Cyber security has been rocketing up the list of board priorities. As a result, the Australian Institute of Company Directors (AICD) and the Cyber Security Cooperative Research Centre (CSCRC) developed a list of Cyber Security Governance Principles that became industry standards.
These Principles were recently refreshed. Read on to learn what’s new.
Cyber Security Governance Principles
What are the Principles all about? First published in 2022, the Principles provide a practical framework to help directors, governance professionals, and their organizations exercise proactive oversight of cyber risk.
To support directors, the Principles provide practical tools, including tailored questions, governance red flags, and checklists to help boards strengthen cyber resilience, improve risk controls, and oversee supplier relationships more effectively.
Updates to the Principles: a response to changes in the cyber environment
So, why the recent changes? It’s fair to say much has changed in the digital world, even in two short years.
Australia specifically has seen multiple significant cyber incidents, and the proliferation of global conflicts has led to an upsurge in cybercrime.
Meanwhile, the country’s regulators and policymakers have made boards directly responsible for the cyber security practices of their respective organizations.
The Updated Cyber Security Governance Principles
As a result of these factors, the Principles got a refresh. This most recent update (Version 2) covers emerging issues such as digital supply-chain risks, data governance, and effective cyber incident response and recovery.
But what are the Principles themselves? The five are:
1. Set clear roles and responsibilities
Defining clear roles and responsibilities is a foundational component of building effective cyber resilience. Comprehensive and clear board reporting is a key mechanism by which a board can assess the resilience of the organization. External experts can play a role in providing advice and assurance to directors and in identifying areas for improvement.
2. Develop, implement, and evolve a comprehensive cyber strategy
A cyber strategy can be a business enabler by identifying opportunities for the organization to build cyber resilience. Identifying the key digital assets and data of an organization is core to understanding and enhancing cyber capability. A robust cyber strategy will account for the importance and potential risks associated with key third-party suppliers.
3. Embed cyber security in existing risk management practices
Cyber risk is still an operational risk that fits within an organization’s existing approach to risk management. Although cyber risk cannot be reduced to zero, there are a number of accessible and low-cost controls that all organizations can use to mitigate the risk. The board should regularly assess the effectiveness of cyber controls to account for a changing threat environment, technological developments, and the organization’s capabilities.
4. Promote a culture of cyber resilience
A truly cyber-resilient culture begins at the board and must flow through the organization, extending to key suppliers. Regular, engaging, and relevant training is a key tool to promote a cyber-resilient culture, including specific training for directors. The board should incentivize and promote strong cyber security practices.
5. Plan for a significant cyber security incident
Directors and management should proactively plan for a significant cyber incident. Simulation exercises and scenario testing are key tools for the board and senior management to understand and refine roles and responsibilities. A clear and transparent approach to communications with key stakeholders in a significant cyber incident is critical in mitigating reputational damage and allowing for an effective recovery.
Of course, the updated Cyber Security Governance Principles are a great place to start when trying to promote a culture of cyber resilience.
What else can you do? Check out our Guide to Cyber Resilience to find out.