Article co-authored with Chathura Abeydeera, Director - Cyber Security and Incident Response at KPMG Australia, CREST Assessor and CREST Australasia Advisory Board Member
Introduction
We know cybersecurity is not all about technology, etc. etc.
We know people and processes are just as important as technology, etc. etc.
But, what do people and processes look like?
An important articulation of people and processes in cybersecurity is cybersecurity (or information security) governance. Are you a sucker for definitions? Well, we’ve got you sorted:
Information security governance is the mix of framework, processes, and practices that organizations use to manage and protect their information assets. It involves strategic planning, risk management, and oversight of information security activities (thanks Co-pilot!)
Cyber-governance has become a critical sub-set of corporate governance and corporate responsibility. Ultimately, responsibility and accountability for cyber-governance sits with the Board of Directors. Boards are now faced with the challenge of not only overseeing cyber-risk management but also navigating cyber-crises when they occur (and they do occur). Cyber-governance plays a pivotal role in safeguarding an organisation's integrity and resilience. And the Board oversees cyber-governance.
While the landscape remains ever-evolving, Action 5 of Shield 1 of the 2023-2030 Australian Cyber Security Strategy advocates for clear cyber guidance for businesses, acknowledging the current ambiguity in cyber-governance (we recently wrote about the Strategy here).
In this short piece, we amalgamate insights from the recently published Australian Institute of Company Directors (AICD) guidance “Governing Through a Cyber Crisis”.
The report
Overall, the report asks Boards to not only play ‘devil’s advocate’ and constantly challenge management and their assumptions, but also to take a more active role in cybersecurity in general. The report is organised around 4 Rs, namely the stages to face a cyber-incident: Readiness, Response, Recovery, Remediation. As crisis and risk managers know well, the domain is full of 3, 4, and 5-stage models to describe what happens and what ought to be done in a crisis. Considering cyber-incidents are no different from other organisational crises, alignment with consolidated ERM models would have helped.
The report is incredibly exhaustive and goes a long way in:
- Providing a holistic overview for boards to be effective at ongoing oversight (point A below)
- Unpacking the 4 phases of the cyber-incident and offering specific guidance for boards (B-E below)
The whole report is a must-read for board members of organisations of all sizes and industries. Similar to what previously done with the “Cyber Security Governance Principles”, it also contains dedicated guidance for SMBs and NFPs. If you think that it’s TLTR, here we will simply point out to some particularly relevant points.
- The Introduction sets the tone with a number of regulatory references that should help define some boundaries and goals for Board’s effective oversight of cyber-governance [1].
A) Overview: The report identifies the 5 challenges Boards typically encounter in cyber-crises (see Figure 1). The report also acknowledges the need for Australian Boards in general to be more active in cyber-crisis management, a call that has been made numerous times in the last couple of years (see this and this). How to do so? The report proposes one interesting option: creating a cyber-crisis Sub-Committee.
B) Readiness: Crises need to be first and foremost managed before they happen, and this is the focus of the Readiness phase. The report stresses the importance of solid cyber-risk governance (a topic that is still quite under-developed). Solidity in this field revolves around the following elements (see Figure 2).
Among others, the presence of a consolidated Data Governance framework (e.g., What data do we have? Where is it? Who has access to it? Under what rules?) is certainly an hygiene factor but one on which nonetheless organisations have a long way to go. This is probably the reason why, in absence of regulations and clear guidelines in this field (on the model, for example, of what done in the EU Data Governance Act), the report offers some specifics. The report also illustrates what a cyber-incident management team should look like, dividing it into three main parts: Board (or Sub-Committee), core Crisis Management Team, and Incident Response team.
