by Sarah Putt

Cyber security top of mind for New Zealand boards

News Analysis
Jul 19, 2020
IT Governance, IT Leadership, Security

The COVID-19 pandemic has increased existing concerns over security and risk management that CIOs must address.

[Image: board of directors. Credit: Thinkstock]

The next time a CIO is summoned to the board meeting, she or he should expect a grilling on security and risk management. That’s according to the latest Gartner research which notes interest in these topics is at an all-time high, a view that chimes with findings from the New Zealand Institute of Directors (IoD).

The COVID-19 pandemic has upped the ante for cyber security

In the latest issue of IoD’s membership magazine, Boardroom, the problem is laid bare in a piece by Aura information security general manager Peter Bailey. He cites an increased reliance on digital technologies and a distributed workforce as a result of the COVID-19 pandemic, as bringing cyber security issues to the fore.

“The very lifeline to productivity in the stormy seas of COVID-19 may tow your organisation into a lurking cyber security iceberg,” he writes. “Having more of your workforce connected to a myriad of internet connections greatly increases your necessary connectivity surface area. This dispersed network creates exponentially more vantage points for cyber criminals to infiltrate your systems as well as increasing the chance of accidental data breaches via your employees.”

IoD Principal Advisor Selwyn Eathorne concurs with this view, noting that as organisations have changed their operating models and practices, the cyber security risk has increased. “Boards are concerned about a large range of matters at this time, including cyber security. Many organisations have changed aspects of their operating models and work practices with more reliance on digital and technology. This has led to increased cyber security risks and is set to continue as organisations transition into the future. Boards will continue to want to know that their organisations’ critical assets are being protected. They will need to stay informed about emerging cybersecurity risks, trends and issues,” he says.

How CIOs and CSOs can communicate effectively about cybersecurity

As to whether New Zealand boards believe they are sufficiently informed about cyber security, the feedback is mixed.

“In our 2019 survey of director sentiment, less than half of directors (41%) said that their board received comprehensive reporting from management about data breach risks and incidents. However, 67% of directors of publicly listed companies said that they received comprehensive reporting,” Eathorne says.

Eathorne says there is “no one-size-fits-all approach” to communicating on security and risk management, and it needs to be tailored to the organisation. “Boards and management need to consider the format and frequency of reporting, and consider what information and detail is most valuable in maximising the effectiveness of board oversight in this area. Reporting to the board on cyber security has similar principles to reporting on other areas of an organisation such as health and safety and financial reporting,” he says.

The IoD has produced a guide on how to go about reporting to boards on cyber security which includes a section on six questions covering key areas of interest: metrics, investment, effectiveness, incidents, reporting and awareness.

Gartner, meanwhile, has distilled its research into five questions, which it describes as follows:

  1. The trade-off question: Are we 100% secure?
  2. The landscape question: How bad is it out there?—and how do we compare to others?
  3. The risk question: Do we know what our risks are? What keeps you up at night?
  4. The performance question: Are we spending enough/why are we spending so much?
  5. The incident question: How did this happen? What went wrong?

It notes that boards collectively care about three things: revenue/mission, cost and risk. “Board members expect their leaders to interpret topic specific information into its broader business impact. Security and risk management is one of these topics,” Gartner says.