Recently, at Sekurokon, Shamane Tan, Chief Growth Officer at Sekuro, hosted Meet Your Sharks! The insightful session provided unfiltered feedback on how you should be presenting to the board on risks and convince your directors to give you the budget you need. There were insightful learnings which no doubt will be serious topics for continuous discussion as we navigate increased cyber risk.
The panel for this discussion included:
Clr. Jeff Whitton FAICD, Board Chairman OCTEC and Local Government Councilor at Orange City Council;
Monica Schlesinger, Director and CEO at Australian Health and Science Institute and Chair Board of Directors Espace Publishing; and Nicholas Chilton, Head of Board Advisory (South Pacific Region) at Nasdaq.
Sitting on the board of an organisation does not only come with the responsibility to determine how challenges impact the organisation, but it also comes with the understanding that challenges can impact directors personally. Today, not only does a director need to understand all the corporate compliances that cover them as a director of the organisation of which they sit, they have to understand cyber security compliance. Security is a topic that is relatively new to some boards and they are now having to frame enterprise risk management with cyber security considerations.
“As a company director, the first rule of thumb is to protect yourself,” Jeff explained. “When you do choose to join a board, you should do your due diligence on that company to make sure the company is fiscally viable and hasn’t breached any compliances, because once you join that board, you become responsible for any past issues with the company.”
It’s not enough to say you weren’t involved with the board of the organisation when mistakes were made. You need to have an understanding of compliance and governance, and how that applies to the organisation and the industry. Cyber security is the board’s responsibility, but at the same time the C-suite must be open, honest and report issues as soon as they come to light. At the end of the day, both the C-suite and the board will suffer the same obligation if an issue was not reported, and a risk-mitigation strategy was not in place.
When it comes to getting necessary buy-in for security projects, this discussion raised a few key points:
The boardroom is losing faith in the cyber security industry because there is a realisation that attacks can’t be stopped, only mitigated and that they can’t protect an organisation from all cyber threats.
The way to overcome this is education. “When it comes to cyber security, you need to teach the directors on how to manage it and the importance of mitigating risk,“ explained Monica. A short course is not enough to achieve this. People need repetition. Cyber security should be on the agenda at every meeting. Getting the CEO or an IT committee on board to drive this education will go a long way to teach the board what they need to know in order to protect the long-term sustainability of the company.
Cyber security isn’t like economic uncertainty where a long-term projection can be mapped out. As cyber is unpredictable, using examples from the current environment we are seeing is more useful. Nicholas explained:
When it comes to identifying risk and creating a plan of action in the event of a breach, there are important discussions to have with CIOs and CISOs to have a strategy or plan of action in place.
The board needs to understand the legal liabilities and what the organisation is covered for. “As directors, we don’t need to know every technical detail, but we can rely on experts. What experts informed us of possible risk, and can we rely on them?” Monica pointed out. Having a business continuity plan available in the event of a breach is vital.
You need to know what to do in the event of a breach and should have answers and guidance already available in playbooks, strategies, and incident response plans. It is imperative to have an incident response plan that feeds off into your entire cyber security strategy and the applicable laws to your industry and location. Jeff remarked:
If the risk is critical but the company can’t afford to mitigate it, then the risk is deemed to be acceptable. The C-suite has done its job in raising the issue, explaining it and costing it out.
Most boards understand risk through audits and risk committees. However, there is another area called acceptable risk. When a board has zero appetite for risk, there is a cost associated.
Once the C-suite have identified the risk and highlighted the associated costs, it is then left to the board to decide how to deal with it financially and strategically. The C-suite have done their job by identifying the risk, costing it and educating the board on what the risk means to the company and themselves.
If a risk is a critical risk to the organisation, but fiscally the business cannot deal with it because it’s going to cost $10 million to deal with that risk, then the board takes this on as an acceptable risk.
Businesses spend money on two things - investments to grow and compliance. Cyber security teams need to find a way to fit into one of these categories. Another way is to frame cyber security as an enterprise risk management problem.
When it comes to convincing the board for budget, there are two rules of spending within a company. Money is spent to grow the business to get a return on revenue for the business and its shareholders. The second aspect is ensuring the business is compliant. Framing cyber security as an enterprise risk could be the way to ask for buy in.
“There is this importance of putting into perspective everything else that directors have to deal with and articulating to them why cyber security is not just a siloed IT problem, it’s an enterprise risk management problem. Nicholas explains:
The first paragraph of a proposal makes an immediate impression, so always include the reasoning up-front.
If you can convince the board that they need to spend money on compliance, they will spend it. However, in your budget proposal, you need to grab their attention immediately and make your strong argument clear up front and in the beginning. They are less likely to approve it if it the supportive information and facts are buried on page 55. You’ve lost their interest by then.
Increasingly, boards are being asked to consider whether a decision passes the ‘pub-test’ - would the everyday person respond with anger, or will they think that a reasonable decision was made based on the information at hand?
Australian directors are very compliance focused. However, as cyber security threats and breaches continue to increase over the next five to ten years, we will see a focus on the ‘pub test.’ Do decisions around cyber security meet the community’s expectations more than just the company’s compliance?
A member of the audience provided food for thought: “When it comes to convincing your board to spend money on cyber security, you’ve got to articulate an important part of the narrative – the community. Is the community going to be quite upset with us, even if we are technically compliant with the law? So that’s another dimension that I think is worth exploring.”
To learn more, watch the full discussion here: