. This naturally leads to the treatment of cyber risks which, in some cases, can have devastating or existential consequences if neglected.

Data breaches can take many different forms and may result in varying levels of damage. Therefore, a proportionate investment in each asset’s defense is an important consideration.

Breaches can range from internal errors, such as lost laptops or paper documents, to employees entering a restricted area of your system without proper authorization.

Data breaches could also include malicious software that enters your network (through email attachments or otherwise), hacking, data theft or distributed denial of service (DDoS) attacks. In a DDoS attack, an attacker attempts to make an online service unavailable by overwhelming it with traffic from multiple sources. In many cases, this causes a system failure or crash, leaving legitimate users without access to the website or service.

It may be advisable for directors to participate in one or more cyber breach simulations or exercises to gain exposure to the organization’s detection and response procedures in the event of a serious incident.


Beyond Governing cyber security

In order to withstand a cyber security attack, the Board needs to formalize a comprehensive cyber security governance framework that ties together the responsibilities of all departments of the organization.

The potential effects of a data breach extend well beyond information loss or disruption. Cyberattacks can have a severe impact on an organization’s reputation, brand and ability to raise funding in the future.

The most successful organizations in this area will approach cyber security as an enterprise-wide strategy and risk issue, with consideration given to all operating activities. One way to achieve this is through the governance framework.


Embedding cyber security into your Governance Framework

A cyber security governance framework contains a set of management tools, a comprehensive risk management approach and, more importantly, an organization-wide security awareness program.

This framework should weave into your organization’s key systems and processes from end to end. In thinking about potential cyber risks, the Board should instruct management to consider not only the high-probability attacks and defenses but also low-probability, high-impact attacks that would be catastrophic.

For example, losing a hard disk drive containing volumes of sensitive information and a targeted attack from a malicious third party could present the same level of exposure and potential harm.

An adaptable security program should balance the full spectrum of potential risks, whether they originate inside the organization (for example, inadequate staff training) or outside it.

If a disgruntled employee with even modest IT skills could cause harm to the organization, what role do human resources play in screening candidates for new positions, and how would this affect a new employee's progression through the organization?

Similarly, what information should various departments have access to, and what should be restricted? Does the finance department keep client credit card information on file? Is it aware of the regulations that protect client privacy?

The Board may also consider requiring management to set up company-wide training on cyber risk. Staff must be engaged in cyber awareness, and that means going beyond PowerPoint presentations and tick-box exercises.

A better approach is to sit down with new employees and induct them into the organization’s cyber security culture. The human resources, finance, IT, public relations and crisis communications departments should all be called upon to understand their obligations in ensuring cyber security best practice.

Another key challenge is to make sure that partners in the supply chain take security just as seriously. Third-party organizations can be a major weak point in a security chain. Ensure that partners receive the same training and communication about information security, and take measures to secure your entire value chain.

Even with vastly different resources and capabilities, every organization that handles sensitive information needs to demonstrate that it is upholding its fiduciary and social duty to protect this information, even in the event of a breach. Legislation has now started to catch up, and Directors are increasingly being held liable for inadequate data protection.


Never allow your stakeholders to ask, “Where was the Board?”

Now is the time to prepare your cyber security strategy and processes, and to allocate training and resources to the better management and protection of critical data assets. It may be helpful to begin your strategy by identifying the laws, regulations and cyber risks in your industry or operating environment. This information should govern your conduct. Next, determine which data assets you must protect: your Crown Jewel data assets.

Your senior executive team can help you identify risks in your systems and help support a culture of security awareness. Embedding this information into your governance framework and reviewing it regularly will help ensure you remain alert to cyber threats and preserve the safety, integrity and confidentiality of your data and information systems.


Don't know where to begin?

In partnership with Advisory Boards Group, Conscious Governance has developed a 10-part online training program titled 'How to Govern Cyber Security'.

It has been designed for CEOs, Board members and executives to build capacity in cyber security, starting with the fundamentals.

  • 10 video modules
  • 11 PDF worksheets & downloads
  • One purchase grants lifetime access throughout your career
  • 24/7 online access