Lani Refiti, ANZ Regional Director at Claroty, tells us boards must include the expertise of CIOs and CISOs to advise on critical cybersecurity issues. He says: “CIOs and CISOs need to be elevated to board level. At present they are conspicuous by their absence.”
Earlier this year, the ransomware attack on Colonial Pipeline which cost the company $US4.4 million presented a serious warning to the industrial sector around the world. But it was only the tip of a global iceberg.
In July, ABC reported: “It’s an open secret within the tight-lipped world of cybersecurity. For years, Australian organizations have been quietly paying millions in ransoms to hackers who have stolen or encrypted their data.”
The Australian Labor Party is currently trying to reveal the collective amount local organizations have paid. Shadow Assistant Minister for Cybersecurity and for Communication, Tim Watts, has tabled a bill that would make it mandatory for Commonwealth, state or territory entities, corporations and partnerships, to report ransomware payments.
Meanwhile, Australia’s Department of Home Affairs has taken another initiative to combat ransomware. In July, it established Operation Orcus, a taskforce spanning several agencies including the Australian Cybersecurity Center (ACSC), the Australian Federal Police (AFP), the Australian Criminal Intelligence Commission (ACIC), Austrac and state and territory police forces, but has given no details of how it will operate.
And in March the Department of Home Affairs’ Cybersecurity Advisory Committee issued a report: Locked Out: Tackling Australia’s Ransomware Threat, which flagged ransomware as ‘one of the most immediate, highest impact cyberthreats to Australia.’
It sent a clear message to organizations of all kinds to not be complacent in the face of increasing cyber-risk, urging them to understand the risks and prepare accordingly, know what action to take in the event of a ransomware attack and maintain a clear understanding of their legal and regulatory obligations.
It’s no surprise that the global shift to remote work caused by the COVID-19 pandemic has increased opportunities for cybercriminals. Just as it allowed organizations to accelerate their Digital Transformation, revamp business and operating models, and boost operational efficiency and quality of service, it also provided many new attack routes for threat actors.
Savvy technology leaders called for a renewed focus on cybersecurity as a key business enabler, especially in the case of converged operational technology (OT) and Information Technology (IT) environments, such as those in manufacturing, oil and gas and water and waste management.
But with Digital Transformation and cybersecurity now becoming essential components of every business, there needs to be an appropriate organizational response to this: CIOs and CISOs need to be elevated to board level. At present they are conspicuous by their absence.
According to a recent report on diversity within Fortune 100 Senior Executives, almost 70% of newly-appointed independent board members in 2019 came from the ranks of CEOs or senior finance and operating roles, not from technology roles.
Cyber-risk and cybersecurity are integral elements in every organization’s overall risk management strategy and awareness of their importance is rising. In such a climate, boards must include the expertise of CIOs and CISOs to understand and advise on these critical issues.
CIOs, CISOs and board directors can provide informed and expert advice on how to counter cyberthreats, how to build resilience, and how to implement the most effective digital initiatives. They can also identify cyber-risks and recommend risk mitigation strategies.
Their absence at the board level can easily lead to complacency, or stasis, when boards lack the background and understanding to make major technology-related decisions. Today their expertise is sorely needed. There will be no return to a pre-COVID normal. Disruption is inevitable and agility is essential.
For many organizations there is another dimension to the need for tech expertise on boards. Soon, an increasingly wide range of organizations in Australia will fall under the category of critical infrastructure providers and will be subject to new legislative demands.
The Security Legislation Amendment (Critical Infrastructure) Bill 2020, now before Parliament, greatly extends the scope of what is considered critical infrastructure, adding an additional seven sectors to the category. Organizations in sectors including food and grocery, healthcare, transport and education will now need to be much more diligent about their cybersecurity and resilience.
Without strong cyber and technical representation on boards, organizations are exposing themselves to a range of business risks, including noncompliance with regulations, and the danger of cyberattacks. Those with strong technical representation will achieve better business outcomes, be more competitive and more resilient.
Overall, we need to see greater diversity on company boards in relation to skills and knowledge, specifically the presence of cyber and digital skills.Click below to share this article