C) Response: Probably this is considered the most important phase in the report, if space dedicated to it, and inclusion of a case study on the response to cyber-extortion are any indication. Once more, the report recommends managing a cyber-crisis through the previously created Board Sub-Committee and includes communication and reporting actions, one area traditionally overlooked in Board’s involvement in crisis response. We would like to emphasise the acknowledgement that a balance needs to be stricken between the need to draft Board papers (which can become an important legal instrument) with the agility necessary in crisis circumstances (quick verbal communication). The report is also explicit on the identification of the spokesperson for stakeholder communication: the CEO should be that person, with other Board members (e.g., chairperson) to communicate on a case-by-case basis with specific stakeholders. Finally, the report offers recommendations on media management, reminding us of the well-known adage that: “The reputational damage arising from poor communications during an incident can be more damaging than the incident itself”. Finally, the report adopts a risk-based approach to the possibility of paying a ransom. It obviously does not provide guidance on ‘yes’ or ‘no’, but it does raise relevant questions Boards should consider (in particular, legal ones) when making the call.
D) Recovery: The phase that starts the post-incident stage, Recovery, is for large part dedicated to ‘bouncing back’ to Business-As-Usual, to investigations, to post-incident reporting. Security uplift in itself is perhaps more typical of the following stage, Remediation, but indications are offered for Boards to ensure short-term security investments are made. Post-incident reviews and associated reporting are said to be best performed by independent third-parties for large organisations. Depending on budget, this could actually be a good suggestion for smaller organisations too, in particular for effective organisational learning to take place.
E) Remediation: Similar to Response, Remediation indicates post-incident interventions aimed at ‘fixing’ the root causes of the cyber-crisis and, in general, transform it into an opportunity: a comprehensive security uplift. Remediation leads the Board to transition into the following Readiness phase, until the next cyber-crisis occurs. Long-term litigations, where present, will likely absorb a lot of efforts in this phase. The report also underlines the importance of trust and reputation re-build. An effective response to cyber-crises can help organisations build increased trust and attain higher performance than pre-crisis. Guidance on reputational re-build is a bit light in the report, and mainly reverts on the importance of ensuring solid, customer-centric communication (similar to Response). This stage could present great opportunities for the Board to ‘reconnect’ the Crisis Management and cybersecurity teams with the rest of the organisation (e.g., the role of the Marketing and Sales departments in helping re-build reputation).
Overall, the AICD document provides a commendable framework for Boards grappling with the uncertain terrain of cyber-governance. The imperative to never assume immunity but instead validate the assumption of compromise sets the tone for a proactive approach. Boards are urged to promote a risk-based perspective over a narrow compliance-based approach, emphasizing the importance of robust technical assessments. At the same time, the document recognizes the unclear state of cyber-governance and the need for clear guidance for businesses, clarifying expectations and empowering Boards to better manage cyber-risks.
The AICD document stresses the crucial role Boards play in overseeing cyber-risk management, urging them to take proactive measures. Beyond effective communication during a crisis, there is a need for preventative measures, including a proactive stance, creation of a dedicated cyber-incident sub-committee, secure systems, understanding of legal implications and insurance options and exploration of root causes of incidents. Boards are also encouraged to actively participate in cyber-crisis simulations, making informed judgments based on learnings.
Food for Thought and Conclusion
Based on guidance offered by the report, incident response planning would be best performed by harnessing Cyber Threat Intelligence to anticipate realistic, potential scenarios and identify relevant threat actors targeting the organisation. This would be a much better option than generic scenario planning. Boards also need to keep building on their understanding of the importance of preventative measures. On option here are investments in advanced preventative measures, including continuous penetration testing and red teaming. Additionally, the implementation of sophisticated detection engineering controls, coupled with robust, supporting cyber-governance arrangements, can be a crucial factor for early identification of relevant cyber threats.
As the traditional concept of a digital perimeter is debunked, emphasizing the need for a more nuanced understanding of cybersecurity is paramount. The Board plays a fundamental role in helping such understanding, by challenging managerial assumptions and taking a more active stance in cyber-incident management. The AICD document provides invaluable guidance for Boards navigating the intricate landscape of cyber-crises.
[1] Unlike the higher-level “Principles” document, this report was prepared in collaboration with the Cybersecurity Cooperative Research Centre and law advisory firm Ashurst.
Dr Ivano Bongiovanni GAICD
The University of Queensland